There are many certifications on the market, from property appraisal to information security, and even within a single subject there are many derivatives such as penetration testing or hacking certifications. Some certifications are considered good and the industry sees them as valuable. Others are not.
The American College of Forensic Examiners Institute (ACFEI) maintains the Certified Homeland Security (CHS) credential. The CHS is another kind of certification you can apply for. But does anyone know the real purpose of this certification?
Basically, there are two types of certification you can apply for in the homeland security space.
The CISA examination is one of the most recognized certifications in the area of information systems audit. The exam consists of 200 multiple-choice questions with no penalty for wrong answers, so when you are stuck you can still guess. It is vendor neutral, so you do not have to memorize a lot of vendor-specific terms and definitions.
Out there you can find a lot of reading material, sample questions and answers, and brain dumps. But based on my experience, that material only makes you confused. I suggest:
1. Don't read a lot of resources; just focus on the CISA Review Manual (CRM)
This book is a must-have for everyone who wants to pass the exam. The CRM already covers all the basic concepts of the exam. Do not read other books unless you really understand the whole CRM. Don't even try, because it will only confuse you.
2. Don't analyze confusing concepts too deeply
CISA has a lot of gray areas that are sometimes confusing to understand. You don't have to worry about how a segregation of duties matrix will affect your exam. Just keep reading and gain understanding in the easier areas. You only need to reach the passing mark (a scaled score, not a percentile; historically 75 on a 1 to 100 scale), not a perfect score. Don't spend too much energy on confusing concepts.
1. During an implementation review of a multiuser distributed application, the IS auditor finds minor weaknesses in three areas: the initial setting of parameters is improperly installed, weak passwords are being used, and some vital reports are not being checked properly. While preparing the audit report, the IS auditor should:
A. record the observations separately with the impact of each of them marked against each respective finding.
B. advise the manager of probable risks without recording the observations, as the control weaknesses are minor ones.
C. record the observations and the risk arising from the collective weaknesses.
D. apprise the departmental heads concerned with each observation and properly document it in the report.
Answer: C. Individually the weaknesses are minor; however, together they have the potential to substantially weaken the overall control structure. Choices A and D reflect a failure on the part of the IS auditor to recognize the combined effect of the control weaknesses. Advising the local manager without reporting the facts and observations (choice B) would conceal the findings from other stakeholders.
2. During a security audit of IT processes, an IS auditor found that there were no documented security procedures. The IS auditor should:
A. create the procedures document.
B. terminate the audit.
C. conduct compliance testing.
D. identify and evaluate existing practices.
Answer: D. One of the main objectives of an audit is to identify potential risks; therefore, the most proactive approach is to identify and evaluate the existing security practices being followed by the organization. An IS auditor should not prepare the documentation, and if they did, their independence could be jeopardized. Terminating the audit may prevent achieving one of the basic audit objectives, i.e., identification of potential risks. Since there are no documented procedures, there is no basis against which to test compliance.
This article was written by A. Rafeq, President, and Shirish S. Deshpande. I found the article really useful. The original article is longer than this, but I simplified it to the most important points based on my experience, and here is the effective approach to the CISA exam.
Objective of the CISA Exam
The CISA exam consists of 200 questions from 7 domains, as detailed in the Candidate's Guide to the CISA Exam. The CISA exam tests the minimum level of competence for conducting information systems audits.
Understanding of IT
CISA Candidates are expected
Certified Information Systems Security Professional (CISSP) is an independent information security certification governed by the International Information Systems Security Certification Consortium (commonly known as (ISC)²).
The CISSP curriculum covers subject matter in a variety of information security topics. The CISSP examination is based on what (ISC)² terms the Common Body of Knowledge (CBK). According to (ISC)², "the CISSP CBK is a taxonomy -- a collection of topics relevant to information security professionals around the world. The CISSP CBK establishes a common framework of information security terms and principles that allow information security professionals worldwide to discuss, debate and resolve matters pertaining to the profession with a common understanding."
Certified Information Systems Auditor (CISA) is an audit professional certification sponsored by the Information Systems Audit and Control Association (ISACA). Candidates for the certification must meet requirements set by ISACA.
The CISA certification was established in 1978 for several reasons:
1. Develop and maintain a tool that could be used to evaluate an individual's competency in conducting information systems audits.
2. Provide a motivational tool for information systems auditors to maintain their skills, and monitor the success of the maintenance programs.
3. Provide criteria to aid management in the selection and development of personnel.
ITIL certifications are managed by the ITIL Certification Management Board (ICMB), which is composed of the OGC, the IT Service Management Forum (itSMF) International and two examination institutes: EXIN (based in the Netherlands) and ISEB (based in the UK).
EXIN and ISEB administer exams and award qualifications at Foundation, Practitioner and Manager/Masters level, currently in 'ITIL Service Management', 'ITIL Application Management' and 'ICT Infrastructure Management' respectively.
A voluntary registry of ITIL-certified practitioners is operated by the ITIL Certification Register.
Organizations or management systems cannot be certified as "ITIL-compliant". However, an organization that has implemented ITIL guidance in ITSM may be able to achieve compliance with, and seek certification under, ISO/IEC 20000.