Archiv für Januar 2012

Summary of questions and important points to be mentioned from the IS Audit Webinar, 26th of February 2012

Difference between Responsibility and Accountability:
Responsibility – someone takes care of something;
Accountability – someone’s head is under the guillotine if something goes wrong.

Is an audit a continuous process?

An (external) audit is a project, as it has a start date and an end date.
Nevertheless there can be a Continuous Audit initiative raised by the internal audit department (note: in German, interne Revision/Innenrevision).

Continuous Auditing Does Not Equal Continuous Monitoring
This difference has been identified and emphasized by the ISACA Standards Board. CA and CM may be defined as:
• CA—A methodology used by auditors, typically assisted by technology, to perform audit procedures and issue assurance on a continuous basis (e.g., weekly, monthly)
• CM—A process put in place by management, usually automated, to determine on a recurring and repetitive basis (e.g., weekly, monthly) if activities are in compliance with policies and procedures implemented by management
Why COBIT is not an audit methodology itself, but where it might be helpful: for all ISACA exams a brief overview of COBIT is necessary before the courses/classes and certainly for the exam itself.
The same applies to PMBOK, where a brief overview is good enough and no deep knowledge is necessary. CMM(I) is taught throughout the courses/classes, at the level necessary for the exam, of course.

COBIT might be really helpful for an assessment programme (e.g. CSA/RCSA).
The COBIT Assessment Programme is a COBIT-based approach that enables the evaluation of selected IT processes. The assessment results provide a determination of process capability and can be used for process improvement, delivering value to the business, measuring the achievement of current or projected business goals, benchmarking, consistent reporting and organizational compliance.
The process capability is expressed in terms of attributes grouped into capability levels and the achievement of specific process attributes as defined in ISO/IEC 15504-2. Processes can be assessed individually or alternatively in logical groups. As such, scoping areas have been defined based on previously developed mappings, published by ISACA, which will allow for focused assessments. These scoping areas include:
• Capability of IT processes to support cloud services
• Capability of IT processes to support achievement of IT and business goals
• Capability of IT processes to support SOX compliance
• Capability of IT processes to support the enterprise governance of IT **
Assessment reports will include the level of capability achieved, the processes needing improvement and recommendations for improvement.
COBIT Practitioner classes can be taken e.g. at ISACA Germany Chapter e.V.

** If you are interested in Enterprise Governance of IT, go for the CGEIT exam.
So what’s the difference between an ongoing audit process and “controlling”?
An audit can be about auditing controls: whether the right ones are in place, whether they are working, etc.

An example can be found on the ISACA website about auditing application security controls:
Prerequisites for Auditing Application Security
Application Security Layers
1. Operational layer—This is the core of application security and is generally controlled through the security module of the application.
2. Tactical layer—This is the next management layer above the operational layer. This includes supporting functions such as security administration, IT risk management and patch management.
3. Strategic layer—This layer includes the overall information security governance, security awareness, supporting information security policies and standards, and the overarching IT risk management framework.
The operational layer includes e.g.:
User accounts and access rights
Password controls
Really important! Segregation of duties (SoD)
Segregation of duties is defined as:
A basic internal control that prevents or detects errors and irregularities by assigning to separate individuals the responsibility for initiating and recording transactions and for the custody of assets.
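As an added example (not part of the original post and not ISACA material), the following shows how an auditor might test the SoD control from the definition above against an application's user/role export: roles are mapped to the three duties (initiate, record, custody), and any user holding two of them is flagged. The role mapping, conflict rules and user export are constructed sample data.

```python
"""SoD check over a constructed user/role export (added example, not ISACA material).
Models the three duties from the definition above: initiating transactions,
recording transactions, custody of assets. All data below is constructed."""
from collections import defaultdict
from itertools import combinations

# Constructed role -> duties mapping, derived by the auditor from the
# application's security module documentation.
ROLE_DUTIES = {
    "purchase_requester": {"initiate"},
    "ap_clerk": {"record"},
    "treasury": {"custody"},
    "read_only": set(),
}

# Any two of the three duties held by one individual is a conflict.
CONFLICTS = {frozenset(p) for p in combinations(["initiate", "record", "custody"], 2)}

# Constructed export (user, role): bob accumulates two conflicting duties,
# dave holds custody plus a harmless read-only role, erin has an unmapped role.
SAMPLE_EXPORT = [
    ("alice", "purchase_requester"),
    ("bob", "purchase_requester"),
    ("bob", "ap_clerk"),
    ("carol", "read_only"),
    ("dave", "treasury"),
    ("dave", "read_only"),
    ("erin", "unknown_role"),
]

def duties_per_user(export):
    """Aggregate every duty a user holds across all assigned roles;
    roles the auditor has not classified are collected separately."""
    held, unknown = defaultdict(set), defaultdict(set)
    for user, role in export:
        if role in ROLE_DUTIES:
            held[user] |= ROLE_DUTIES[role]
        else:
            unknown[user].add(role)
    return held, unknown

def sod_violations(export):
    """Return {user: sorted conflicting duty pairs} for users holding a conflict."""
    held, _ = duties_per_user(export)
    findings = {}
    for user, duties in held.items():
        hits = [p for p in combinations(sorted(duties), 2) if frozenset(p) in CONFLICTS]
        if hits:
            findings[user] = hits
    return findings

def unmapped_roles(export):
    """Roles in the export with no duty classification; an audit exception in itself."""
    _, unknown = duties_per_user(export)
    return {u: sorted(r) for u, r in unknown.items()}
```

Unmapped roles are reported separately because a role nobody has classified cannot be shown to be conflict-free and is therefore a finding in its own right.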

Risks Associated With Failure/Weak Application Security Controls
Standards and Guidance
Some of the standards and guidance that are available on application security are:
• Control objectives for application security are more specifically defined in COBIT® 4.1, including DS5.3 Identity management, DS5.4 User account management and DS5.5 Security testing, surveillance and monitoring.
• ITAF™: A Professional Practices Framework for IT Assurance provides more guidance (including value drivers and risk drivers) on how to use COBIT to support the IT assurance/audit activities relevant to managing security.
• ISACA® has published IT Audit and Assurance Guideline G38, Access Controls, which is a valuable reference for auditing application security.
• The Payment Card Industry (PCI) Data Security Standard (DSS) has prescribed two security compliance requirements that are specifically relevant to application security: Security Principle 6, ‘Develop and maintain secure systems and applications’ and Security Principle 8, ‘Assign a unique ID to each person with computer access’.
• The ISO/IEC NP 27034 ‘Guidelines for application security’ was under development at the time of this writing.

Objectives and benefits of audits?
Objectives, Scope and Authority of IT Audit and Assurance Standards
Can be downloaded here (2.5 MB)
A practical example concerns the objectives of an Exchange 2010 audit:
Table of Contents

I.     Introduction    4
II.     Using This Document    5
III.     Assurance and Control Framework    8
IV.     Executive Summary of Audit/Assurance Focus    9
V.     Audit/Assurance Program    14
1. Planning and Scoping the Audit    14
2. Preparatory Steps    16
3. Governance    18
4. Server Configuration    25
5. Network    34
6. Contingency Planning    34
VI.     Maturity Assessment    38
VII.     Maturity Assessment vs. Target Assessment    43
Appendix I. Exchange Server 2010—Server Roles    44
Appendix II. Exchange Server 2010 Transport Pipeline—Schematic    45
Appendix III. Specimen Exchange Server Management Role Hierarchy    46
More about it, and the option to download it (members) or purchase the book, can be found here.

An example of an audit benefit is not the audit itself but, as described here, an assurance programme for the use of social media:
Objective—The objective of the social media audit/assurance review is to provide management with an independent assessment relating to the effectiveness of controls over the enterprise’s social media policies and processes.
Scope—The review will focus on governance, policies, procedures, training and awareness functions related to social media. Specifically, it will address:
• Strategy and governance—policies and frameworks
• People—training and awareness
• Processes
• Technology

Table of Contents

I.     Introduction    5
II.    Using This Document    6
III.   Controls Maturity Analysis    9
IV.    Assurance and Control Framework    10
V.     Executive Summary of Audit/Assurance Focus    11
VI.    Audit/Assurance Program    14
1. Planning and Scoping the Audit    14
2. Strategy and Governance    15
3. People    19
4. Processes    22
5. Technology    24
VII.   Maturity Assessment    26
VIII.  Assessment Maturity vs. Target Maturity    30

It can be downloaded here (members)
or purchased at ISACA.
Any more questions?
Or leave a comment here – any valuable input is appreciated.
We will come back to you as soon as possible!


This free online webinar will give you a brief overview of what is covered by ISACA’s CISA and CISM certification programmes; a similar one will be held soon covering what is within the new CRISC programme.

Thursday, February 2nd, directly after the PMP and CAPM Overview Class. 02.02.2012, 5 pm to 7 pm.


5 job practice areas as determined by ISACA:
1. The Process of Auditing Information Systems (14%)
2. Governance & Management of IT (14%)
3. Information Systems Acquisition, Development, & Implementation (19%)
4. Information Systems Operations, Maintenance, & Support (23%)
5. Protection of Information Assets (30%)
There is no prerequisite to take the exam; however, in order to apply for the certification you must meet the necessary experience requirements as determined by ISACA.


5 content areas:
1. Information Security Governance (23%)
2. Information Risk Management (22%)
3. Information Security Program Development (17%)
4. Information Security Program Management (24%)
5. Incident Management & Response (14%)

The next exam for both will be held on June 9th, and the early exam registration deadline is February 8th.

Please register here for the event –

Remark: this is not a refresher class and it is not about COBIT (even though some basic COBIT knowledge is necessary for the CISA, CISM & CGEIT exams). COBIT classes are held, for example, by ISACA Germany e.V. themselves, and ISACA’s RiskIT is based on COBIT, too.

Best Regards,

The PM-Webinar Team


New ISACA Certification online classes for CRISC® will be held on five Tuesdays in May/June: May 8, 15, 22, 29 and June 5.
All times are 6 PM to 10 PM German time.

CRISC Exam Training Course

Training Duration: 5 live webinar sessions of 4 hours each
(The CRISC® online class will be conducted on five Tuesdays in May/June: May 8, 15, 22, 29 and June 5, all times 6 PM to 10 PM German time.)

Training Delivery Method: On-site, instructor-led course; or online, instructor-led course or hybrid

Instructor: Jay Ranade

Here are pictures from the Live On-site classes Fall 2011

Experienced IT control, audit, security or risk management professionals. There is no prerequisite to take the exam; however, in order to apply for certification you must meet the necessary experience requirements as determined by ISACA.

What Problem Does This Training Help Solve?
Provides training to help candidates prepare for ISACA’s CRISC exam and learn IT Risk Management

Who Should Attend?
IT professionals interested in earning CRISC certification and learning IT Risk Management

Course Material:
Customized content-rich course handouts from ISACA/Jay Ranade and 300 Jay Ranade CRISC Axioms
Note: Ranade CRISC Axioms are 300 one line statements which summarize the essence of the profession of IT Risk Management. Just reading those 300 statements greatly enhances your chances of passing CRISC exam and deeply understanding the subject of IT Risk Management.

Course Syllabus:
This training course is for individuals preparing to take the Certified in Risk and Information Systems Control (CRISC) Exam.

In this course, professionals will learn the 5 job practice areas as determined by ISACA:

1. Risk Identification, Assessment, and Evaluation (31%)
2. Risk Response (17%)
3. Risk Monitoring (17%)
4. Information Systems Controls Design and Implementation (17%)
5. Information Systems Control Monitoring and Maintenance (18%)
There is no prerequisite to take the exam; however, in order to apply for the certification you must meet the necessary experience requirements.

Exam Support:  Jay will answer any written questions up until the evening before the day of the exam. Please note that although questions will be sent by individuals, answers will be emailed to all attendees registered for the webinar. Identity of the question sender will not be disclosed. Jay will reserve the right to paraphrase the questions to enhance understanding.

Pricing: 790 EUR incl. VAT

For ISACA members the price is 520 EUR for CISA and 650 EUR for CISM and CRISC, incl. VAT (if applicable).

Students and military personnel get a special price; please send us proof of your status by email and we will tell you the pricing.

Price paid: € 790
Refund if cancelled by Wednesday, April 27th, 2012: € 790.00
Refund if cancelled by Wednesday, May 2, 2012: € 395

*Regardless of the refund amount listed, the amount refunded will never exceed the amount paid.

If there are not enough participants we reserve the right to cancel the eSeminar 14 days prior to the event and refund the full amount paid.

Want to know more about Jay –

Here you can find our other classes, as well.

Description in German –

21 CPE (as per rule)

Backend System for Students –

Best, Jutta Staudach.


Best Regards / Mit freundlichen Grüssen / Salutation cordiales
Jutta Edith Staudach

Risk Management Professionals International, German Division
Director of Global Certification seminars

Holsteiner Str. 4
D-40667 Meerbusch

Phone: +49.2132.6792142
Priv.: +49.2132.979199
Cell: +49.171.3833409

Risk Management Professionals International, Austrian Division
Director of Global Certification seminars

Vöslauerstrasse 46, A-2500 Baden bei Wien

PMP & CAPM Free Online Webinar

Dear Guests,

On February 2nd we will offer you a free two-hour online webinar. Afterwards you will have a brief overview of the following topics:

The five process groups:

  1. Initiating
  2. Planning
  3. Executing
  4. Monitoring and Controlling
  5. Closing

And 9 Knowledge Areas:

  1. Project Integration Management
  2. Project Scope Management
  3. Project Time Management
  4. Project Cost Management
  5. Project Quality Management
  6. Project Human Resource Management
  7. Project Communications Management
  8. Project Risk Management
  9. Project Procurement Management

These are described in the PMBOK® Guide by PMI® and used for passing the PMP® Exam.

Register here –

Best Regards,

Jutta Staudach.

Finding the Truth – New service from GeProS

13.01.2012 GeProS German Project Solutions offers new service PDU(R) Cracker Barrel for its customers

Under the name PDU Cracker Barrel, German Project Solutions GmbH is launching, as of 26 January 2012, a series of events taking place on the last Thursday of each month, which supports prospective and already certified PMP®s (Project Management Professional of the American Project Management Institute, PMI®) in maintaining their PMP certificate.

The PDU Cracker Barrel has an innovative format: a 90-minute interactive web meeting, 30 minutes of discussion and then a learning assessment in the GeProS Learning Management System. “It is important to us that our participants take away a direct benefit for their work,” says Ralf Friedrich, managing partner of GeProS, “at the same time, regular participation in the PDU Cracker Barrels leads to retaining the PMP certificate.” To retain the PMP, 60 so-called PDUs (Professional Development Units) must be collected within 3 years. Attending one PDU Cracker Barrel earns 3 PDUs.

Some topics will also be of interest to prospective CISAs (CISA(R) Certified Information Systems Auditor) as well as CRISC(R) (Certified in Risk and Information Systems Control) candidates. Both certificates are awarded by ISACA (Information Systems Audit Certification Association).

As a further incentive for professional development, the 3 best participants in the quiz held afterwards will be offered a free one-hour mentoring session on the internationally recognised certification topics covered by ISACA. The winners will of course also be announced on the Internet. In the case of a tie, time decides, just as in “Who Wants to Be a Millionaire”: whoever is faster comes out ahead.

This seminar series is also of interest to people who want to further their education in project management, audit, risk or security management.

GeProS starts on 26.01.2012 with the topic IS Audit, focusing on the audit of projects based on information systems topics. The special feature: the topic is presented from the auditors’ perspective for project managers.

In February the series continues with the topic Control Self Assessment.

The fee is EUR 69.- plus VAT per participant. Because of the international participation, the PDU Cracker Barrel is conducted in English.

The PDU Cracker Barrel on 26.01.2012 will be moderated by Jutta Staudach, CISA, CISM. Ms Staudach has been a member of ISACA since 2009 and was, among other things, a successful participant in the ISACA CISA and CISM Exam Item Writer Campaigns 2009 and 2010 (author of exam questions).
The co-moderator will be Mr Ralf Friedrich, PMP, ACC, BCC, CPCC, managing partner of GeProS and member of PMI since 1999.
GeProS looks forward to lively participation, and should you have any questions, Ms Sandra Müller is at your disposal at any time at the following address –
Contact Media Relations/Press Office –
® PMI, PMP are registered trademarks of the American Project Management Institute
® CISA, CISM and CRISC are registered trademarks of ISACA – Information Systems Audit and Control Association

GeProS – German Project Solutions GmbH
Sandra Müller
Dessauer Str. 79a
64807 Dieburg
+49 (0) 60 71 . 21 06 85

GeProS consists of an international team of experienced experts. This team offers a unique combination of methods, skills and knowledge.

The solutions have their roots in various schools of communication, in Accelerated Learning (also known as Suggestopedia or Superlearning), in coaching according to the principles of the International Coach Federation (ICF) and in the standards of the Project Management Institute (PMI), the world’s leading organisation for standardisation in project management.

All team members are involved in professional associations and actively shape their development and the development of new approaches in project management, such as Ralf Friedrich, Managing Director, as program manager of the first version of PMI®’s OPM3® standard, or as a researcher in the field of virtual work environments.

Customers and their growth are at the centre of our work. More than that: success is the result of our collaboration: customers become stronger and act in a more goal-oriented way in the market.




PMP’s gain PDU’s – PDU Cracker-Barrel

Register here – Finding the Truth – How to audit a project according to the Information Systems Audit Standards

Your benefits:

1. Understand the objectives of an IS-audit

2. State the internal mindset of an IS-auditor

3. State the elements and the content of an engagement letter

4. Differentiate between an engagement letter, an audit charter and a project charter

5. Establishing and approving an audit charter

6. State the role of the audit committee

7. Define the relationship between the auditor, audit committee and the project manager

The structure of the PDU Cracker-Barrel

First there will be an interactive 90-minute presentation about the 7 points above. Then there will be an informal 30-minute exchange among the participants. Finally there will be a 40-question multiple choice test. Then you will receive the PDU code and can claim 3 PDU’s.

About the facilitator of the PDU Cracker Barrel

Jutta Staudach has been CISA certified (Information Systems Auditor – ISACA) since 2009 and CISM certified (Information Security Manager – ISACA) since 2010.

Jutta has over 10 years of sound experience in project management and project portfolio management. She has managed projects with a business value of over 20 million USD.

Jutta is a highly skilled innovative out of the box thinker, who enjoys challenging assignments. She has a strong ability to build up a good team spirit in multicultural environments by establishing mutual trust with due regard for diligence and care.

PDU’s will be provided by GeProS –


XML Sitemap | Copyright © 2010 Jutta Staudach. All Rights Reserved. | Concept & design crsMedia Ltd.