ISACA Ireland Webcram - Sean Hanna

ISACA WebcramCISA & CISM

Sean Hanna

Sean HannaGRC & Cyber Warfare Consultant

EC-Council Global Security Trainer of the Year 2007, 2008, 2010 and again in 2011

EC Council Circle of Excellence Member 2012

LPT, ECSA, CEH, CHFI, NSAGCIH, GCIA, GSEC, CISSPCISM, CISA, CGEIT, PRINCE2

Let Start !

CISA & CISM

• These are NOT that different !• They are two sides of the one coin.

• CISM– Is the IS Department Manager– Implements & Manages IS/IT GRC

• CISA– Provides the Assurance function on IS/IT GRC– Understands and Measures

The EXAMs

• You need to understand that both exams require the SAME basic knowledge:– Governance– Risk– Compliance– COBIT– ITAF– Business Management Tools & Technique– Controls

The Difference

• Once you know the common basics…

• Then and only then…

• You can move on to the unique requirements of each exam!

Information Security Governance

Governance

• What is Governance?

• Where does it comes from?

• Who owns it?

Risk

• What is Risk?


• Who owns it?

Compliance

• What is Compliance?


• Who owns it?

Governance, Risk and Compliance

• GRC make up the responsibilities of the SMT

• It is the duty of SMT to understand GRC within their environment

Information Security GRC

• Is but one form of GRC

• No more important…

• No less important

• Considers the Data, Data Systems and Data Infrastructure

• And everything that might impact DS&I

SMT’s Role

• To ensure the success of the business by

– Understanding the business requirements

– Understanding the business goals

– Understanding the business risks

• Provide the strategy and direction• Provide the sponsorship and budget• Provide the oversight and control

SMT owns all GRC

SMT owns IS GRC

A MODEL FOR OWNERSHIP

How does SMT own GRC?

SMT


SMT

Policy


SMT

Policy


SMT

Policy


SMT

Policy

Standards


SMT

Policy

Standards


SMT

Policy

Standards


SMT

Policy

Standards

Guidelines


SMT

Policy

Standards

Guidelines


SMT

Policy

Standards

Guidelines


SMT

Policy

Standards

Guidelines

Procedures


SMT

Policy

Standards

Guidelines

Procedures


SMT

Policy

Standards

Guidelines

Procedures

HOW DO YOU WIN?

How do you win?

• To succeed you must know what success looks like

• To succeed you must measure success

• To succeed you must verify your measures

How does SMT manage RISK?

SMT

SMT

Controls


SMT

Controls


SMT

Controls

Audits


SMT

Controls

Audits


SMT

Controls

Audits

Dashboards


SMT

Controls

Audits

Dashboards


SMT

Controls

Audits

Dashboards

Assurance


SMT

Controls

Audits

Dashboards

Assurance


SMT BPR

Re-engineering how SMT functions

• COBIT provides many tools

• It suggests a simple but effective structure

Structure

SMT

IS Steering IS Committee

Programme Management

IT Department Functional Business Units

Audit Function

CISA

Audit

CISA

• CISA is all about audit:– General audit principles– Using a Governance model for business management– Managing project risk during development and acquisition– Managing operational risk during operation life cycle– Understand the vast array of controls

CISA

• Audit is all about assurance• Delivering a repeatable, trusted service• The Auditor must be:

– Independent– Trustworthy– Subject matter expert on processes

The CISA Answer Rules

• Evidence is the bases of all audit results

• Everything should be based on risk principles

• The Business always wins

• Every process needs to be verified

• CSA and GAS help with reducing workload

The CISA Specials

• You really need to know the tools of the trade– Sampling techniques– Measuring techniques– Reporting techniques

• Technical details on Controls do come up:– Software development methods– Software testing methods– Audit controls

CISM

Management

CISM

• CISM is all about Management:– Setting up and running a department– Using a Governance model for business management– Managing project risk during development and acquisition– Managing operational risk during operation life cycle– BCP, BIA and DRP– Understanding the vast array of controls

CISM

• Management is about translating business requirements into measureable results while managing risk in cost-effective way

• Delivering a repeatable, trusted service• The Manager must be:

– A Business leader– A subject matter expert– Under the whole business and its goals and objectives– Be able to influence and deliver results

The CISM Answer Rules

• Strategy is at the heart of a governance led business

• Everything should be based on risk principles

• The Business always wins

• Don’t do anything unless it can be measured

• Your success is all about the audit report

The CISM Specials

• You really need to know the tools of the trade– Measuring techniques– Reporting techniques

• Technical details on Controls do come up:– Virtually any Control can, and come up !

The Exam Day

The Exam Day

• Doors close at 08:30, make sure you’re in!• You must have government issued, photographic ID• Don’t take much in to the room with you• Wear a jacket/fleece, something you can off and hang on the back

of your seat• Drink plenty of water before the start• Make sure to take a restroom break

How to answer the questions

• Start at the start• Work your way through• Get to the end• Walk out !

• There’s no magic method that will help!

One step at a time

• Take each question as it comes• Don’t try to pick the right answer• Eliminate the 2 wrong answers first• Re-read the question and the 2 answers• Use the basics prinicpals to help you choose• Pick, move on and…• What ever you do, don’t think back!• Always move forward.

At the end of the exam

• You will be leaving early• Its not really a 4 hour exam• Be prepared to not know how you’ve done• Whatever you do, don’t check your answers!!

• When you’re finished, leave

How to pass

1.UNDERSTAND2.LEARN3.PRACTICE

Thank Youand good luck!

Documents

ISACA Ireland Webcram - Sean Hanna