
8/7/2019 A career as Information Sys.. 1/4

Printer Friendly Version
WEB LINK - http://www.networkmagazineindia.com/200312/securedview01.shtml

    Secured View: Security Certification

    A career as Information Systems Auditor

The roles of IS Auditor and Information Security Auditor are becoming very significant. So CISA certification definitely opens up doors to many opportunities.

by Avinash Kadam

We are familiar with the term auditing, which is usually associated with financial auditing. We also come across terms like quality audit, management audit, environment audit and now, Information Systems Audit. So, who can be an IS Auditor? To quote from the famous book, Information Systems Control and Audit by Ron Weber: "To be a good auditor, you have to be better at business than your client." Further, the purpose of information systems audit is to evaluate whether computer-based information systems fulfill the following aims:

Safeguard assets
Maintain data integrity
Achieve organizational objectives effectively
Consume resources efficiently

So, the expectations from an information systems auditor are rather high. The IS auditor should know what the business expects from information systems, what the best IT practices are, and whether the information systems of an organization realize these expectations and best practices. Since all businesses are now heavily dependent on information systems, management wants assurance from independent experts. A Certified Information Systems Auditor or CISA is an independent expert who is qualified to perform information systems audits. This has uplifted the status of the CISA designation, which is often a mandatory qualification for an information systems auditor.

The Information Systems Audit and Control Association (ISACA) is a world-recognized body that was founded in 1969. The CISA examination and certification was initiated in 1978, to address industry requirements. Today, there are more than 30,000 CISAs worldwide. The examination is conducted in 1 languages at 200 locations. The 2003 CISA examination had more than 1,900 candidates.

ISACA has ensured that the CISA syllabus meets the industry expectations. The syllabus is periodically enhanced to reflect the current trends in information technology. The current syllabus expects one to know the following domains. (Figures in brackets are the weightage given to each domain in the examination paper.)

1. Management, Planning, and Organization of IS (11%)

This domain describes the best IS management practices. Unlike CISSP, this domain does not restrict itself to only Information Security, but covers all aspects of information systems. To begin with, it defines the entire organizational structure of the Information Systems department, from Chief Information Officer to tape librarian, or data-entry operator. In the current scenario of downsizing and outsourcing, we may not find all the classical job definitions and practices in the organization, but we need to understand the best practices for managing the IS department, planning its activities and having an appropriate management structure in place.

    2. Technical Infrastructure and Operational Practices (13%)

A career as Information Systems Auditor - Secured View - Network Ma... http://www.networkmagazineindia.com/cgi-bin/ecprint/MasterPFP.cgi... 7/27/2010 5:33 AM


This domain covers all the technologies pertaining to hardware, software and networking. So, you have to study the types of databases, the TCP/IP protocols, telecommunications, the LAN and also various operational practices and how to audit these, along with the infrastructure. Understanding the technology is important to evaluate whether the implementation has been done appropriately.

3. Protection of Information Assets (25%)

This domain focuses on information security management. You have to study various vulnerabilities of the infrastructure as well as the security technologies that would protect these. These include logical access controls, networking access controls like firewalls, intrusion detection, encryption, and environmental and physical exposures and controls.

4. Disaster Recovery and Business Continuity (10%)

Business continuity has become a major focus area as the availability of information systems has become critical to business. This domain requires a good understanding of the business continuity/disaster recovery planning process, which includes business impact analysis, recovery strategies, developing, implementing, testing and updating the plans, and how the plan should be audited.

5. Business Application System Development, Acquisition, Implementation, and Maintenance (16%)

This domain focuses on the core area of information systems development. You have to learn the traditional system development lifecycle, as well as the modern development strategies like object-oriented system development, component-based and Web-based system development; understand the information system management practices, project management practices, tools, process improvement models, and the auditing of the entire system development process.

6. Business Process Evaluation and Risk Management (15%)

This module links the business expectations and the risks to the development and deployment of information systems. Areas like Business Process Reengineering, Risk Management, IT governance, application controls, and various business application systems like e-Commerce, EDI, Artificial Intelligence, data warehouses and Decision Support Systems are covered here.

7. The IS Audit Process (10%)

This module familiarizes us with ISACA's code of ethics, auditing standards and guidelines, as well as audit methodology, Computer Assisted Audit Techniques and Control Self-Assessment.

