ISACA Kolkata Newsletter, March 2010
- 2. March 2010, Volume 12
Contents
3 From the Desk of the President
4 2009-10 Member Team
5 Blackmailing - “Social Engineering”
7 Password–Its strength and susceptibility of being cracked
13 News & Update from ISACA USA
Invitation to write articles
Members, academicians and others are requested to send
their original articles / jokes / puzzles for inclusion in the
newsletter to Rajat Boobna - News Letters Editor at
rajatboobna@gmail.com
Isacakolkata@gmail.com
Disclaimer:
ISACA Kolkata Chapter does not warrant or assume any legal liability or responsibility for the accuracy,
completeness, or usefulness of any information or process disclosed herein, including all the articles that have been
incorporated from various sources, where the copyright of the documents may rest with the original owner. It
should neither be regarded as comprehensive nor sufficient for making decisions, nor should it be used in place of
professional advice.
©2009 ISACA. All rights reserved. ISACA Kolkata Chapter. 2
From the desk of the President
Dear Professional Colleague,
It is indeed a pleasure to communicate with esteemed members of the profession.
We held our Annual Conference on 6th of February at Hotel Senator where eminent speakers
from the industry deliberated on our theme ‘Security without Borders’. The function was a grand
success and appreciated by one and all. I take this opportunity to thank everyone who directly
or indirectly worked hard to make the occasion successful. The Seminar generated a lot of
positive interest in the industry.
ISACA, Kolkata Chapter is presenting the March 2010 issue of our e-newsletter. We are proud
to say that the newsletter has generated a lot of interest and people are looking forward to its
publication.
In this connection, may I request all of you to kindly submit articles, experiences, quizzes,
knowledge etc. on the areas of interest to professional colleagues so that the newsletter becomes
more coveted.
I take this opportunity to thank Sri Rajat Boobna and his team for undertaking the task
voluntarily and continuously striving to improve the quality of the newsletter.
We invite suggestions from you all for further development of the Chapter.
We are approaching the end of the financial year and everybody will become professionally
busy. I wish you all success in your endeavors.
Best Regards,
Aveek Gupta, CISA Dated: 19.03.2010
President, ISACA, Kolkata Chapter
2009-2010 Member Team
Office bearers

Aveek Gupta, President, 9830530045, aveek.gupta@gmail.com
Kaushik Nath, Vice President, 9830288882, tbird8117@gmail.com
Vinod Agarwal, Secretary, 9748737963, vinod@rabcoindia.com
Rajat Boobna, Treasurer & Newsletter Editor, 9831195559, rajatboobna@gmail.com
Subrata Roy, Membership Director, 9831004140, rcpl@gmail.com
Krishna Chanani, Joint Secretary, kkc@cal2.vsnl.net.in
Pankaj Kakarania, Program Chair, 9831447714, pankajkakarania@gmail.com
Suvendu Chander, Immediate Past-President, 9830086986, ca.suvendu@gmail.com

Members

Syamal Nayak, CISA Coordinator, 9831031010, snayak@itservicesonline.com
Piyali Basu, piyalibasu@hotmail.com
Prashant Verma, pverma@gmail.com
Dibyendu Basu, CISM Coordinator, dbasu.personal@gmail.com
Vivek Gupta, 9831004140, vivek.gupta@allahabadbank.in
Blackmailing – "Social Engineering"
By Vicky Shah
"Human Behavior is the Biggest Risk in Security"

State: Maharashtra
City: Mumbai
Sections of Law: 292, 389, 420, 465, 467, 468, 469, 471, 474 IPC; r/w 67 of IT Act 2000

The Internet is anonymous. It is believed to allow users to hide themselves and play safe. Imagine a situation where you are lured by someone online. You need to be sure who the person on the other side is: is he or she what he or she claims to be?

This case story is about an accused who posed as a young girl living in one of the metros in India. The accused persuaded an NRI working in the Middle East to enter into an email correspondence. The accused introduced many female characters and used various email IDs to chat and correspond with the victim. The victim believed that he was actually corresponding with different girls. They had met on one of the popular online chat groups.

Having influenced the victim and won his confidence, the accused asked him for money and gifts. The victim complied with the requests in the hope of receiving physical favours from the 'girls' he had been introduced to and had been chatting with over the past few months. However, after a period of time, when things were not materialising and the victim could not foresee the favours, he stopped the online correspondence.

Due to this, the accused started blackmailing the complainant by referring to the email exchanges that had taken place earlier between the victim and the various 'girls'. In addition, the accused led the victim to believe that one of the 'girls' who used to chat with him had committed suicide and that the victim was responsible for it. The accused also sent fake copies of letters from the CBI, the High Court of the metro where the 'girl' was living, the New York Police, a university, etc.

The victim lived in constant fear of being arrested in connection with the suicide for over a year and a half. He was afraid and nervous. He paid the accused a sum of INR 1.25 crores, presumably to bribe the officers and officials who were supposedly investigating the suicide and to compensate the dead girl's family for the loss of her income. The accused created such fear in the victim's mind that he was constantly and continuously under the threat of being arrested by the police.

Due to the pressure and stress he experienced, the victim himself contemplated suicide.

Important Note:
Had the victim been alert and controlled his emotions of lust at the first instance of email exchange, he would have avoided the chaotic situation and restrained himself from becoming an online victim held in such agony.

Investigation Approach:
Frustrated and helpless, the victim came over to India and surrendered himself to the law enforcement authorities. He handed over to the officers all the email correspondence that he had. There was no email or clue that could be traced to the metro where the girl who had committed suicide lived. However, a few interesting emails took the investigating officers to the corporate office of a large cement company and led them to a residential address in a metro other than the one where the girl had died. Officers conducted raids at both places.

In the raids one computer, two laptops, seven mobile phones and a scanner were seized. The seized equipment was sent to the office of the forensic examiner, who found all the evidence of e-mails, chat details, etc. on the laptops and the computer.

Also, during the investigation, property worth INR 9 lakhs was seized, along with cash worth INR 3 lakhs. The total flow of the extorted money was traced from the bank in the Middle East where the victim was staying to the account of the accused in India.

The case has been charge-sheeted and the matter is sub judice. The IO of this case won the first runner-up position in the India Cyber Cop Award 2005 (an initiative of Mumbai Police and NASSCOM).

This case is a classic example of social engineering being used to play with human emotions and psychology. The officers' response was swift and the investigation was thorough and professional.

Learnings:
1. Avoid being over-friendly with someone online without knowing him/her personally
2. Avoid getting into financial transactions with unknown or anonymous persons online
3. Keep a trail of all email communication
4. Keep a trail of bank statements and transaction details
5. Control emotions and do not anticipate any favours, intangible or tangible

Disclaimer:
This story is for educational and learning purposes. You can use the information provided here with proper credits. I have tried not to hide or miss any facts or information as far as possible. The Important Note and Learnings provided above in the case story are my personal views about the incident which I feel should be shared. Any errors, omissions, misstatements and misunderstandings set forth in the story are sincerely apologised for. Relying on the above contents will be the sole responsibility of the users. Inspired by the Compilation of Cases book by KPMG and NASSCOM. Please feel free to contact the author at vicky@cybercrimes.in for any clarification if required. The author sincerely appreciates your time in providing your views, criticisms, suggestions for improvement and frank feedback.

"Human Behaviour is the Biggest Risk in Security" – Vicky Shah
Password – Its Strength and Susceptibility to Being Cracked
By Gautam Basu, CISA, OCP, MCP

What is a password?
A password is a form of authentication in which a string of characters entered by the user is compared to a stored value associated with the specific user ID.

Password strength
Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. Usually it estimates how many trials an attacker who does not have direct access to the password would need, on average, to guess it correctly. The strength of a password is a function of its length, complexity and randomness.

Using strong passwords lowers the overall risk of a security breach, but strong passwords do not replace the need for other effective security controls. The effectiveness of a password of a given strength is strongly determined by the design and implementation of the authentication system software, particularly (i) how frequently password guesses can be tested by an attacker and (ii) how securely information on user passwords is stored and transmitted. However, risks are also posed by several means of breaching computer security which are unrelated to password strength. Such means include wiretapping, phishing, keystroke logging, social engineering, dumpster diving and software vulnerabilities.

Password policy
A password policy may be used as a guide to choosing satisfactory passwords. Such policies are usually intended to:

• ensure the passwords are suited to the target population
• advise users on the handling of their passwords
• require that any password which has been lost or compromised be changed (password change policy), and perhaps that no password be used longer than a limited time (password expiration policy)
• in some cases, prescribe the pattern of characters which passwords must contain

For example, password expiration is often covered by password policies. Password expiration serves two purposes:

• if the time to crack a password is estimated to be, say, 15 days, a password expiration time of fewer than 15 days may help ensure that an attacker has insufficient time to crack and use it
• if a password has been compromised without the owner's knowledge, requiring it to be changed regularly limits the time for which the attacker retains access

There are also arguments against password expiration. It is believed by some that:

• asking users to change passwords frequently encourages simple, weak passwords
• if one has a truly strong password, there is little point in changing it, since the existing password is already strong; changing passwords which are already strong merely introduces the risk that the new password may be less strong. However, since any compromised password is weak regardless of its form, the possibility of compromise must be considered in estimating password strength.

There are differences of opinion and controversies regarding what should and should not be included in a password policy. However, a clearly stated password policy, properly implemented, strengthens the overall system framework.

Handling passwords
Among the hardest passwords to crack are long (the longer the better), high-entropy character strings. (Information entropy is a measure of randomness. A string of random letters and numbers along the lines of "5f78HJ2Z2Xp4V7Vb6" has high information entropy, while "Liza of Lambeth" has low information entropy.) Such strings resist brute-force attacks (because they have many characters) and guessing attacks (because they have high entropy). However, such passwords are often also hard to remember in practice. Imposing a requirement for such passwords in a password policy may encourage users to write them down, store them in PDAs or cellphones, or share them with others as a safeguard against memory failure. These practices increase security risk. Some suggest recognising this reality when multiple complex passwords are required.

Security expert Bruce Schneier recommends writing down complex passwords:

"Simply, people can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down. We're all good at securing small pieces of paper. I recommend that people write their passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet." (Bruce Schneier, 2005)

The following measures may increase acceptance of strong password requirements, if carefully used:

• a training programme, with refresher training for those who fail to follow the password policy (lost passwords, passwords of inadequate strength, etc.)
• rewarding users who choose strong passwords by reducing the rate of, or eliminating altogether, forced password changes (password expiration). The strength of user-chosen passwords can be estimated by automatic programs which inspect and evaluate proposed passwords when a password is set or changed.
• a thorough account closure process for departing users, and/or a process to display to each user the date and time of their last login, so that the user may notice unauthorised access suggesting a compromised password
• allowing users to reset their passwords via an automated system. However, some such systems are themselves insecure; for instance, weak (or easily guessed, or insufficiently frequently changed) password reset keys bypass the advantages of a strong password system.

What is password cracking?
Password cracking is the process of recovering passwords from data that has been stored in or transmitted by a computer system. A common approach is to repeatedly try guesses for the password. The purpose of password cracking might be:

(i) to help a user recover a forgotten password (though setting an entirely new password is less of a security risk, it requires system administration privileges),
(ii) to gain unauthorised access to a system, or
(iii) a preventive measure by system administrators to check for easily crackable passwords.

Password cracking may also be used to gain access to digital evidence to which a court has granted access but where the particular file is password-protected. For gaining unauthorised access to a system, social engineering is often more effective than guessing, and it costs less than techniques which demand investment in hardware and software.

One of the most common questions is how to go about cracking a password. The only way to really implement effective security is to understand how attackers exploit security weaknesses.

Guessing
Passwords can sometimes be guessed by humans with knowledge of the user's personal information. Examples of guessable passwords include:

• blank (none)
• the words "password", "passcode", "admin", the name of the organisation, and their derivatives
• a row of letters from the QWERTY keyboard (qwerty itself, asdfg, or qwertyuiop)
• the user's name or login name
• the name of their significant other, a friend, relative or pet
• their birthplace or date of birth, or a friend's or relative's birthplace or date of birth
• their automobile licence plate number, or a friend's or relative's
• their office telephone number, residence telephone number or, most commonly, their mobile number
• their office or residence number or any part of their address
• the name of a celebrity they like
• a simple modification of one of the preceding, such as suffixing a digit (particularly 1) or reversing the order of the letters
• a swear word

Personal data about individuals is now available from various sources, many of them online, and can often be obtained by someone using social engineering techniques, such as posing as an opinion surveyor or a security control checker. Attackers who know the user may have such information as well. For example, if a user chooses the password "CalUniv2002" because he graduated from the University of Calcutta in 2002, an associate of that person with malafide intent might well be able to guess the password.
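The guessing section above, as a worked example added here (it is not part of the newsletter or of the author's own material): a small dictionary-plus-mangling guesser of the kind described, run offline against a stored unsalted SHA-256 hash. The wordlist, the "personal information" and the target hashes are constructed for this example; the mangling rules are the ones the list above names (suffix a digit or a year, reverse the letters, change case). A real cracker would use a far larger wordlist, but the mechanism is the same.

```python
"""Added example: dictionary attack with personal-information mangling,
run offline against a stored SHA-256 hash. All data below is constructed."""
import hashlib
import itertools

# Constructed "personal information" of the kind an attacker gathers online.
PERSONAL_INFO = {"CalUniv", "Calcutta", "rex", "kolkata"}
# Constructed base dictionary: common words plus the personal data.
WORDLIST = ["password", "admin", "qwerty", "letmein", "isaca"] + sorted(PERSONAL_INFO)
YEARS = [str(y) for y in range(1990, 2011)]
DIGITS = "0123456789"


def mangle(word):
    """Yield the word and the simple variations the article warns about:
    case changes, the reversed word, and a trailing digit or year."""
    seen = set()
    for base in (word, word.lower(), word.capitalize(), word.upper(), word[::-1]):
        suffixed = itertools.chain([base], (base + d for d in DIGITS), (base + y for y in YEARS))
        for cand in suffixed:
            if cand not in seen:
                seen.add(cand)
                yield cand


def sha256_hex(s):
    """Unsalted hash as a stand-in for a weak password store."""
    return hashlib.sha256(s.encode()).hexdigest()


def crack(target_hex, words=WORDLIST):
    """Offline attack: hash every candidate and compare with the stored hash.
    Returns (password, guesses) on success or (None, guesses) on exhaustion."""
    tries = 0
    for word in words:
        for cand in mangle(word):
            tries += 1
            if sha256_hex(cand) == target_hex:
                return cand, tries
    return None, tries


if __name__ == "__main__":
    # The article's own example password falls to a few hundred guesses.
    print(crack(sha256_hex("CalUniv2002")))
    # A high-entropy random string is not in any mangled wordlist.
    print(crack(sha256_hex("5f78HJ2Z2Xp4V7Vb6")))
```

The point the run makes is that "CalUniv2002" satisfies a typical complexity rule (mixed case plus digits, eleven characters) yet is found in a few hundred guesses once the attacker knows two facts about the user, whereas the random string is never found.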
Guessing is particularly effective against systems that employ self-service password reset, if the attacker can guess the answers to the security questions.

Dictionary attacks
A dictionary-based password cracker contains a database filled with words from the dictionary, common names and often catch phrases from popular films. To have a secure password, a person needs to mix random numbers, letters and symbols. Doing so makes the password far more resistant to dictionary-based cracking, because random character strings are unlikely to appear in the cracking utility's dictionary.

Users often choose weak passwords. Examples of insecure choices include the list in the guessing section above, plus single words found in dictionaries, given and family names, any too-short password (usually thought to be 6 characters or fewer), or any password meeting a too-restrictive and hence predictable pattern (e.g., alternating vowels and consonants). Repeated research has demonstrated that a good percentage of user-chosen passwords are readily guessable by sophisticated cracking programs armed with dictionaries and, perhaps, the user's personal information.

Some users neglect to change the default password that came with their computer system account. Some administrators neglect to change default account passwords provided by the operating system vendor or hardware supplier. If these are not changed at system configuration time, anyone familiar with such systems already holds a 'cracked' and important password. Such service accounts often have higher access privileges than a normal user account.

Gary McKinnon, accused of perpetrating the "biggest military computer hack of all time", has claimed that he was able to get into the military's networks simply by using a Perl script that searched for blank passwords. His account suggests that there were computers on these networks with no passwords at all. We need to look at our own behaviour patterns and day-to-day practices in this light.

Cracking programs exist which accept personal information about the user being attacked and generate the common variations of passwords suggested by that information.

Brute force attack
A brute-force cracker is used to crack passwords consisting of random character strings. Brute force works by trying every possible combination of numbers, letters and symbols until the password is revealed.

In theory a brute-force attack will always succeed, since the rules for acceptable passwords are publicly known and the space they define is finite. But as the length of the password increases, so does the number of possible passwords, exponentially. The method is unlikely to be practical unless the password is relatively short. However, parallel processing can reduce the time to find the password in proportion to the number of processors in use. Practicality depends heavily on whether the attacker has access to the hash of the password, in which case the attack is called an offline attack (it can be carried out without any connection to the protected resource), or not, in which case it is called an online attack. An offline attack is generally much easier, because testing a password is reduced to a quick computation (calculating the hash of the candidate password and comparing it to the stored hash of the real password). In an online attack the attacker has to actually attempt to authenticate with each candidate password, and the system can impose arbitrary rules and delays, lock the account, and log the attempts.
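The brute-force arithmetic above, as a worked example added here (not from the newsletter): how the number of trials grows with the size of the allowed character set and the length, and why the offline/online distinction dominates both. The guess rates are assumptions chosen for illustration (a fast unsalted hash on an attacker's hardware versus a rate-limited login endpoint), not measurements; the character-pool sizes are exact for the ASCII classes named.

```python
"""Added example: brute-force search space, entropy and expected time for
different password policies, offline versus online. Rates are assumptions."""
import math

# Character pools a policy may allow (sizes are exact for these ASCII classes).
POOLS = {
    "digits": 10,
    "upper": 26,
    "lower+upper": 52,
    "lower+upper+digits": 62,
    "all printable ASCII": 95,
}

# Assumed rates: an offline attacker hashing a fast, unsalted hash on
# dedicated hardware, versus an online attacker throttled by the server.
OFFLINE_RATE = 10**9   # guesses per second (assumption)
ONLINE_RATE = 10       # guesses per second (assumption)


def search_space(pool_size, length):
    """Number of distinct passwords of exactly `length` characters."""
    return pool_size ** length


def entropy_bits(pool_size, length):
    """Entropy in bits of a *randomly chosen* password from this pool. A
    user-chosen password is usually far weaker than this upper bound."""
    return length * math.log2(pool_size)


def expected_seconds(pool_size, length, guesses_per_second):
    """Average time to hit the password: half the space at the given rate."""
    return search_space(pool_size, length) / 2 / guesses_per_second


def length_for_equal_strength(pool_size, target_bits):
    """Shortest length drawn from this pool that reaches target_bits of
    entropy: the article's point that a longer password compensates for a
    restricted character set (e.g. a numeric-only PIN)."""
    return math.ceil(target_bits / math.log2(pool_size))


def compare(length=8):
    """Per pool: (name, bits, expected offline days, expected online days)."""
    rows = []
    for name, n in POOLS.items():
        rows.append((name,
                     round(entropy_bits(n, length), 1),
                     expected_seconds(n, length, OFFLINE_RATE) / 86400,
                     expected_seconds(n, length, ONLINE_RATE) / 86400))
    return rows


if __name__ == "__main__":
    for name, bits, off_days, on_days in compare():
        print(f"{name:22s} {bits:5.1f} bits  offline {off_days:14.3f} days  online {on_days:.3e} days")
    print("digits-only length matching 8 chars of full ASCII:",
          length_for_equal_strength(10, entropy_bits(95, 8)))
```

Read across a row and the online column is eight orders of magnitude worse for the attacker than the offline one; read down a column and the digits-only row is the policy the article warns against. The last line shows that a numeric-only password needs 16 digits to match 8 characters drawn from the full printable set.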
A common password length recommendation is eight or more randomly chosen characters combining letters, numbers and special characters (punctuation, etc.). This recommendation makes sense for systems using stronger password hashing mechanisms such as md5-crypt and the Blowfish-based crypt (bcrypt), but is inadequate for systems which still store the legacy LAN Manager hash, which splits the password into two 7-character halves and is therefore trivially brute-forced. Systems which limit passwords to numeric characters only, or upper case only, or which otherwise exclude possible password characters, also make brute-force attacks easier. Using longer passwords in these cases (where possible) can compensate for the limited character set. Of course, even with an adequate range of character choice, users who ignore that range (e.g., using only upper-case letters, or digits alone) make brute-force attacks against their accounts much easier.

Generic brute-force search is often successful, but smart brute-force techniques, which exploit knowledge of how people tend to choose passwords, pose an even greater threat. Success in offline attacks thus depends partly on the attacker's ingenuity and partly on resources (available time, computing power, etc.), the latter of which increase as computers get faster. Most commonly used hashes can be implemented on specialised hardware, allowing faster attacks. Large numbers of computers can be harnessed in parallel, each trying a separate portion of the search space; unused overnight and weekend time on office computers is sometimes used for this purpose.

Prevention against cracking
Computer users are generally advised to "never write down a password anywhere, no matter what" and "never use the same password for more than one account." However, an ordinary computer user may have dozens of password-protected accounts. Users with multiple accounts (and passwords) often give up and use the same password for every account. When varied complexity requirements prevent the use of one memorable scheme for producing strong passwords, overly simplified passwords will often be created to satisfy the irritating and conflicting rules. As one user put it: "...I may have 15 different passwords. If I am not allowed to write any of them down, guess what I am going to do? I am going to use the same password on every one of them..."

If passwords are written down, they should never be kept in obvious places such as address books, under drawers or keyboards, or behind pictures. Perhaps the worst, but all too common, location is a sticky note on the computer monitor. Better locations are a safe deposit box or a locked file approved for information of sensitivity comparable to that protected by the password; most locks on office file cabinets are far from adequate. Software is available for popular hand-held devices that stores passwords for numerous accounts in encrypted form. Another approach is to use a single password for low-security accounts and select separate, strong passwords for a smaller number of high-value applications such as online banking.

The benefit an attacker gains from precomputation (hashing each candidate once and reusing the result against every account) can be nullified by randomising the hashing process. This is known as salting. When the user sets a password, a short random string called the salt is combined with the password before it is hashed; the salt is stored alongside the hash so that it can be used again during verification. Since the salt is different for each user, the attacker can no longer build a table holding a single hashed version of each candidate password, and two users with the same password no longer have the same stored hash. Early Unix systems used a 12-bit salt. Attackers could still build tables of common passwords hashed with all 4096 possible 12-bit salts.
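The salting argument above, as a worked example added here (not from the newsletter): the same three constructed users are stored twice, once with an unsalted SHA-256 (one precomputed table cracks every user at once, and identical passwords give identical hashes) and once with a random 128-bit per-user salt and a slow key derivation. PBKDF2-HMAC-SHA256 from the standard library is used as a stand-in for the crypt variants the article names; the iteration count, usernames, passwords and the small precomputed table are all assumptions made for this example.

```python
"""Added example: precomputed-table attack against unsalted hashes versus
per-user salted, slow hashes. All users, passwords and the table are
constructed for illustration."""
import hashlib
import os

SLOW_ITERATIONS = 100_000   # assumed work factor; real deployments tune this


def unsalted_hash(password):
    """The weak store: one fast hash, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt=None):
    """Return (salt, digest). The salt is stored next to the digest so the
    verifier can recompute it; it need not be secret, only unique per user."""
    salt = os.urandom(16) if salt is None else salt      # 128-bit salt, as bcrypt uses
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, SLOW_ITERATIONS)
    return salt, digest.hex()


def verify_salted(password, salt, stored_hex):
    """Verifier side: rederive with the stored salt and compare."""
    return salted_hash(password, salt)[1] == stored_hex


def build_table(candidates):
    """Attacker's precomputation: hash each common password exactly once."""
    return {unsalted_hash(p): p for p in candidates}


def crack_unsalted(store, table):
    """One dictionary lookup per user; no hashing at all at attack time."""
    return {user: table[h] for user, h in store.items() if h in table}


def crack_salted(store, candidates):
    """Every candidate must be rederived for every user with that user's
    salt, at the full cost of the slow hash each time."""
    found = {}
    for user, (salt, digest) in store.items():
        for cand in candidates:
            if verify_salted(cand, salt, digest):
                found[user] = cand
                break
    return found


# Constructed data: three users, two of whom share a common password.
USERS = {"alice": "password1", "bob": "password1", "carol": "5f78HJ2Z2Xp4V7Vb6"}
COMMON = ["123456", "password", "password1", "qwerty", "letmein"]


def demo():
    unsalted_store = {u: unsalted_hash(p) for u, p in USERS.items()}
    salted_store = {u: salted_hash(p) for u, p in USERS.items()}
    return {
        # Identical passwords collide in the unsalted store, not in the salted one.
        "unsalted_identical": unsalted_store["alice"] == unsalted_store["bob"],
        "salted_identical": salted_store["alice"][1] == salted_store["bob"][1],
        "cracked_unsalted": crack_unsalted(unsalted_store, build_table(COMMON)),
        "cracked_salted": crack_salted(salted_store, COMMON),
    }


if __name__ == "__main__":
    print(demo())
```

Note what salting does and does not do: both stores give up "password1" for alice and bob because it is in the attacker's dictionary. The difference is cost. Against the unsalted store the attacker paid for five hashes in total and reused them for every account; against the salted store every (user, candidate) pair costs a fresh slow derivation, so the work grows with the number of accounts and the table cannot be prepared in advance.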
However, if the salt is long enough, there are too many possibilities and the attacker must repeat the hashing of every guess for each user. Modern methods such as md5-crypt and bcrypt use salts of 48 and 128 bits respectively.

The best defence against password cracking is to ensure that attackers cannot obtain even the hashed passwords. For example, on the Unix operating system, hashed passwords were originally stored in the world-readable file /etc/passwd. On modern Unix (and similar) systems they are stored in /etc/shadow, which is readable only by programs running with elevated privileges. This makes it harder for a malicious user to obtain the password hashes in the first place. Unfortunately, many common network protocols still transmit passwords in cleartext or use weak challenge/response schemes, which hands the attacker the password or a crackable hash regardless of how well it is stored.

Modern Unix systems have replaced traditional DES-based password hashing with stronger methods based on MD5 and Blowfish. Other systems have also begun to adopt these methods. For instance, Cisco originally used a reversible Vigenère cipher to obscure passwords, but now uses md5-crypt with a 24-bit salt when the "enable secret" command is used. These newer methods use large salt values, which prevent attackers from efficiently mounting offline attacks against many user accounts simultaneously. The algorithms are also deliberately slow to execute, which drastically increases the time required for a successful offline attack.

Security tokens address the problem differently, by generating a constantly changing one-time password. They sharply reduce the window for brute forcing (the attacker must break and use the password within a single shift) and reduce the value of a stolen password because of its short validity.

A security token (sometimes called a hardware token, hard token, authentication token, USB token or cryptographic token) may be a physical device that an authorised user of computer services is given for authentication. The term may also refer to software tokens.

Security tokens are used to prove one's identity electronically (as in the case of a customer trying to access their bank account). The token is used in addition to, or in place of, a password to prove that the customer is who they claim to be. The token acts like an electronic key to access something.

Hardware tokens are typically small enough to be carried in a pocket or purse and are often designed to attach to the user's keychain. Some store cryptographic keys, such as a digital signature key, or biometric data, such as a fingerprint. Some designs feature tamper-resistant packaging, while others include a small keypad for entry of a PIN, or a simple button that starts a generating routine, with a display to show the generated number. Special designs include a USB connector, RFID functions or a Bluetooth wireless interface to transfer the generated number sequence to a client system.

Nowadays, when most business entities cannot imagine their existence without information systems, implementation of a strong password policy and practice is of paramount importance. The techniques of password cracking should be explored by system administrators and information security staff in order to safeguard the information system. To become a good cop one must know the techniques adopted by thieves, though many a time the latter are found to outwit the former!

Acknowledgement: The author acknowledges that he has taken reference from several openly available public documents on the internet. For lack of space, each reference could not be individually detailed.
Conference Spotlight

International Conference, 6-9 June 2010, Cancun, Mexico
Now in its 38th year, the International Conference promises to be an event not to be missed. At this global forum, attendees will collaborate and connect with peers, and discover the differing ways similar problems are solved around the world. Plus, there will be opportunities to learn about recent ISACA research projects and best practices, and obtain guidance on how to tackle the tough problems facing enterprises today. This year, sessions will be presented and/or translated into English and Spanish. For more information and to register, please visit www.isaca.org/international.

Future Conferences and Training Weeks
Upcoming events are noted in the Calendar of Events. Events to keep in mind for early 2010 include:
13-15 September 2010: Information Security and Risk Management Conference, Las Vegas, Nevada, USA
13-17 September 2010: Training Week, Orlando, Florida, USA

Calendar of Events

March
1-2 March: Information Security and Risk Management Conference, Bogota, Colombia
6-7 March: Oceania Leadership Conference, Perth, Australia
11 March: Deadline for contributions to COBIT® Focus, volume 2, 2010
17 March: Early-bird registration deadline for Training Week, Charlotte, North Carolina, USA
18 March: Deadline to submit Award Nominations
20-21 March: Europe/Africa Leadership Conference, Budapest, Hungary
21-24 March: EuroCACS, Budapest, Hungary
22 March: Deadline for contributions to volume 4, 2010, ISACA Journal
22-26 March: Training Week, Dallas, Texas, USA
23 March: ISACA® e-Symposium
31 March: Deadline to return 2009 tax information packet to ISACA International Headquarters
31 March: Early-bird registration deadline for International Conference, Cancun, Mexico

April
1 April: CRISC grandfathering opens
7 April: Final registration deadline for the June 2010 CISA/CISM/CGEIT exams
17-18 April: North America Leadership Conference, Chicago, Illinois, USA
18-22 April 2010: North America CACS, Chicago, Illinois, USA
27 April: ISACA e-Symposium
30 April: Purge of nonrenewed members

May
20 May: Deadline for contributions to volume 5, 2010, ISACA Journal
24-28 May: Training Week, Charlotte, North Carolina, USA

Bookstore Update

New ISACA research and peer-reviewed books are offered in the ISACA Bookstore, including:
SharePoint Deployment and Governance Using COBIT® 4.1: A Practical Approach*
Value Management Guidance for Assurance Professionals: Using Val IT™ 2.0*
The Risk IT Framework 2.0*
The Risk IT Practitioner Guide*
Fraud Analysis Techniques Using ACL
Information Storage and Management: Storing, Managing and Protecting Digital Information
PCI Compliance, 2nd Edition
Securing the Information Infrastructure
Security, Audit and Control Features Oracle Database, 3rd Edition*
The Big Switch: Rewiring the World, from Edison to Google
Cloud Computing: Implementation, Management and Security
Computer and Information Security Handbook
How to Complete a Risk Assessment in 5 Days or Less
Internal Controls Policies and Procedures
- 14. March 2010, Volume 12
IT Financial Management individuals who elected to receive the e-mail notification.
Vulnerability Management Hard copy result letters were sent out to all exam
(* denotes ISACA published material) candidates the week of 1 February. Results also have
been posted to the candidate’s profile on the ISACA web
site. To ensure the confidentiality of scores, exam results
Prepare for the June 2010 ISACA certification exams are not reported by telephone or fax.
using ISACA’s latest study materials, available at
www.isaca.org/cisabooks, www.isaca.org/cismbooks CISA, CISM and CGEIT Applications
and www.isaca.org/cgeitbooks. To process applications more efficiently, exam passers
should gather all application documentation [verification
Visit the ISACA Bookstore at www.isaca.org/bookstore of work experience form(s) and any applicable university
or see the ISACA Journal Bookstore insert for additional transcript or letter] and send them together in one
information. Contact the Bookstore at package to ISACA International Headquarters.
bookstore@isaca.org or +1.847.660.5650. ■
Completed applications may be sent via fax to
Certification Update +1.847.253.1443 or through e-mail to
certification@isaca.org. Those wishing to send
January Certifications applications via post may use the address listed on the
In January 2010, 574 CISA, 134 CISM and 9 CGEIT application. If an application is submitted via fax or
candidates were awarded certification. e-mail, it is not necessary to also send the hard copy.
December 2009 Exam Results June 2010 Exam Registration
The results of the December 2009 exams were released
by one-time e-mail notification in late January to those
Registration for the June 2010 CISA, CISM and CGEIT
exams continues. The final registration deadline is 7 April
2010. Please refer to www.isaca.org/cisaboi, 2009 Central North America
www.isaca.org/cismboi or www.isaca.org/cgeitboi,
respectively, for more details on the exam. Registrants Unfunded PCM
can save US $50 by registering online at The 2009 Central North America Unfunded PCM took
www.isaca.org/examreg. place on
CISA, CISM and CGEIT Certification 7-8 November in Nashville, Tennessee, USA, at the
Renewals Opryland Hotel. Of the 30 chapters in the region, 19
attended this meeting. In addition to several breakout
Certified individuals who have not already renewed
sessions, five chapters presented throughout the
for 2010 should renew as soon as possible to avoid
weekend. The Omaha (Nebraska, USA) Chapter
revocation. Reminder invoices have been mailed.
presented on how their chapter is making changes to the
Renewal requires payment of the annual maintenance
way it communicates with its members. The Greater
fee and reporting the required CPE credits. The CISA,
Cincinnati (Ohio, USA) Chapter talked about how the
CISM and CGEIT CPE policies are available at
chapter finds and retains good leaders for their board.
www.isaca.org/cisacpepolicy,
The Detroit (Michigan, USA) and Middle Tennessee
www.isaca.org/cismcpepolicy and
(USA) chapters discussed how the chapters are holding
www.isaca.org/cgeitcpepolicy, respectively. The
successful and well-attended seminars and training
renewal process can be completed online at
events. The Winnipeg (Manitoba, Canada) Chapter
www.isaca.org/renew.
shared ways that chapter leaders can mitigate risks for
the chapter and its directors. All presentations can be
The CISA certification program was awarded the Best downloaded at www.isaca.org/area4. ■
Professional Development Grand Award and the Best
Professional Development (Scheme) Award from the
Hong Kong ICT Awards 2009. The Hong Kong ICT Research Update
Awards were established in 2006 under a collaborative
effort among industry, academia and the government. Monitoring of Internal Controls and IT
This publication provides guidance and tools for
New ISACA Certification: CRISC enterprises interested in applying IT to support and
The grandfathering program for ISACA’s new sustain the monitoring of internal control systems and IT.
certification program, Certified in Risk and Information It provides practical guidance for executing the
Systems Control™ (CRISC™, pronounced see-risk), monitoring process in general and for automating the
opens 1 April 2010. To learn more, visit monitoring process for increased efficiency and
www.isaca.org/crisc effectiveness. Effective IT-enabled monitoring can be of
©2009 ISACA. All rights reserved. ISACA Kolkata Chapter. 14
- 15. March 2010, Volume 12
benefit to senior management, which includes Upcoming ISACA Releases
governance bodies, the audit committee and the board • The Business Case Guide: Using Val IT™ 2.0
of directors. Customization of the approaches provided • Business Model for Information Security™ (BMIS™)
will be necessary to reflect the specific circumstances of • Career Guide for Information Security and Information
each enterprise. Assurance Professionals
Security, Audit and Control Features Oracle® E-Business
Suite, 3rd Edition
An exposure draft is scheduled to be posted in March at
www.isaca.org/itmonitoring for public comment.
©2009 ISACA. All rights reserved. ISACA Kolkata Chapter. 15