ISACA Webcram: CISA & CISM
Sean Hanna
GRC & Cyber Warfare Consultant
EC-Council Global Security Trainer of the Year 2007, 2008, 2010 and again in 2011
EC-Council Circle of Excellence Member 2012
LPT, ECSA, CEH, CHFI, NSA, GCIH, GCIA, GSEC, CISSP, CISM, CISA, CGEIT, PRINCE2
Let's Start!
CISA & CISM
• These are NOT that different!
• They are two sides of the one coin.
• CISM
– Is the IS Department Manager
– Implements & Manages IS/IT GRC
• CISA
– Provides the Assurance function on IS/IT GRC
– Understands and Measures
The EXAMs
• You need to understand that both exams require the SAME basic knowledge:
– Governance
– Risk
– Compliance
– COBIT
– ITAF
– Business Management Tools & Techniques
– Controls
The Difference
• Once you know the common basics…
• Then and only then…
• You can move on to the unique requirements of each exam!
Information Security Governance
Governance
• What is Governance?
• Where does it come from?
• Who owns it?
Risk
• What is Risk?
• Where does it come from?
• Who owns it?
Compliance
• What is Compliance?
• Where does it come from?
• Who owns it?
Governance, Risk and Compliance
• GRC makes up the responsibilities of the SMT (senior management team)
• It is the duty of the SMT to understand GRC within their environment
Information Security GRC
• Is but one form of GRC
• No more important…
• No less important
• Considers the Data, Data Systems and Data Infrastructure
• And everything that might impact DS&I
SMT’s Role
• To ensure the success of the business by
– Understanding the business requirements
– Understanding the business goals
– Understanding the business risks
• Provide the strategy and direction
• Provide the sponsorship and budget
• Provide the oversight and control
SMT owns all GRC
SMT owns IS GRC
A MODEL FOR OWNERSHIP
How does SMT own GRC?
• SMT
– Policy
– Standards
– Guidelines
– Procedures
HOW DO YOU WIN?
How do you win?
• To succeed you must know what success looks like
• To succeed you must measure success
• To succeed you must verify your measures
How does SMT manage RISK?
• SMT
– Controls
– Audits
– Dashboards
– Assurance
SMT BPR
Re-engineering how SMT functions
• COBIT provides many tools
• It suggests a simple but effective structure
Structure
• SMT
• IS Steering Committee
• Programme Management
• IT Department
• Functional Business Units
• Audit Function
CISA
Audit
CISA
• CISA is all about audit:
– General audit principles
– Using a Governance model for business management
– Managing project risk during development and acquisition
– Managing operational risk during the operational life cycle
– Understanding the vast array of controls
CISA
• Audit is all about assurance
• Delivering a repeatable, trusted service
• The Auditor must be:
– Independent
– Trustworthy
– A subject matter expert on processes
The CISA Answer Rules
• Evidence is the basis of all audit results
• Everything should be based on risk principles
• The Business always wins
• Every process needs to be verified
• CSA (control self-assessment) and GAS (generalised audit software) help with reducing workload
The CISA Specials
• You really need to know the tools of the trade:
– Sampling techniques
– Measuring techniques
– Reporting techniques
• Technical details on Controls do come up:
– Software development methods
– Software testing methods
– Audit controls
CISM
Management
CISM
• CISM is all about Management:
– Setting up and running a department
– Using a Governance model for business management
– Managing project risk during development and acquisition
– Managing operational risk during the operational life cycle
– BCP, BIA and DRP
– Understanding the vast array of controls
CISM
• Management is about translating business requirements into measurable results while managing risk in a cost-effective way
• Delivering a repeatable, trusted service
• The Manager must be:
– A Business leader
– A subject matter expert
– Able to understand the whole business and its goals and objectives
– Able to influence and deliver results
The CISM Answer Rules
• Strategy is at the heart of a governance led business
• Everything should be based on risk principles
• The Business always wins
• Don’t do anything unless it can be measured
• Your success is all about the audit report
The CISM Specials
• You really need to know the tools of the trade:
– Measuring techniques
– Reporting techniques
• Technical details on Controls do come up:
– Virtually any control can, and does, come up!
The Exam Day
The Exam Day
• Doors close at 08:30, make sure you're in!
• You must have government-issued, photographic ID
• Don't take much into the room with you
• Wear a jacket/fleece, something you can take off and hang on the back of your seat
• Drink plenty of water before the start
• Make sure to take a restroom break
How to answer the questions
• Start at the start
• Work your way through
• Get to the end
• Walk out!
• There's no magic method that will help!
One step at a time
• Take each question as it comes
• Don't try to pick the right answer
• Eliminate the 2 wrong answers first
• Re-read the question and the 2 remaining answers
• Use the basic principles to help you choose
• Pick, move on and…
• Whatever you do, don't think back!
• Always move forward.
At the end of the exam
• You will be leaving early
• It's not really a 4-hour exam
• Be prepared to not know how you've done
• Whatever you do, don't check your answers!!
• When you're finished, leave
How to pass
1. UNDERSTAND
2. LEARN
3. PRACTICE
Thank You and good luck!