In the last article on CISSP, I compared the CISSP domains with the BS7799 domains. I have done a similar exercise of comparing the CISA domains with the BS7799 domains in the table. So you will find that there is a good amount of overlap in the knowledge areas. CISA is focused on overall information systems, and so, security is one of the components handled in domains 2, 3 and 4, which is about 48% of the total syllabus. Domain 1 of CISA indirectly covers the requirements for Domain 1 of BS7799. The remaining 52% of CISA is devoted to areas like IS Management, IS Audit, Business Process Evaluation & Risk Management; Business Application Development; Acquisition & Maintenance, which do not directly relate to security, but are focused on effectiveness and efficiency of information system implementation in business, and indirectly refer to security implications.

This is one reason why many professionals acquire both certifications: CISA as well as CISSP. After all, if you have completed CISA successfully, you have covered a lot of material for CISSP. It may not be to the same depth of technical knowledge as expected for CISSP, but you would be able to easily build on this base. Similarly, if you have done CISSP first, you would have already covered half the CISA material, and need to concentrate on the new areas of Business Application, Management and IS Audit.

I would personally recommend both certifications to get an all-round exposure to Information Management as well as Information Security Management.

How to become a CISA

ISACA has stipulated the following guidelines for getting the CISA designation. Remember, passing the examination is just the first step.

1. Successful completion of the CISA examination.

The examination is conducted once a year on the second Saturday of June. So the next examination is scheduled for 12th June 2004. The examination consists of 200 multiple choice questions to be answered within four hours. The passing score is 75 percent, which means that if you pass the exam, you have scored marks which put you in the top 25%.

2. Information systems auditing, control or security experience.

You need to have five years of IS audit experience, with waivers of up to two years given based on auditing experience, a graduate degree or teaching experience in a related field. This experience could even be gained after passing the examination.

3. Adherence to the Code of Professional Ethics.

ISACA has formulated the Code of Professional Ethics. You must read and abide by it.

4. Adherence to the continuing professional education program.

You have to ensure that you are keeping your knowledge up-to-date by clocking 120 hours in three years in acquiring knowledge by means of attending lectures, giving lectures or doing work for the ISACA local chapter.

5. Compliance with the Information Systems Auditing Standards.

You have to adhere to the IS Audit Standards as promulgated by ISACA.

Apart from these, you also have to pay various fees like membership fees, certification fees, local chapter fees and the examination fees. All these details are available on the website, www.isaca.org.

How to prepare for the examination

Each year ISACA publishes a CISA Review Manual. This is a must buy as it reflects the complete syllabus for the CISA examination. This is not a textbook but a review manual; as such, it helps you to review all the topics. If you are not familiar with some areas, good textbooks like Information Systems Control and Audit by Ron Weber can really help. Another good book is Computer Networks by Tanenbaum. ISACA has a number of white papers and articles available for its members on the website.

CISA Study Circle

ISACA has nine local chapters in India. Each chapter conducts a CISA study circle. Volunteers of the local chapters, who like to share knowledge with aspiring CISAs, conduct these study circles. You will be able to get the chapter contact details from the ISACA website. One of the greatest advantages of these study circles is meeting other aspirants and forming smaller study groups. Candidates from different backgrounds appear for the examination. The study group members complement each other's strengths. This model has worked very well.

The study circle's classes usually start in November and continue till the end of April, and are conducted either in the evenings or on weekends, depending on the convenience of most of the participants. The local chapters also conduct short duration crash courses for those who cannot attend a full duration study circle.


Question Banks

Unlike CISSP, there are not many books with question banks. Joining the study circle gives you access to some question banks compiled by past students. Also, the study circles conduct mock tests based on previous question banks from the old review manuals. These could be used for practice, but the difficulty level of the actual examination will be higher than these questions.

Time frame

If you start serious studies from November and regularly assess your preparation by solving various question banks or taking up the mock tests at the study circle, you should be well prepared to appear for the June examination. You have to make a decision by 4th February to get an early bird discount.

Opportunities

The fact that a requisite CISA qualification is mentioned in advertisements for IS Auditors is proof enough of its acceptability in the industry. With increasing emphasis by Government on having periodic IS audits, and the industry opting for security certifications like BS7799, the roles of IS auditor as well as Information Security Auditor are becoming very important. CISA certification definitely opens up doors to many opportunities.
