Monday, September 10, 2007

Why to CISA?

Yesterday I received a letter from ISACA. They reminded me that I passed the CISA (Certified Information Systems Auditor) exam in 2005 and that the deadline for certification is December 2010. Why didn't I complete the certification process? Well, the answer is: I don't need the certificate right now. It is enough for the employer to know that I have passed the CISA exam.


So why do we need this certification at all? Why do we need to pass the CISA exam?
As for me, this exam helped me receive offers from two of the Big 4 companies, only on the strength of having passed the CISA exam, without the certification. Maybe it was just an exception to the rule, but that is not the main point.

Above all, CISA gives us the opportunity to demonstrate our level of competence: it means that your knowledge complies with the general requirements set by ISACA.

What are these requirements?
  • general knowledge of audit process;
  • general knowledge of risk assessment process;
  • general knowledge of information technology matters;
  • "right" common sense (by this I mean the point of view of the ISACA association).
So what do we have here? General knowledge + common sense will help us solve most IT audit problems. :)

You still have the chance to join our "right" common sense club. The next exam date is 8 December, and the final registration deadline is 26 September.

If you have any questions regarding the CISA exam, please leave comments. We can share our experience and discuss it.

Sunday, September 2, 2007

Basic IT KPI development tutorial

This time I want to share my experience of Key Performance Indicator (KPI) development in the IT area.

For instance, we have a procedure stating that all user accounts in the domain must be disabled after an employee's dismissal. The employee must have the departure clearance signed off by the system administrator, who locks or deletes that employee's user accounts. Our task is to implement a KPI that will show us how well this function is performed.

Let's suppose that as an IT auditor (IS security specialist) you perform a monthly review of all domain accounts. You request the list of people actually working and compare it with the list of existing domain accounts. After that you know the number of accounts that should have been blocked/deleted but were not. But how do you express this in numbers? How do you evaluate the scale of the problem? These questions can be answered by implementing a simple key performance indicator.

In our case we should take the number of dismissed employees and compare it with the number of accounts actually disabled. Expressed as a percentage, we get the following numbers:

  • Not disabled accounts - 10
  • Dismissed employees - 15
  • KPI - 100 - 10 * 100 / 15 = ~33%

This shows us that only 33% of dismissed employees' accounts are blocked. But an effective KPI should be 100%. That is why we should give recommendations not only to disable the residual user accounts of dismissed employees, but also on how to improve our process of user account administration.
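The monthly review and the KPI described above, as an added example that is not part of the original post. The roster and account list are constructed sample data chosen to reproduce the post's figures (15 dismissed, 10 not disabled); the `Account` type, the `svc_backup` orphan account and the `unknown_accounts` check are assumptions of the example, and the orphan check goes slightly beyond the post by also flagging enabled accounts that appear on neither list.

```python
"""Monthly review of domain accounts against the HR roster, with the KPI from the post.

All data below is constructed for this example; a real review would take the
roster from HR and the account list from the directory (e.g. an AD export)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    logon: str      # domain logon name
    enabled: bool   # True if the account can still log on


# Constructed sample data matching the post's figures: 15 dismissed employees,
# 10 of whom still have enabled accounts (user01..user10); user11..user15 were disabled.
ACTIVE_STAFF = {"alice", "bob"}
DISMISSED = [f"user{i:02d}" for i in range(1, 16)]
DOMAIN_ACCOUNTS = (
    [Account("alice", True), Account("bob", True)]
    + [Account(f"user{i:02d}", enabled=(i <= 10)) for i in range(1, 16)]
    + [Account("svc_backup", True)]  # hypothetical account on no roster at all
)


def residual_accounts(accounts, dismissed):
    """Accounts of dismissed employees that are still enabled: the finding list."""
    dismissed = set(dismissed)
    return sorted(a.logon for a in accounts if a.logon in dismissed and a.enabled)


def unknown_accounts(accounts, active, dismissed):
    """Enabled accounts that belong to nobody on either list (going beyond the post:
    such orphans also need an owner before the review can be called complete)."""
    known = set(active) | set(dismissed)
    return sorted(a.logon for a in accounts if a.enabled and a.logon not in known)


def kpi_percent(accounts, dismissed):
    """KPI exactly as the post defines it: 100 - not_disabled * 100 / dismissed."""
    n_dismissed = len(set(dismissed))
    if n_dismissed == 0:
        return 100.0  # nothing to disable this month, so nothing was missed
    not_disabled = len(residual_accounts(accounts, dismissed))
    return round(100 - not_disabled * 100 / n_dismissed, 1)


if __name__ == "__main__":
    print("residual:", residual_accounts(DOMAIN_ACCOUNTS, DISMISSED))
    print("unknown: ", unknown_accounts(DOMAIN_ACCOUNTS, ACTIVE_STAFF, DISMISSED))
    print(f"KPI: {kpi_percent(DOMAIN_ACCOUNTS, DISMISSED)}%")  # KPI: 33.3%
```

Running the same script each month and keeping the returned KPI values gives the history the post asks for in the next step.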

Then we need to gather history over some months of reviews. It will help us follow up on how effective our recommendations were and plan our further steps.

It could also be very useful for evaluating the efficiency of our employees' work. But that is another story.

What do you think about it? Please do not hesitate to leave comments on this article!