Category Archives: CISA

Hard copy vs online verification

Today, in an online forum, someone asked why ISACA still uses paper based certification applications instead of moving to online verification. The person argued that other organizations had gone to an online verification system.

My response:

I can understand why this is still a paper-based process. Moving it online would provide many opportunities for fraud. While I believe that 99.9% of CISA/CRISC/CISM applicants are honest, a purely online system would provide an easier opportunity for someone lacking the necessary background or experience to fabricate it – including verifiers. How could you prove that the verifiers are genuine?

Maybe, someday, if we ever get to a reliable online identity system that provides a solid tie between a real person and an online identity, I think that ISACA should stick with the paper model.

I am sure that ISACA has had this discussion, and will continue to have it from time to time.

Which security certification should you earn next?

A reader who recently received his CISA certification asked, “Which certification should I earn next: CEH or CRISC?”

I see this question a lot, so I’d like to answer this in two different ways.

Sometimes when someone asks which certification they should earn next, sometimes I wonder if that person is asking others to choose their career direction for them.

In this case, the person wants to know whether CRISC or CEH is the right direction. If this person were asking me personally, I would respond with these questions: what aspects of information security interest you? For which aspects do you have good aptitude? What kind of information security job do you want to be doing in five years?

In the case of CEH and CRISC, these two certifications could not be more different from each other. One is a hands-on certification that has to do with breaking into systems (and helping to prevent adversaries from doing same), and the other has to do with risk management, which is decidedly hands-off.

Now for my second answer: you choose. Both are well respected certifications. Which one aligns with your career aspirations?

Another thing – for anyone who is just trying to figure out the next cert to add after their name – stop asking that question and do some other things first.

1. Assess your experience.
2. Figure out where your experience can help you go next.
3. Determine your aptitudes. Meaning: what are your talents.
4. Decide what you want to be doing in five years, ten years.
5. Only after you have answered 1-4 can you then think about certifications. They should reflect your knowledge and experience.

Knowledge and experience come first. Certifications are a reflection of your knowledge and experience, not a forecast of future events.

- from my posting to the CISA Forum

Classification of data center reliability

The Telecommunications Industry Association (TIA) released the TIA-942 Telecommunications Infrastructure Standards for Data Centers standard in 2005. The standard describes various aspects of data center design, including reliability. The standard describes four levels of reliability:

  • Tier I – Basic ReliabilityPower and cooling distribution are in a single path. There may or may not be a raised floor, UPS, or generator. All maintenance requires downtime.
  • Tier II – Redundant ComponentsPower is in a single path; there may be redundant components for cooling. Includes raised floor, UPS, and generator. Most maintenance requires downtime.
  • Tier III – Concurrently MaintainableIncludes multiple power and cooling paths, but with only one path active. Includes sufficient capacity to carry power and cooling load on one path while performing maintenance on the other path. Includes raised floor, UPS, and generator.
  • Tier IV – Fault TolerantIncludes multiple active power and cooling distribution paths. Includes redundant components, including UPS and generator. Includes raised floor.
Excerpt from CISA All-In-One Study Guide, 2nd edition

Compliance risk, the risk management trump card

Bookmark This (opens in new window)

Organizations that perform risk management are generally aware of the laws, regulations, and standards they are required to follow. For instance, U.S. based banks, brokerages, and insurance companies are required to comply with GLBA (the Gramm Leach Bliley Act), and organizations that store, process, or transmit credit card numbers are required to comply with PCI-DSS (Payment Card Industry Data Security Standard).

GLBA, PCI-DSS, and other regulations often state in specific terms what controls are required in an organization’s IT systems. This brings to light the matter of compliance risk. Sometimes, the risk associated with a specific control (or lack of a control) may be rated as a low risk, either because the probability of a risk event is low, or because the impact of the event is low. However, if a given law, regulation, or standard requires that the control be enacted anyway, then the organization must consider the compliance risk. The risk of non-compliance may result in fines or other sanctions against the organization, which may (or may not) have consequences greater than the actual risk.

The end result of this is that organizations often implement specific security controls because they are required by laws, regulations, or standards – not because their risk analysis would otherwise compel them to.

Excerpt from CISA All-In-One Study Guide, second edition

I’m back, after a year off

Bookmark This (opens in new window)

After teaching the UW Information Systems Security certification course for two years, completing CISSP For Dummies (3rd edition), CISA All-In-One Exam Guide and CISSP Guide to Security Essentials, I was burned out and needed a year off. I didn’t do any public speaking either, which means interrupting an eight year run speaking for SecureWorld Expo in Seattle and other cities. But, I needed time for my family and for me.

Earlier this year we purchased an RV and spent about 40 nights in it all over Washington State, including American River, Whidbey Island, Vasa Resort, Ames Lake, Alder Lake, Riffe Lake, and Kitsap Memorial State Park. We spent much of this time with good friends whose company we enjoy very much.

My wife and I went on several motorcycle rides, although none were overnight trips as I had hoped. Still, we were blessed with great weather and safe riding.

One one particularly nice weekend day, I took a very early morning ride up Mt. Rainier, arriving at Paradise Lodge at around 8am. There was practically no traffic on the way up the mountain – the entire two lane highway was mine.

After writing twenty-two books in ten years, my list of honey-do’s around the house was growing, and I got a lot of things done in this department.

We have also become parents – of four lovely society finches that are the offspring of a mating pair we purchased last year. We also have zebra finches, parakeets, quail, and an african weaver. None of these others have had chicks yet, but we’re still hopeful.

