Tag Archives: CISA

CISM vs CISSP

A reader recently asked me about the CISM versus the CISSP. Specifically, he asked, “How hard is the CISM for someone who passed the CISSP?”

Having earned both certs (and a few more besides), and having written study guides for both, I felt qualified to help this individual. My answer follows.

CISM is much heavier on security management and risk management than CISSP. You’ll have to study these topics, and the business side of information security.  To paint with a broad brush, you could say that CISM is for CISO’s while CISSP is for security engineers. That, in essence, is the distinction.

Oh and there’s a great study guide out for the CISM: https://www.amazon.com/Certified-Information-Security-Manager-Guide-ebook/dp/B079Z1J87M

I passed my CISSP almost 20 years ago while I was still a hands-on technologist.  I studied for my CISA two years later. I learned through my ISACA CISA study materials (provided by my employer) that ISACA has a vastly different vocabulary for infosec than does (ISC)2.  Think of it as a business perspective versus an engineering perspective.  Both are right, both are valid, both are highly valued in the employment market.  But they are different.  Master both, and you’ll be a rare treasure.


Study guides for CISSP:

CISSP For Dummies

CISSP Guide to Security Essentials

Study guides for CISM:

CISM All-In-One Exam Guide

 

 

Advertisements

Hard copy vs online verification

Today, in an online forum, someone asked why ISACA still uses paper based certification applications instead of moving to online verification. The person argued that other organizations had gone to an online verification system.

My response:

I can understand why this is still a paper-based process. Moving it online would provide many opportunities for fraud. While I believe that 99.9% of CISA/CRISC/CISM applicants are honest, a purely online system would provide an easier opportunity for someone lacking the necessary background or experience to fabricate it – including verifiers. How could you prove that the verifiers are genuine?

Maybe, someday, if we ever get to a reliable online identity system that provides a solid tie between a real person and an online identity, I think that ISACA should stick with the paper model.

I am sure that ISACA has had this discussion, and will continue to have it from time to time.

Which security certification should you earn next?

A reader who recently received his CISA certification asked, “Which certification should I earn next: CEH or CRISC?”

I see this question a lot, so I’d like to answer this in two different ways.

Sometimes when someone asks which certification they should earn next, sometimes I wonder if that person is asking others to choose their career direction for them.

In this case, the person wants to know whether CRISC or CEH is the right direction. If this person were asking me personally, I would respond with these questions: what aspects of information security interest you? For which aspects do you have good aptitude? What kind of information security job do you want to be doing in five years?

In the case of CEH and CRISC, these two certifications could not be more different from each other. One is a hands-on certification that has to do with breaking into systems (and helping to prevent adversaries from doing same), and the other has to do with risk management, which is decidedly hands-off.

Now for my second answer: you choose. Both are well respected certifications. Which one aligns with your career aspirations?

Another thing – for anyone who is just trying to figure out the next cert to add after their name – stop asking that question and do some other things first.

1. Assess your experience.
2. Figure out where your experience can help you go next.
3. Determine your aptitudes. Meaning: what are your talents.
4. Decide what you want to be doing in five years, ten years.
5. Only after you have answered 1-4 can you then think about certifications. They should reflect your knowledge and experience.

Knowledge and experience come first. Certifications are a reflection of your knowledge and experience, not a forecast of future events.

– from my posting to the CISA Forum

Classification of data center reliability

The Telecommunications Industry Association (TIA) released the TIA-942 Telecommunications Infrastructure Standards for Data Centers standard in 2005. The standard describes various aspects of data center design, including reliability. The standard describes four levels of reliability:

  • Tier I – Basic ReliabilityPower and cooling distribution are in a single path. There may or may not be a raised floor, UPS, or generator. All maintenance requires downtime.
  • Tier II – Redundant ComponentsPower is in a single path; there may be redundant components for cooling. Includes raised floor, UPS, and generator. Most maintenance requires downtime.
  • Tier III – Concurrently MaintainableIncludes multiple power and cooling paths, but with only one path active. Includes sufficient capacity to carry power and cooling load on one path while performing maintenance on the other path. Includes raised floor, UPS, and generator.
  • Tier IV – Fault TolerantIncludes multiple active power and cooling distribution paths. Includes redundant components, including UPS and generator. Includes raised floor.
Excerpt from CISA All-In-One Study Guide, 2nd edition

Certification and Experience: Putting the Cart Before the Horse

Bookmark This (opens in new window)

When I earned my CISSP in 2000, and my CISA in 2002, I desired to earn these certifications as a way of demonstrating the knowledge and experience that I had already accumulated. To me, these certifications are a visible symbol of my professional qualifications in the professional community.

In recent years, I have seen many people who do not have the knowledge or the experience, and they desire to earn these certifications so that they may be better qualified for positions where they can earn the knowledge and experience that these certifications require.

