Certified Information Systems Auditor (CISA) Overview
Presented by Gary R. Austin, CISA, CISSP to the Federal Information Systems Security Educators' Association
NIST Conference - March 15, 2001
CISA Program
• Established in 1978 by the Information Systems Audit and Control Association
• A benchmark performance measure to evaluate an individual's competency in conducting IS audits.
• Organisational criteria for personnel selection, development, and promotion.
• Globally recognized as the de facto standard for certifying information systems auditing professionals.
• Over 150 exam locations worldwide.
• Over 24,000 professionals certified worldwide.
CISA Program Requirements
• Pass an examination testing a candidate's knowledge of IS auditing issues.
• Comply with annual requirements for continuing education.
• Acquire 5 years of professional experience, with the following waivers:
  • One year for general auditing or information systems experience.
  • One year for an Associate's degree (or 60 college semester hours).
  • Two years for a Bachelor's degree (or 120 college semester hours).
  • One year for two years as a university instructor in a related field.
CISA Historical Perspective
• Certification program devoted exclusively to the field of IT audit, control, and security.
• Developed by accounting and auditing professionals.
• Promulgates generally accepted standards and guidelines to ensure that the organization's information technology and business systems are adequately controlled, monitored, and assessed.
• Audit and control issues derived from a mainframe-centric view of business environments.
CISA Common Body of Knowledge (CBK)
• The Information Systems Audit Process
• Management, Planning, and Organization of Information Systems
• Technical Infrastructure and Operational Practices
• Protection of Information Assets
• Disaster Recovery and Business Continuity
• Business Application Development, Acquisition, Implementation, and Maintenance
• Business Process Evaluation and Risk Management
Coverage of Information System Security Issues
• Enterprise-wide security organizational and policy issues
• Logical Access Issues and Exposures
  • Authentication Techniques
  • Programs, Files, and System Resources to Protect
  • Monitoring Activities
  • Encompasses both Host- and Network-Based Systems
  • Internet issues and protection mechanisms addressed
• Physical Access Issues and Exposures
Coverage of Information System Security Issues (continued)
• Common Cryptosystems
  • Basic understanding of symmetric and asymmetric models
  • Introduction to a PKI infrastructure
• Business Continuity Planning and Disaster Recovery
• Secure e-Commerce applications
CISA Advantages
• CBKs provide broad, comprehensive descriptions of conceptual principles for IS controls and related general IS audit practices.
• Lays the foundation for continued professional development:
  • Code of Professional Ethics
  • CPE requirements
• Awareness of information systems security issues is high.
CISA Recognition
• More than two hundred CISAs are CEOs or CFOs.
• More than three hundred CISAs are CIOs or IS Security Directors.
• More than 1,300 others serve as Audit Directors or as Audit Partners with public accounting firms.
• More than 2,500 additional CISAs are in managerial positions in IT operations, security, or auditing.
Credentialing Issues
• CISA, as a minimum, is an enabler in providing the following IS skill level needed by audit organizations:
  • Execute any audit program related to information systems, recognize control weaknesses, and assess the materiality of these control weaknesses back to the scope and objectives of the audit (Level One Auditor with a conceptual knowledge of information systems).*

*Source: Institute of Internal Auditors, Systems Auditing Capability Framework, 6/97.
Credentialing Issues (continued)
• Other IS skill levels essential to audit organizations:
  • Relate symptoms back to the originating cause and determine if the scope of the audit needs to be expanded to encompass the originating cause of the problem (Level Two Auditor, fully conversant with concepts of system auditing).
  • Formulate an audit program for highly specialized, vendor-specific products with appropriate testing mechanisms; execute the audit program; recognize control weaknesses; assess the materiality of these weaknesses; and relate them back to the scope and direction of the audit.*

*Source: Institute of Internal Auditors, Systems Auditing Capability Framework, 6/97.
Concluding Remarks
• Attaining the CISA credential lays the foundation for auditors to build the level of IS auditing skills needed by audit organizations.
• CISA is a career-enhancing move.
• Other credentialing programs are needed to attain higher skill levels (e.g., ISACA has established a credentialing task force to review development of an IS security credential).
• The credentialing landscape is changing.
• ISACA is trying to maintain its strategic credentialing position with auditing professionals.