8/7/2019 A career as Information Sys..
Printer Friendly Version. WEB LINK - http://www.networkmagazineindia.com/200312/securedview01.shtml
Secured View: Security Certification
A career as Information Systems Auditor
The roles of IS Auditor and Information Security Auditor are becoming very significant. So CISA certification definitely opens up doors to many opportunities.
by Avinash Kadam
We are familiar with the term auditing, which is usually associated with
financial auditing. We also come across terms like quality audit, management
audit, environment audit and now, Information Systems Audit. So, who can be
an IS Auditor? To quote from the famous book, Information Systems Control
and Audit by Ron Weber: "To be a good auditor, you have to be better at business than your
client." Further, the purpose of information systems audit is to evaluate whether
computer-based information systems fulfill the following aims:
Safeguard assets
Maintain data integrity
Achieve organizational objectives effectively
Consume resources efficiently
So, the expectations from an information systems auditor are rather high. The IS auditor
should know what the business expects from information systems, what are the best IT
practices, and whether the information systems of an organization realize these expectations
and best practices. Since all businesses are now heavily dependent on information systems,
management wants assurance from independent experts. A Certified Information Systems
Auditor or CISA is an independent expert who is qualified to perform information systems
audit. This has uplifted the status of the CISA designation, which is often a mandatory
qualification for an information systems auditor.
Information Systems Audit and Control Association (ISACA) is a world-recognized body that
was founded in 1969. The CISA examination and certification was initiated in 1978, to address
industry requirements. Today, there are more than 30,000 CISAs worldwide. The examination
is conducted in 1 languages at 200 locations. The 2003 CISA examination had more than
1,900 candidates.
ISACA has ensured that the CISA syllabus meets the industry expectations. The syllabus is
periodically enhanced to reflect the current trends in information technology. The current
syllabus expects one to know the following domains.
(Figures in brackets are the weightage given to each domain in the examination paper.)
1. Management, Planning, and Organization of IS (11%)
This domain describes the best IS management practices. Unlike CISSP, this domain does not
restrict itself to only Information Security, but covers all aspects of information systems. To
begin with, it defines the entire organizational structure of the Information Systems
department, from Chief Information Officer to tape librarian, or data-entry operator. In the
current scenario of downsizing and outsourcing, we may not find all the classical job
definitions and practices in the organization, but we need to understand the best practices for
managing the IS department, planning its activities and having an appropriate management
structure in place.
2. Technical Infrastructure and Operational Practices (13%)
areer as Information Systems Auditor - Secured View - Network Ma... http://www.networkmagazineindia.com/cgi-bin/ecprint/MasterPFP.cgi...
4 7/27/2010 5:33 AM
This domain covers all the technologies pertaining to hardware, software and networking. So,
you have to study the types of databases, the TCP/IP protocols, telecommunications, the LAN
and also various operational practices and how to audit these, along with the infrastructure.
Understanding the technology is important to evaluate whether the implementation has been
done appropriately.
3. Protection of Information Assets (25%)
This domain focuses on information security management. You have to study various
vulnerabilities of the infrastructure as well as the security technologies that would protect
these. These include logical access controls, networking access controls like firewalls, intrusion
detection, encryption and environmental and physical exposure and controls.
4. Disaster Recovery and Business Continuity (10%)
Business continuity has become a major focus area as the availability of information systems
has become critical to business. This domain requires a good understanding of the business
continuity/disaster recovery planning process, which includes business impact analysis,
recovery strategies, developing, implementing, testing and updating the plans, and how the
plan should be audited.
5. Business Application System Development, Acquisition, Implementation, and Maintenance
(16%)
This domain focuses on the core area of information systems development. You have to learn
the traditional system development lifecycle, also the modern development strategies like
object-oriented system development, component-based and Web-based system development;
understand the information system management practices, project management practices,
tools, process improvement models, and the auditing of the entire system development
process.
6. Business Process Evaluation and Risk Management (15%)
This module links the business expectations and the risks, to the development and
deployment of information systems. Areas like Business Process Reengineering, Risk
Management, IT governance, application controls, various business application systems like
e-Commerce, EDI, Artificial Intelligence, data warehouse, Decision Support Systems are
covered here.
7. The IS Audit Process (10%)
This module familiarizes us with ISACA's code of ethics, auditing standards, guidelines, as well
as audit methodology, Computer Assisted Audit techniques and Control Self-Assessment.