These people have it backwards. They are showing impatience: they want the positions that require experience, but they do not yet have it. They ask, now that I have my CISSP (or CISA or CISM), how can I now get security specialist, security manager, security auditor, or other positions? And they wonder why they have difficulty finding these jobs that require CISSP, CISA, or CISM certification.

What I believe they fail to understand is that they do not have the required experience.

The correct path for professional certification and experience is this: acquire the knowledge and the experience, and then earn the certification. This is the method expected by employers, professionals, and the organizations that develop and manage these certifications.

Would you go to a doctor who had his license to practice but did not yet have the required experience? Of course not, and likewise employers do not hire candidates based only on their certifications. Instead, employers hire based upon knowledge, experience, and particular skills.

I believe that many of these aspiring certification candidates are being led astray by training organizations who are implicitly (if not explicitly) fostering the expectation that one can earn a certification based on a short training course alone, as though it is a “shortcut” to positions with greater responsibility, expectations, and compensation.

To IT professionals who want to get ahead and earn certifications: good for you! I wish you well! However, do know that you need to accumulate years of work experience first – then earning those certifications will be relatively easy, and you will have greater satisfaction through knowing that you have rightfully earned your certification, not only because you were able to pass a certification exam, but also because you have the experience that goes with it.

CISA study group

CISM study group

CISSP study group

CRISC study group

CISA All-In-One Exam Guide published

Bookmark This (opens in new window)

The CISA Certified Information Systems Auditor All-In-One Exam Guide, published by Osborne McGraw-Hill, is now available in bookstores and from online merchants.

CoverFront200xWritten by Peter H. Gregory, this book is largest and most complete study guide available for the CISA (Certified Information Systems Auditor) professional certification.  Prior to Osborne McGraw-Hill’s decision to publish this book, the other study guides that were available are shorter and contain less detail. This difference is key for IT professionals who are studying for the CISA certification, which places high demands on the exam taker to be able to recall many details and specifications about information technology, key business processes, and IT auditing.

Despite its title, CISA Certified Information Systems Audit All-In-One Exam Guide is structured and designed to also be a desk reference for early- and mid-career security auditors and security specialists who need a reliable, easily-consumed reference guide for key information technologies and IT auditing practices.  The book contains two chapters that go beyond the CISA study material and include lengthy discussions of professional IT auditing and security and governance frameworks.

“The availability of this study guide represents a big step forward for IT professionals who are studying for the CISA exam and those who have IT security and audit responsibilities,” states Peter H. Gregory. “The IT industry has waited a long time for an All-In-One guide for this popular certification,” he adds, citing the enormous popularity of the CISSP All-In-One Study Guide that is written by Shon Harris and considered the best CISSP guide available.

About Peter H. Gregory

Peter Gregory, CISA, CISSP, DRCE is the author of twenty books on security and technology and has been a technical editor for twenty additional books on security and technology. He has over 25 years of experience in virtually every role in Business IT departments, including work in government, banking, non-profit, telecommunications and on-demand financial software businesses.

Gregory is on the board of advisors and the lead instructor for the University of Washington certificate program in information security, and a lecturer at the NSA-certified University of Washington Certificate Program in Information Assurance & Cybersecurity. He is also on the Board of Directors for the Evergreen State Chapter of InfraGard, and the Executive Steering Board for the SecureWorld Expo Conference in Seattle. A founding member of the Pacific CISO Forum, Mr. Gregory is a graduate of the FBI Citizens’ Academy and active in the FBI Citizens’ Academy Alumni Association.

About ISACA®

With more than 86,000 constituents in more than 160 countries, ISACA® (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems assurance and security, enterprise governance of IT, and IT-related risk and compliance. Founded in 1969, ISACA sponsors international conferences, publishes the ISACA® Journal, and develops international information systems auditing and control standards. It also administers the globally respected Certified Information Systems Auditor™ (CISA®), Certified Information Security Manager® (CISM®) and Certified in the Governance of Enterprise IT® (CGEIT®) designations.

ISACA developed and continually updates the COBIT®, Val IT™ and Risk IT frameworks, which help IT professionals and enterprise leaders fulfill their IT governance responsibilities and deliver value to the business.

CISA Certified Information Systems Auditor All-In-One Study Guide by Peter H. Gregory; McGraw-Hill; October 2009; Hardback; $79.99; 10: 0071487557; 13: 978-0071487559

“All-in-One is All You Need.”

Auditors’ preferences for controls

Bookmark This (opens in new window)

Auditors and security professionals usually prefer preventive controls over detective controls because they actually block unwanted events and prefer detective controls to deterrent controls because detective controls record events while deterrent controls do not. However, there are often circumstances where cost, resource, or technical limitations force an organization to accept a detective control when it would prefer a preventive one. For example, there is no practical way to build a control that would prevent criminals from entering a bank, but a detective control (security cameras) would record anything they did.

Excerpt from CISA Certified Information Systems Auditor All-In-One Study Guide