See www.isaca.org/riskitbooks
for additional information.
THE RISK IT FRAMEWORK
ISACA
The Risk IT Framework provides a set of guiding principles and
supporting practices for enterprise management, combined to deliver
a comprehensive process model for governing and managing IT
risk. For users of COBIT and Val IT, this process model will look
familiar. Guidance is provided on the key activities within each
process, responsibilities for the process, information flows between
processes and performance management of each process. The model is
divided into three domains—Risk Governance, Risk Evaluation, Risk
Response—each containing three processes:
• Risk Governance
• Risk Evaluation
• Risk Response
2009, 104 pages. RITF
THE RISK IT PRACTITIONER GUIDE
ISACA
The Risk IT Practitioner Guide, a support document for the Risk
IT Framework, provides examples of possible techniques to address
IT-related risk issues, and more detailed guidance on how to approach
the concepts covered in the process model.
Concepts and techniques explored in more detail include:
• Building enterprise-specific scenarios, based on a set of generic
IT risk scenarios
• Building a risk map, using techniques to describe the impact and
frequency of scenarios
• Building impact criteria with business relevance
• Defining key risk indicators (KRIs)
• Using COBIT and Val IT to mitigate risk; the link between risk and
COBIT control objectives and Val IT key management practices
2009, 134 pages. RITPG
THE BUSINESS CASE GUIDE—USING VAL IT 2.0
ISACA
The intention of this publication is to position the business case as a
valuable management tool—an operational tool—and to provide an
easy-to-follow guide, based on Val IT 2.0, to creating, maintaining and
using the business case. As such, this publication builds on and enhances
the earlier version of this guide, Enterprise Value: Governance of IT
Investments, The Business Case (2006). This new publication is now
fully aligned with Val IT 2.0, provides “how to do it” tips, maturity
models, examples and references to other materials for using and
implementing the business case processes as the powerful operational
tools they have the potential to be. 2010, 49 pages. VITB2
See www.isaca.org/valitbooks
for complete descriptions.
THE VAL IT FRAMEWORK 2.0
ISACA
This publication is the foundation document in the
Val IT series. It presents practices for three domains:
• Value Governance
• Portfolio Management
• Investment Management
Each of these domains is broken down into key management
processes and a number of key management practices.
This edition simplifies the management processes and practices, and
extends the Val IT Framework beyond new investments to include IT
services, assets and other resources. It also aligns terminology with
COBIT, and adds a management guidelines section, similar to COBIT,
which provides a greater level of detail on the Val IT processes, key
management practices and maturity models for each Val IT domain.
2008, 146 pages. VITF2
GETTING STARTED WITH VALUE MANAGEMENT
ISACA
This is a guide that outlines “how to implement” Val IT and
complements The Val IT Framework, which describes “what
you do.” Getting Started With Value Management is made up of six
chapters that flow in a logical sequence moving from typical starting
points, pain points or “trigger points” to specific approaches to address
these points.
It offers assessment templates and practical guidance on how to
use the new framework, along with recommended approaches to
addressing investment issues in organizations. It contains suggested
maturity models and approaches to maintaining and sustaining change.
2008, 44 pages. VITM
VALUE MANAGEMENT GUIDANCE
FOR ASSURANCE PROFESSIONALS—
USING VAL IT 2.0
ISACA
The objective of the newest publication in the Val IT family, Value
Management Guidance for Assurance Professionals—Using
Val IT 2.0, is to provide guidance on how to use Val IT to support an
assurance review focused on the governance of IT-enabled business
investments for each of the three Val IT domains—Value Governance,
Portfolio Management and Investment Management. This guide
is based on the IT Assurance Guide: Using COBIT, which provides
comprehensive guidance on planning and performing a wide range of
IT-related assurance activities. This guide is focused on an assurance
review of IT value management based on and aligned with the Val IT
2.0 Framework—the governance of IT-related business investments.
Readers should be familiar with Val IT 2.0. Readers wishing to obtain
a fuller description and understanding of IT assurance principles and
context should refer to the IT Assurance Guide: Using COBIT.
2010, 48 pages. VITAG
See www.isaca.org/essentialsbooks
for complete descriptions and additional essential titles.
ACCESS CONTROL, SECURITY, AND
TRUST: A LOGICAL APPROACH
Shiu-Kai Chin and Susan Beth Older
Access Control, Security, and Trust: A Logical Approach equips
readers with an access control logic that they can use to specify and
verify their security designs. Throughout the text, the authors use a
single access control logic based on a simple propositional modal
logic. The first part of the book presents the syntax and semantics of
access control logic, basic access control concepts, and an introduction
to confidentiality and integrity policies. The second section covers
access control in networks, delegation, protocols and the use of
cryptography. In the third section, the authors focus on hardware and
virtual machines. The final part discusses confidentiality, integrity
and role-based access control. Taking a logical, rigorous approach
to access control, this book shows how logic is a useful tool for
analyzing security designs and spelling out the conditions upon which
access control decisions depend. 2010, 351 pages. 48-CRC
IT AUDITING USING CONTROLS TO
PROTECT INFORMATION ASSETS,
2ND EDITION
Chris Davis, Mike Schiller, Kevin Wheeler
Filled with solid techniques, checklists, forms, coverage of
leading-edge tools and systematic procedures for common IT audits,
IT Auditing, 2nd Edition covers real-life scenarios and fosters the skills
necessary for auditing complex IT systems. Fully updated to cover
new technology including cloud computing, virtualization and storage,
the book provides guidance on creating an effective and value-added
internal IT audit function. Information is presented in easy-to-follow
sections, allowing you to quickly grasp critical and practical techniques.
