IT/IS Auditor Training

Discussion in 'IT and Computer-Related Degrees' started by BigFish, Aug 7, 2006.

  1. BigFish

    BigFish New Member

    Hello Forum,

    I am a system specialist (support, administration, & implementation) working towards a career in information assurance.

    I just completed Norwich University's Master of Science in Information Assurance (a great program!)

    Although I am currently studying for the CISSP exam (in fact Shon Harris's book is on my desk staring up at me) I hold no certification.

    I work for a very large organization that places a great deal of trust in certifications; consequently, I have not been able to land an interview with the IT Audit departments despite my MSIA.

    Aside from taking the CISA certification exam (difficult to do with limited knowledge) does anyone know of a program dedicated to teaching the fundamentals of IT/IS Auditing?


    -BigFish
     
  2. scubasteveiu

    scubasteveiu New Member

    BigFish,
    I wish I had something to offer you.

    Have you worked in security before? I ask because you talk about Shon's CISSP book. You and I get 2 of the 4-year CISSP requirement taken off, right off the bat (due to the degree). If you don't, are you going to do the associate program?

    Also, what did you think of Dr. Kabay?

    Did you wrap any of your course deliverables into risk / audit? It might have been a good way to get in the door with your risk dept.

    Looks like taking the CISA might be the ticket. In fact, it might get you more than the CISSP (pure infosec mgmt cert).

    Might want to take a look at the "model" universities -
    http://www.isaca.org/Content/NavigationMenu/Students_and_Educators/Model_Curriculum/Programs_in_Alignment/Audit_Programs_Currently_in_Alignment_with_the_Model_Curriculum.htm

    I will dig around some more tonight.

    Also, I think I know your situation. A master's from a good program and you cannot get into the department within your own company.

    Job? Need experience. Hmm.
    Certs? Need experience.

    I started doing free security work / consulting for non-profits and the community. . . why? - Because I love security, enjoy improving my skills, and helping others.

    - Steve
     
  3. foobar

    foobar Member

    For someone in your shoes, I would recommend looking for an "internal auditing" course, typically offered by an accounting department, to get the fundamentals of auditing and then take the CISA exam.

    Assuming that you are familiar with database and networking technology, and systems development methods, the internal auditing course should provide 90% of what you are missing to pass the exam. With your background, much of an IT auditing course would be duplicative.

    Make sure that it's "internal" auditing. The standard auditing course offered in most accounting programs emphasizes the auditing of financial statements with limited coverage of IT.

    I'm a CISA - pm me if you have more questions.

    edited to add: Thanks for the question - this post makes me a senior member!
     
  4. geoffs

    geoffs Member

    Re: Re: IT/IS Auditor Training

    A bigger challenge is getting work in this field. I have a degree in Computer Science and I am a lic. accountant but since I have never worked as an IT auditor I can't work in that field. It's very tough to break into unless you are under 25!
     
  5. foobar

    foobar Member

    Re: Re: Re: IT/IS Auditor Training

    I think you'd have a much better chance of breaking in if you took and passed the CISA exam.
     
  6. mrbean72

    mrbean72 New Member

    Other Good Certifications

    I agree with the previous posts about passing the CISSP & CISA exams. If you pass these exams even without the necessary work experience, you will prove to your employer that you will attain these certifications once your work experience requirement is done. In some ways, this is better than getting the work experience first and then worrying about whether you will pass the exams.

    Here are two other related certifications that are also well regarded:

    Certified Internal Auditor (CIA)

    http://www.theiia.org/index.cfm?doc_id=12

    - this certification is primarily for internal auditors and other professionals who design, implement and test internal controls
    - as information systems are the backbone of financial and operational systems, most auditing (internal or external) involves some form of IT/IS auditing
    - this area is very hot right now because of SOX legislation

    Certified Fraud Examiner (CFE)

    http://www.acfe.com/Membership/become.asp

    - while this certification is primarily geared toward the detection and quantification of fraud, it is still relevant for IT/IS auditing as most evidence in fraud cases is now electronic in nature
    - the ability to properly deal with electronic evidence is crucial for fraud cases, as this evidence could become part of a court case

    I hope this is helpful. Good luck!

    Michael Weedon, CA
     