We also had an exchange student from the Czech Republic stay in our home for a year. She arrived in mid August 2009 and returned home in July 2010. This was a great experience for everyone. She was a member of our family and she participated in everything we all do together.

Today I completed the draft manuscript for a book on security technology that will be published in December or January. This was a short project that took just a few weeks.  Today I met with my literary agent to plan the next five years of my writing. My business manager and I are both quite excited about the next few years.

While I took the year off of bookwriting, I was still involved in some other things. I’m a member of the Cloud Security Alliance and contributed to its Security Guidance for Critical Areas of Focus in Cloud Computing V2.1, and am a member of the Cloud Security Alliance Certification Board. I also earned the CRISC (Certified in Risk, Information Security, and Control), a new certification offered by ISACA (Information Systems Audit and Control Association), which I’ve been a member of since 2002.

Certification and Experience: Putting the Cart Before the Horse

Bookmark This (opens in new window)

When I earned my CISSP in 2000, and my CISA in 2002, I desired to earn these certifications as a way of demonstrating the knowledge and experience that I had already accumulated. To me, these certifications are a visible symbol of my professional qualifications in the professional community.

In recent years, I have seen many people who do not have the knowledge or the experience, and they desire to earn these certifications so that they may be better qualified for positions where they can earn the knowledge and experience that these certifications require.

These people have it backwards. They are showing impatience: they want the positions that require experience, but they do not yet have it. They ask, now that I have my CISSP (or CISA or CISM), how can I now get security specialist, security manager, security auditor, or other positions? And they wonder why they have difficulty finding these jobs that require CISSP, CISA, or CISM certification.

What I believe they fail to understand is that they do not have the required experience.

The correct path for professional certification and experience is this: acquire the knowledge and the experience, and then earn the certification. This is the method expected by employers, professionals, and the organizations that develop and manage these certifications.

Would you go to a doctor who had his license to practice but did not yet have the required experience? Of course not, and likewise employers do not hire candidates based only on their certifications. Instead, employers hire based upon knowledge, experience, and particular skills.

I believe that many of these aspiring certification candidates are being led astray by training organizations who are implicitly (if not explicitly) fostering the expectation that one can earn a certification based on a short training course alone, as though it is a “shortcut” to positions with greater responsibility, expectations, and compensation.

To IT professionals who want to get ahead and earn certifications: good for you! I wish you well! However, do know that you need to accumulate years of work experience first – then earning those certifications will be relatively easy, and you will have greater satisfaction through knowing that you have rightfully earned your certification, not only because you were able to pass a certification exam, but also because you have the experience that goes with it.

CISA study group

CISM study group

CISSP study group

CRISC study group

CISA All-In-One Exam Guide published

Bookmark This (opens in new window)

The CISA Certified Information Systems Auditor All-In-One Exam Guide, published by Osborne McGraw-Hill, is now available in bookstores and from online merchants.

CoverFront200xWritten by Peter H. Gregory, this book is largest and most complete study guide available for the CISA (Certified Information Systems Auditor) professional certification.  Prior to Osborne McGraw-Hill’s decision to publish this book, the other study guides that were available are shorter and contain less detail. This difference is key for IT professionals who are studying for the CISA certification, which places high demands on the exam taker to be able to recall many details and specifications about information technology, key business processes, and IT auditing.

Despite its title, CISA Certified Information Systems Audit All-In-One Exam Guide is structured and designed to also be a desk reference for early- and mid-career security auditors and security specialists who need a reliable, easily-consumed reference guide for key information technologies and IT auditing practices.  The book contains two chapters that go beyond the CISA study material and include lengthy discussions of professional IT auditing and security and governance frameworks.

“The availability of this study guide represents a big step forward for IT professionals who are studying for the CISA exam and those who have IT security and audit responsibilities,” states Peter H. Gregory. “The IT industry has waited a long time for an All-In-One guide for this popular certification,” he adds, citing the enormous popularity of the CISSP All-In-One Study Guide that is written by Shon Harris and considered the best CISSP guide available.

About Peter H. Gregory

Peter Gregory, CISA, CISSP, DRCE is the author of twenty books on security and technology and has been a technical editor for twenty additional books on security and technology. He has over 25 years of experience in virtually every role in Business IT departments, including work in government, banking, non-profit, telecommunications and on-demand financial software businesses.

Gregory is on the board of advisors and the lead instructor for the University of Washington certificate program in information security, and a lecturer at the NSA-certified University of Washington Certificate Program in Information Assurance & Cybersecurity. He is also on the Board of Directors for the Evergreen State Chapter of InfraGard, and the Executive Steering Board for the SecureWorld Expo Conference in Seattle. A founding member of the Pacific CISO Forum, Mr. Gregory is a graduate of the FBI Citizens’ Academy and active in the FBI Citizens’ Academy Alumni Association.

About ISACA®

With more than 86,000 constituents in more than 160 countries, ISACA® (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems assurance and security, enterprise governance of IT, and IT-related risk and compliance. Founded in 1969, ISACA sponsors international conferences, publishes the ISACA® Journal, and develops international information systems auditing and control standards. It also administers the globally respected Certified Information Systems Auditor™ (CISA®), Certified Information Security Manager® (CISM®) and Certified in the Governance of Enterprise IT® (CGEIT®) designations.

ISACA developed and continually updates the COBIT®, Val IT™ and Risk IT frameworks, which help IT professionals and enterprise leaders fulfill their IT governance responsibilities and deliver value to the business.

CISA Certified Information Systems Auditor All-In-One Study Guide by Peter H. Gregory; McGraw-Hill; October 2009; Hardback; $79.99; 10: 0071487557; 13: 978-0071487559

“All-in-One is All You Need.”