Professional Designations IT Assurance

Published in: Education, Technology

  1. An overview for assurance professionals
     Asif Virani
     ACC626 – Professor M. Datardina
     July 5, 2012

  2. • Why should I care?
     • Why an IS professional?
     • Types of engagements
     • Certifications:
       • ISACA
         • CISA
         • CISM
         • CGEIT
       • (ISC)2
         • CISSP
       • GIAC
         • GSNA
     • Concluding thoughts

  3. • With the advent of Sarbanes-Oxley, auditors must verify that “controls are in place and working correctly”
     • Information integrity depends on system integrity: “if the security or integrity of the information system can be compromised, then the information in them can be compromised”
     • Canadian Auditing Standard 315
       • Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and its Environment
     • For smaller companies, information systems are simpler but their role is still significant
     • Important to understand and evaluate a client’s IT system regardless of its size

  4. • Increased efficiency and effectiveness of audits, identification of system vulnerabilities, input on risk assessment and the control environment, recommendations and advice
     • Companies need to be aware of the risks surrounding information security
     • Help clients manage their risks and maximize their benefits from using emerging technologies

  5. • Financial statement audits
     • Internal control design and effectiveness (CSAE 3416 reports, etc.)
     • Internal audit function
     • Designing and implementing secure systems
       • EC-Council Secure Programmer (ECSP)
       • EC-Council Secure Application Designer (ECSAD)
       • Certified Secure Software Lifecycle Professional (CSSLP)
       • GIAC Secure Software Programmer (GSSP)
     • Security assessments and responses, monitoring
       • Specialized certifications
         • Ethical hacking, penetration testing, computer hacking forensics, intrusion analysis, web application security

  6. • Information Systems Audit and Control Association (ISACA)
       • Certified Information Systems Auditor (CISA)
       • Certified Information Security Manager (CISM)
       • Certified in the Governance of Enterprise IT (CGEIT)
     • International Information Systems Security Certification Consortium ((ISC)2)
       • Certified Information Systems Security Professional (CISSP)
     • Global Information Assurance Certification (GIAC)
       • GIAC Systems and Network Auditor (GSNA)

  7. • Governing body for IS audit and control professionals
     • 4 designations in audit, security and IT governance
     • Professional Code of Ethics
     • Continuing Professional Education program
     • Compliance with ISACA standards (CISA)
     • Certification exams
     • Work experience requirement

  8. • “Leverage standards, manage vulnerabilities, ensure compliance, offer solutions, institute controls and deliver value to the enterprise”
     • Requirements:
       • CISA exam
       • Minimum 5 years work experience
       • Code of Ethics and CPE
       • IS Auditing Standards as adopted by ISACA

  9. • Job practice areas:
       • Process of auditing systems
       • Governance and management of IT
       • Information systems acquisition, development and implementation
       • Information system operations, maintenance and support
       • Protection of information assets
     • Bottom line:
       • Professional who is familiar with and can perform IT audits
       • Provides assistance in understanding the IT system, performing risk assessments and testing controls
       • Enhances the audit function by analyzing and auditing IT aspects, providing greater audit effectiveness and efficiency
       • Invaluable when preparing special reports (CSAE 3416, etc.)

  10. • “Build and manage information security programs… bring a comprehensive view of information security management and its relationship with organizational success”
      • Requirements:
        • CISM exam
        • Minimum 5 years information security work experience, with a minimum of 3 years in information security management or in 3 or more of the job practice areas
        • Code of Ethics and CPE

  11. • Job practice areas:
        • Information security governance
        • Information risk management and compliance
        • Information security program development and management
        • Information security incident management
      • Bottom line:
        • Focus on information system security program management, governance, compliance and risk management
        • Link between upper management and the information security function
        • Help understand and advise on the security environment at client organizations

  12. • Ability to “discuss critical issues around governance and strategic alignment… grasps the complex subject holistically and therefore enhances value to the enterprise”
      • Requirements:
        • CGEIT exam
        • Minimum 5 years work experience managing, serving in an advisory or oversight role, and/or otherwise supporting IT governance, with a minimum of 1 year experience related to developing and/or maintaining an IT governance framework
        • Code of Ethics and CPE

  13. • Job practice areas:
        • IT governance framework
        • Strategic alignment
        • Value delivery
        • Risk management
        • Resource management
        • Performance measurement
      • Bottom line:
        • CGEITs “deliver on corporate business goals, more successful IT implementation, secure environment and more agile business processes… greater returns on IT investments”
        • Provide client value with advice on the management of IT assets
        • Help build and evaluate business cases for clients’ IT investments

  14. • Certifying body for a number of information security-related designations
      • Professionals with (ISC)2 credentials differentiate themselves as knowledgeable in general and specific areas of IT security
      • Provide value to security functions

  15. • “Develop policies and procedures in information security… define architecture, design, management and/or controls that assure security of business environments”
      • Requirements:
        • CISSP exam
        • Minimum 5 years professional security work experience in at least 2 of the 10 domains of the core body of knowledge
        • Code of Ethics and CPE
        • Endorsement form signed by an active (ISC)2 certified member

  16. • Knowledge domains:
        • Access control, telecommunications and network security, information security governance and risk management, software development security, cryptography, security architecture and design, operations security, business continuity and disaster recovery planning, legal/regulations/investigations compliance, and physical (environmental) security
      • Bottom line:
        • Very good overall view of security and the different aspects requiring consideration
        • Help identify and design security setups and provide overall assessments of the security environment
        • Assist in gaining an understanding of the business and control environment, identifying control weaknesses and system vulnerabilities, and focusing audit work and areas of testing for the assurance practitioner

  17. • Technical certification demonstrating competence in systems and network auditing
      • Focus on processes, assessments and testing
      • Requirement:
        • GSNA exam
      • Testing areas:
        • Audit methodology, risk management, auditing firewalls, intrusion detection systems, network services, critical systems, networking devices, Unix and Windows systems, and web applications and servers

  18. • GSNAs are often engaged to perform specific testing on systems
      • GIAC does not govern GSNAs or other GIAC-certified professionals
        • No professional code of ethics
        • No CPE requirement, but recertification required every 4 years
      • Bottom line:
        • Valuable team member who understands the objectives of an audit
        • Increased efficiency and effectiveness of audits through technical testing and auditing of IT systems and networks

  19. • Certification provides credibility and attests that holders take their role and industry seriously, are competent in a strong body of core knowledge, and are familiar with industry topics
      • In choosing the appropriate professional, requirements should be properly defined and planned
      • Greater efficiency and effectiveness of work, increased delivery and service opportunities to clients, reduced exposure to more stringent auditing standards
      • Heightened credibility of the firm, rewarding relationships with professionals in other areas of expertise, increased value creation for clients

  20. Questions and comments can be forwarded to Asif Virani, School of Accounting and Finance, University of Waterloo, Waterloo, ON, Canada