This edition contains updated tools and checklists, as well as
discussions of key concepts and methods for their effective use. This
definitive guide offers a unique combination of how-to information
on IT auditing for new auditors and cutting-edge audit techniques for
experienced professionals. 2011, 512 pages. 15-MIT2
ITAF: A PROFESSIONAL PRACTICES
FRAMEWORK FOR IT ASSURANCE
ISACA
ITAF: A Professional Practices Framework for
IT Assurance consists of compliance and good practice setting
guidance. The IT Assurance Framework™ (ITAF™):
• Provides direction on the design, conduct and reporting of
IT audit and assurance assignments
• Defines terms and concepts specific to IT assurance
• Establishes standards that address IT audit and assurance
professional roles and responsibilities, knowledge, skills and
diligence, conduct, and reporting requirements
ITAF provides a single source through which IT audit and assurance
professionals can seek guidance, research policies and procedures,
obtain audit and assurance programs, and develop effective reports.
2008, 71 pages. WITAF
IT SECURITY METRICS: A PRACTICAL
FRAMEWORK FOR MEASURING
SECURITY
& PROTECTING DATA
Lance Hayden
IT Security Metrics provides a comprehensive approach to measuring
risks, threats, operational activities and the effectiveness of data
protection in your organization. The book explains how to choose
and design effective measurement strategies and addresses the data
requirements of those strategies. The Security Process Management
Framework is introduced and analytical strategies for security metrics
data are discussed. Readers are shown how to take a security metrics
program and adapt it to a variety of organizational contexts to achieve
continuous security improvement over time. Real-world examples of
security measurement projects are included in this definitive guide.
2010, 396 pages. 22-MSM
ISACA member complimentary PDF www.isaca.org/downloads
IT STRATEGIC AND OPERATIONAL
CONTROLS
John Kyriazoglou
Nowadays, integrated information systems can significantly magnify
the accrued benefits of a given project and greatly strengthen an
organization, but such benefits are balanced by a serious risk. If IT
systems are not used in a disciplined manner, they can create havoc
and frequently bring about unexpected results and catastrophe, as
shown by the rise in security incidents and computer-based crimes.
Written with practicality and convenience in mind, this book is an
ideal tool for those without specialized technical expertise who are
seeking to understand IT controls and their design, implementation,
monitoring, review and audit issues. This book provides a
comprehensive guide to implementing an integrated and flexible
set of IT controls in a systematic way. It can help organizations to
formulate a complete culture for all areas that must be supervised and
controlled—allowing them to simultaneously ensure a secure, high
standard whilst striving to obtain the strategic and operational goals of
the company. 2010, 686 pages. 6-ITSOC
A NEW AUDITOR’S GUIDE TO
PLANNING, PERFORMING, AND
PRESENTING IT AUDITS
Nelson Gibbs, Divakar Jain, Amitesh Joshi, Surekha Muddamsetti,
Sarabjot Singh
Information technology is a highly dynamic, rapidly changing
environment. IT auditors are expected to stay current with the latest
tools, technologies, and trends, and may need to do additional research
to prepare for specific audits. This book is designed to help aspiring
and active internal auditors take a step back and understand the
general process and activities involved in conducting an audit around
technology.
This book uses a simplified four-layer technology model of networks,
operating systems, databases, and applications. It provides easily
understandable concepts of the technology environment that can be
applied in most organizations with little modification.
2010, 225 pages. 1-II
SAP SECURITY AND RISK
MANAGEMENT, 2ND EDITION
Mario Linkies and Horst Karin
The revised and expanded second edition of this best-selling book
describes all requirements, basic principles and best practices of
security for an SAP system. Readers will learn how to protect each
SAP component internally and externally while also complying with
legal requirements. Furthermore, the book describes how to master
the interaction of these requirements to provide a holistic security and
risk management solution. Using numerous examples and step-by-step instructions, this book teaches the reader the technical details of
implementing security in SAP NetWeaver. 2010, 726 pages. 2-SAPP
See www.isaca.org/specificbooks
for complete descriptions and additional
specific environment titles.
FRAUD AUDITING AND FORENSIC
ACCOUNTING, 4TH EDITION
Tommie W. Singleton, Aaron J. Singleton
With the responsibility of detecting and preventing fraud falling
heavily on the accounting profession, every accountant needs to
recognize fraud and learn the tools and strategies necessary to catch it
in time. Providing valuable information to those responsible for dealing
with prevention and discovery of financial deception, Fraud Auditing
and Forensic Accounting, 4th Edition helps accountants develop an
investigative eye toward both internal and external fraud and provides
tips for coping with fraud when it is found to have occurred.
This book includes step-by-step keys to fraud investigation and the
most current methods for dealing with financial fraud within the
organization. Written by recognized experts in the field of white-collar
crime, this fourth edition provides readers, whether beginning forensic
accountants or experienced investigators, with industry-tested methods
for detecting, investigating and preventing financial schemes.
2010, 317 pages. 88-WFA
IDENTITY MANAGEMENT: CONCEPTS,
TECHNOLOGIES, AND SYSTEMS
Elisa Bertino, Kenji Takahashi
Digital identity can be defined as the digital representation of the
information known about a specific individual or organization.
Digital identity management technology is an essential function in
customizing and enhancing the network user experience, protecting
privacy, underpinning accountability in transactions and interactions,
and complying with regulatory controls. This practical resource offers
readers an in-depth understanding of how to design, deploy and assess
identity management solutions. It provides a comprehensive overview
of current trends and future directions in identity management,
including best practices, the standardization landscape and the latest
research findings. Additionally, readers are given a clear explanation of
fundamental notions and techniques that cover the entire identity life
cycle. 2011, 194 pages. 10-ART