In the last article on CISSP, I compared the CISSP domains with BS7799 domains. I have
done a similar exercise of comparing the CISA domains with BS7799 domains in the table.
So you will find that there is a good amount of overlap in the knowledge areas. CISA is
focused on overall information systems, and so security is one of the components handled in
domains 2, 3 and 4, which is about 48% of the total syllabus. Domain 1 of CISA indirectly
covers the requirements for Domain 1 of BS7799. The remaining 52% of CISA is devoted to
areas like IS Management, IS Audit, Business Process Evaluation & Risk Management, and
Business Application Development, Acquisition & Maintenance, which do not directly relate to
security, but are focused on the effectiveness and efficiency of information system implementation
in business, and indirectly refer to security implications.
This is one reason why many professionals acquire both certifications: CISA as well as CISSP.
After all, if you have completed CISA successfully, you have covered a lot of material for CISSP. It may not be to the same depth of technical knowledge as expected for CISSP, but
you would be able to easily build on this base. Similarly, if you have done CISSP first, you
would have already covered half the CISA material, and need to concentrate on the new areas
of Business Application, Management and IS Audit.
I would personally recommend both certifications to get an all round exposure of Information
Management as well as Information Security Management.
How to become a CISA
ISACA has stipulated the following guidelines for getting the CISA designation. Remember,
passing the examination is just the first step.
1. Successful completion of the CISA examination.
The examination is conducted once a year on the second Saturday of June. So the next
examination is scheduled for 12th June 2004. The examination consists of 200 multiple-choice
questions to be answered within four hours. The passing score is 75 percent, which means
that if you pass the exam, you have scored marks which put you in the top 25%.
2. Information systems auditing, control or security experience.
You need to have five years of IS audit experience, with waivers of up to two years given,
based on auditing experience, graduate degree or teaching experience in a related field. This
experience could even be gained after passing the examination.
3. Adherence to the Code of Professional Ethics.
ISACA has formulated the Code of Professional Ethics. You must read and abide by the same.
4. Adherence to the continuing professional education program.
You have to ensure that you are keeping your knowledge up to date by clocking 120 hours in
three years of acquiring knowledge by means of attending lectures, giving lectures or
doing work for the ISACA local chapter.
5. Compliance with the Information Systems Auditing Standards.
You have to adhere to the IS Audit Standards as promulgated by ISACA.
Apart from these, you also have to pay various fees like membership fees, certification fees,
local chapter fees and the examination fees. All these details are available on the website,
www.isaca.org.
How to prepare for the examination
Each year ISACA publishes a CISA Review Manual. This is a must-buy as it reflects the
complete syllabus for the CISA examination. This is not a textbook but a review manual; as
such it helps you to review all the topics. If you are not familiar with some areas, good
textbooks like Information Systems Control and Audit by Ron Weber can really help. Another
good book is Computer Networks by Tanenbaum. ISACA has a number of white papers and
articles available for its members on the website.
CISA Study Circle
ISACA has nine local chapters in India. Each chapter conducts a CISA study circle. Volunteers
of the local chapters, who like to share knowledge with aspiring CISAs, conduct these study
circles. You will be able to get the chapter contact details from the ISACA website. One of the
greatest advantages of these study circles is meeting other aspirants and forming smaller
study groups. Candidates from different backgrounds appear for the examination. The study
group members complement each other's strengths. This model has worked very well.
The study circle's classes usually start in November and continue till the end of April, and are
conducted either in the evenings or on weekends, depending on the convenience of most of the
participants. The local chapters also conduct short-duration crash courses for those who
cannot attend a full-duration study circle.
Question Banks
Unlike CISSP, there are not many books with question banks. Joining the study circle gives
you access to some question banks compiled by past students. Also, the study circles conduct
mock tests based on previous question banks from the old review manuals. These can be
used for practice, but the difficulty level of the actual examination will be higher than these
questions.
Time frame
If you start serious studies from November and regularly assess your preparation by solving
various question banks or taking up the mock tests at the study circle, you should be well
prepared to appear for the June examination. You have to make a decision by 4th February to
get an early bird discount.
Opportunities
The fact that a CISA qualification is listed as a requisite in advertisements for IS Auditors is
proof enough of its acceptability in the industry. With increasing emphasis by the Government on
periodic IS audits, and the industry opting for security certifications like BS7799, the
roles of IS Auditor as well as Information Security Auditor are becoming very important.
CISA certification definitely opens up doors to many opportunities.