Saturday, November 17, 2007

CISA Salary Increase

Want more money for your information security skills? Try getting a professional certification. For all the continuing debate about the real value of IT certification programs, the premiums that companies are willing to pay for certified information security professionals are actually trending upwards.

A report released last week by New Canaan, Conn.-based Foote Partners LLC shows that formally certified security professionals on average are still commanding about 10% to 15% higher salaries than noncertified individuals in comparable roles. The numbers were marginally higher than the premiums offered for certified security professionals six months ago. Among the certification programs commanding the highest premiums were Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM).

In contrast, the premiums being offered for individuals with professional certifications in other IT areas fell by about 2% over the past year, according to the Foote report. The analysis was based on salary data from 33,800 U.S. and Canadian IT professionals.

"Security certifications bucked the overall trend by growing in value from October to April, up an average of 1.7 percent across the entire group of twenty-seven security certifications that we survey," the report said. "This is a very important development, because salaries as well as skills pay for IT security professionals stopped growing and in some cases declined a few years ago following what had been a strong wave of hiring in the wake of Patriot Act, Homeland Security Act, and Sarbanes-Oxley Act legislation," the Foote report said.

That trend has begun reversing itself as demand for qualified security professionals has begun to grow steadily, said David Foote, CEO of Foote Partners, in an interview with Computerworld. High-profile breaches, such as the one at TJX earlier this year, have made company executives increasingly nervous about the impact of security breaches on their customer bases, Foote said. As a result many have begun to ramp up their security efforts, pushing overall demand for qualified security professionals to its highest level since 9/11, he said.

This trend in IT security certifications pay is an indication that, finally, there is something other than government regulation that is driving business leaders to invest more in security, Foote said. "The trend is not being driven by compliance and regulations. It is being driven by people saying customers are demanding more security," from the companies they do business with, Foote said.

Also pushing up the premiums for security certification is a new Department of Defense directive which requires over 100,000 security professionals in certain specific job roles to be certified within a five-year period, Foote said. The directive affects full- or part-time military service members, contractors, or those with privileged access to DOD information systems who are performing information assurance functions.

The two trends are creating a "perfect storm" in terms of pushing up premiums for IT security certifications at a time when other certification programs are commanding lower premiums than they used to, he added.

Via ComputerWorld

Wednesday, November 7, 2007

Information Security in 1984 - A Glance from the Past

The video is an episode of the "Computer Chronicles" program dedicated to information security. It is about the emergence of information security problems in the distant 80's.

Social engineering in action - Office security

The video shows simple rules that should be followed to prevent unauthorized access to company assets, including confidential information.

Monday, October 29, 2007

CISA Exam Scaled Score System

There was a question about the CISA scaled score system.
Here is an excerpt from ISACA's explanation:

"...Beginning with the June 2007 exam administration, exam scores are being reported on a scale from 200-800. This is a change from the 1-100 point scale that was used previously. Regardless of the scoring scale, the overall exam pass/fail results are the same. In other words, no more, or fewer candidates pass or fail the exam under the 200-800 scale scoring as did under the 1-100 scale scoring....

...A scaled score of 450 or higher is required to pass, which represents the minimum consistent standard of knowledge as established by ISACA's CISA Certification Board...."

According to ISACA's job practice areas, the CISA exam is divided into 6 areas:

  • IS Audit Process - 10%

  • IT Governance - 15%

  • Systems and Infrastructure Life Cycle - 16%

  • IT Service Delivery and Support - 14%

  • Protection of Information Assets - 31%

  • Business Continuity and Disaster Recovery - 14%

Each area of the exam is reported on the same 200-800 scale. The percentages above are the share of exam questions drawn from each area, not weights applied to the score; what counts is the overall scaled score, and if it is 450 or higher, you should open a bottle of fizz :)

UPD: I received the following information from the ISACA Certification Department:

"The web site location for the CISA job practice areas that you have looked at is correct. The percentages that are listed there are indicating the percentage of questions in a particular job practice area that are on the exam itself. The percentage of questions in each area is not considered when the exam is scored by us."

Thursday, October 11, 2007

CISA Exam Preparation

Well, this year's registration deadline has passed. Those who registered in time should begin their preparation. Those who decided not to sit this year's exam have the chance to prepare without rushing.

Let me share some experience from my own approach to CISA exam preparation.

First of all, you need to read the latest CISA Review Manual.

Second, you need a question bank. I browsed the ISACA bookstore and found that they have issued a highly interesting product: the CISA Practice Question Database v7 English Edition (web site download). It includes all questions from this year's and the previous year's question books (825 questions). But I should warn you that only a small number of these questions will be included in your CISA exam.

That is why the main purpose of the question bank is to give you confidence that you have mastered the "right common sense" feature (I mentioned this in my previous article).

My approach was very simple. I read the CISA manual step by step and practised each area of the exam with the question bank until I got acceptable results: 95-99% right answers in each area.

Unfortunately I had no time to attend any additional CISA training courses. But if you have the extra time and money, why not? It is a good opportunity to consolidate your knowledge after reading the CISA manual. Another option is to read additional books.
I chose some for you:

CISA Certified Information Systems Auditor All-in-One Exam Guide

CISA Exam Cram 2

CISA: Certified Information Systems Auditor Study Guide

CISA Exam Prep (ACM Press)

Next time I want to discuss the similarities and differences between Internal and External IT Audit.

Please stay in touch; I have decided to publish articles every week. :)

Monday, September 10, 2007

Why to CISA?

Yesterday I received a letter from ISACA. They reminded me that I passed the CISA (Certified Information Systems Auditor) exam in 2005, and that the deadline for certification is December 2010. Why didn't I complete the certification process? Well, the answer is that I don't need the certificate right now. It is enough for the employer to know that I have passed the CISA exam.

So why do we need this certification at all? Why do we need to pass the CISA exam?
For me, this exam helped me receive offers from two of the Big 4 companies, on the strength of having passed the CISA exam alone, without the certification. Maybe it was just an exception to the rule, but that is not the main thing.

Above all, CISA gives us the opportunity to show our level of competence. It means that your knowledge complies with the general requirements set by ISACA.

What are these requirements?
  • general knowledge of audit process;
  • general knowledge of risk assessment process;
  • general knowledge of information technology matters;
  • "right" common sense (by that I mean the point of view of the ISACA association).
So what do we have here? General knowledge + common sense will help us solve most IT Audit problems. :)

You still have the chance to join our "right" common sense club. The next exam date is 8 December, and the final registration deadline is 26 September.

If you have any questions regarding the CISA exam, please leave comments. We can share our experience and discuss it.

Sunday, September 2, 2007

Basic IT KPI development tutorial

This time I want to share my experience of developing Key Performance Indicators (KPIs) in the IT area.

For instance, we have a procedure saying that all domain user accounts must be disabled after an employee's dismissal. The employee's departure clearance should be signed off by the system administrator, who locks or deletes that employee's user accounts. Our task is to implement a KPI that shows how well this function is performed.

Let's suppose that as an IT Auditor (IS security specialist) you perform a monthly review of all domain accounts. You request the list of people actually working and compare it with the list of existing domain accounts. After that you know the number of accounts that should have been blocked or deleted but were not. But how do you express this in numbers? How do you evaluate the scale of the problem? These questions can be answered by implementing a simple key performance indicator.

In our case we take the number of dismissed employees and compare it with the number of accounts actually disabled. Expressed as a percentage, we get the following numbers:

  • Accounts not disabled - 10
  • Dismissed employees - 15
  • KPI = 100 - 10 * 100 / 15 = ~33%

This shows us that accounts were disabled for only 33% of dismissed employees, whereas an effective process should score 100%. That is why we should give recommendations not only to disable the remaining user accounts of dismissed employees, but also on how to improve our user account administration process.
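The monthly review and the KPI above can be scripted so the same numbers come out every month. The following is an added illustration, not code from the original post: it reconciles a constructed HR roster with a constructed list of domain accounts (in practice the roster comes from HR and the account list from the directory), lists the accounts that still need disabling, flags enabled accounts with no HR record at all, and computes the deprovisioning KPI. The sample data reproduces the post's figures of 15 leavers and 10 accounts not yet disabled.

```python
"""Monthly leaver review: reconcile the HR roster with domain accounts and
compute the account-deprovisioning KPI from the post.

Added example with constructed data; nothing here comes from a real directory.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Employee:
    login: str
    dismissed_on: Optional[date]   # None means still employed


@dataclass(frozen=True)
class Account:
    login: str
    enabled: bool


def review_accounts(employees, accounts, review_date):
    """Return (dismissed_logins, still_enabled_logins, unknown_logins).

    dismissed_logins:     employees whose departure date is on or before review_date
    still_enabled_logins: dismissed employees whose domain account is still enabled
    unknown_logins:       enabled accounts with no HR record (worth a separate look)
    """
    dismissed = {e.login for e in employees
                 if e.dismissed_on is not None and e.dismissed_on <= review_date}
    known = {e.login for e in employees}
    enabled = {a.login for a in accounts if a.enabled}
    return sorted(dismissed), sorted(dismissed & enabled), sorted(enabled - known)


def deprovisioning_kpi(dismissed_count, still_enabled_count):
    """Percentage of leavers whose accounts were actually disabled (target: 100)."""
    if dismissed_count == 0:
        return 100.0            # nothing to deprovision this month
    handled = dismissed_count - still_enabled_count
    return round(100.0 * handled / dismissed_count, 1)


# Constructed sample: 15 leavers, 10 of whom still have an enabled account,
# 5 current staff, one employee leaving after the review date, and one
# service account that HR knows nothing about.
REVIEW_DATE = date(2007, 8, 31)
EMPLOYEES = (
    [Employee(f"leaver{i:02d}", date(2007, 7, 1 + i)) for i in range(1, 16)]
    + [Employee(f"staff{i:02d}", None) for i in range(1, 6)]
    + [Employee("future01", date(2007, 9, 15))]
)
ACCOUNTS = (
    [Account(f"leaver{i:02d}", enabled=(i <= 10)) for i in range(1, 16)]
    + [Account(f"staff{i:02d}", enabled=True) for i in range(1, 6)]
    + [Account("future01", enabled=True), Account("svc_backup", enabled=True)]
)


def run_review():
    """Run one monthly review over the sample data and return the findings."""
    dismissed, still_enabled, unknown = review_accounts(EMPLOYEES, ACCOUNTS, REVIEW_DATE)
    return {
        "dismissed": len(dismissed),
        "still_enabled": still_enabled,
        "unknown": unknown,
        "kpi": deprovisioning_kpi(len(dismissed), len(still_enabled)),
    }


if __name__ == "__main__":
    result = run_review()
    print(f"KPI: {result['kpi']}% of {result['dismissed']} leavers deprovisioned")
    print("Disable now:", ", ".join(result["still_enabled"]))
    print("No HR record:", ", ".join(result["unknown"]))
```

Running this once a month and storing the returned KPI gives the history the post goes on to describe; the "unknown" list is not part of the KPI but is exactly the kind of residual account the review should surface.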

Then we need to build up a history over several months of reviews. It will help us follow up on how effective our recommendations were and plan our further steps.

It could also be very useful for evaluating the efficiency of our employees' work. But that is another story.

What do you think about it? Please do not hesitate to leave comments on this article!

Monday, August 20, 2007

Internal Control, Internal Audit and IT Audit

So, let's start with basics.

What is the difference between Internal control and Internal audit, and how does it extend to information technology?

We could say that internal control is the process intended to improve the quality of an organization's business processes, and that the main tasks of internal audit are to provide assurance on the quality of internal controls and to give recommendations on how to improve the existing internal control system.

IT Audit, as part of Internal Audit, acts in a similar way. But if there is no information security unit in the organisation, IT Audit could take on some responsibilities in the information security field, for instance access rights approval or daily checks of the security event logs of financial applications and the underlying operating systems.

The main problem with this approach is the impaired independence of the auditor's opinion on information security controls and the inability to audit these control processes. But even in such a situation IT Audit shouldn't perform any activities involving changes to software settings, telecommunications facilities, etc.

What is better: to have some information security controls without adequate assurance, or to have no information security controls at all? It is up to you, guys.

Thursday, August 16, 2007

IT Audit, Information Security and Internal Control, why do we need to bother?

Why do we need to audit and control all these boring things?
Do people really need somebody who will crack the whip?

Unfortunately, our practice and experience show that this is the case. It is like Murphy's law: if something can be done wrong, it will be done wrong.

The answer to why this happens, if an answer exists at all, lies in the areas of philosophy and psychology. But it is easy to see that even highly motivated people often lack the desire to adhere to all the formalities, which they call bureaucracy.

That is why we IT Auditors and Information Security specialists will always have a job. And it is not only a result of SOX or Basel II or any other local requirements on the management of the IT Audit, Information Security and Information Risk Management functions.

So the main purpose of this blog is to provide you with information on how to fully accomplish your functions and make people believe that they want your recommendations. :)

Do you think it is possible? Let's try together!