ISACA certification programme 2010

Information security - the appropriate certificates as a key to

9th Regional Conference on Information Security and Storage Systems: Information Security Melting Point

Zdravko Stoychev, CISM, ISACA – Sofia Certification Director

October 7, 2010 - Sofia

Transcript of ISACA certification programme 2010

Page 1: ISACA certification programme 2010

Information security - the appropriate certificates as a key to

9th Regional Conference on Information Security and Storage Systems

Information Security Melting Point

Zdravko Stoychev, CISM

ISACA – Sofia Certification Director

October 7, 2010 - Sofia

Page 2: ISACA certification programme 2010

Objectives

ISACA

CISA and CISM Certificates

CGEIT Certificate

ISACA Certification Process

Newest CRISC Certificate

Page 3: ISACA certification programme 2010

www.isaca.org

Page 4: ISACA certification programme 2010

ISACA Facts

• Founded in 1969 as the EDP Auditors Association

• Formed affiliated IT Governance Institute (ITGI)

• COBIT, Val IT and Risk IT governance frameworks

• 95,000 individuals are currently members of ISACA

• 187 chapters in over 75 countries worldwide

• Members live and work in more than 160 countries

Page 5: ISACA certification programme 2010

ISACA – Sofia Chapter

• Established 2006 in Sofia

• 80 members (as of Sep 30, 2010): CISA - 41, CISM - 11, CGEIT - 6, CRISC - 0

• Sofia Chapter activities and events

• www.isaca-sofia.org

Page 6: ISACA certification programme 2010

www.isaca.org/cisa

Page 7: ISACA certification programme 2010

CISA Certification Facts

• More than 75,000 CISAs worldwide since 1978

• A 2007 survey of ISACA members revealed that 89% of CISAs value their certification, and 72% of CISAs believe that the CISA certification has helped advance their career

• Who might be interested in obtaining it

Page 8: ISACA certification programme 2010

CISA in the Workplace

• Almost 2,400 are now employed in organizations as the CEO, CFO or equivalent executive position

• More than 2,000 serve as chief audit executives (CAEs), audit partners or audit heads

• Nearly 6,000 serve as CIOs, CISOs, security directors, security managers or consultants

• More than 10,500 serve as audit directors, managers or consultants

• More than 15,400 are employed in managerial or consulting positions in IT operations or compliance

• More than 14,400 auditors (IS/IT and non-IS/IT)

Page 10: ISACA certification programme 2010

CISAs by Area

• North America: 46%

• Asia/Mid-East: 27%

• Europe/Africa: 22%

• Central/South America: 3%

• Oceania: 2%

Page 11: ISACA certification programme 2010

www.isaca.org/cism

Page 12: ISACA certification programme 2010

CISM Certification Facts

• More than 13,000 CISMs worldwide since 2002

• Designed exclusively for individuals who design, implement and manage an enterprise’s information security program:

– Security managers

– Security directors

– Security officers

– Security consultants

– Security auditors

Page 13: ISACA certification programme 2010

CISM Uniqueness

• What makes CISM unique?

– Designed exclusively for information security managers

– Criteria and exam developed from a job practice analysis validated by information security managers

– Experience requirement includes information security management

Page 15: ISACA certification programme 2010

CISMs by Job Title

• IS Security: 39%

• Executive Level: 17.4%

• IT Directors, Managers, Consultants: 16.2%

• IS/IT Audit: 13%

• Compliance & Risk: 10%

• Other: 4.4%

Page 16: ISACA certification programme 2010

www.isaca.org/cgeit

Page 17: ISACA certification programme 2010

CGEIT: Who for?

• More than 4,000 CGEITs worldwide since 2007

• The certification is intended to recognize professionals who wish to be acknowledged for their IT governance-related experience and knowledge

• Designed for professionals who have management, advisory, or assurance responsibilities as defined by the CGEIT Job Practice areas

Page 18: ISACA certification programme 2010

CGEIT Benefits

• Individual - Recognizes professional knowledge and competencies; skill-sets; abilities and experiences

• Enterprise - Supports through the demonstration of a visible commitment to excellence in IT governance practices

• Profession - Supports those that provide IT governance management, advisory or assurance direction and strategy

• Business - Increases the awareness of IT governance good practices and issues

Page 20: ISACA certification programme 2010

CGEIT Domains

• IT Governance Framework: Develop, or be part of the development of, an IT governance framework

• Strategic Alignment: Develop, or be part of the development of, an enterprise’s IT strategy

• Value Delivery: Develop, or be part of the development of, a systematic, analytical and continuous value governance process

Page 21: ISACA certification programme 2010

CGEIT Domains

• Risk Management: Develop, enhance and maintain a systematic, analytical and continuous risk management process across the enterprise

• Resource Management: Develop, or assist in the development of, systematic and continuous resource planning, management and evaluation processes

• Performance Measurement: Develop, or assist in the development of, systematic and continuous performance management and evaluation processes

Page 22: ISACA certification programme 2010

CGEITs by Job Title

• IT Directors, Managers and Consultants: 24%

• Executive Level: 23%

• IS/IT Audit: 22%

• IS Security Professionals: 14%

• Compliance and Risk: 12%

• Other: 5%

Page 23: ISACA certification programme 2010

CERTIFICATION

Page 24: ISACA certification programme 2010

ISACA Certification Requirements

• Earn a passing score on the Exam

• Submit verified evidence of the minimum professional experience (experience substitutions available)

• Submit the application and receive approval

• Adhere to the ISACA Code of Professional Ethics

• Abide by IS Auditing Standards as adopted by ISACA (does not apply for CISM)

• Comply with Continuing Professional Education Policy

Page 25: ISACA certification programme 2010

Administration of the Exam

• 2010 Exam Dates:

– Saturday, 12 June 2010

– Saturday, 11 December 2010

• More than 240 test sites offered for each exam administration

• Sofia test-site available since 2003

• Passing mark of 450 on a common scale of 200 to 800

Page 26: ISACA certification programme 2010

2010 Registration Fees

• Registration fees:

– ISACA Member: $465

– Non-ISACA Member: $595

– Early registration rebate: -$50 (on or before Feb 10, 2010)

– Final Registration Deadline: Oct 6, 2010

• Online Registration: www.isaca.org/examreg

Page 27: ISACA certification programme 2010

Exam Questions

• The CISA and CISM exams each consist of 200 multiple choice questions administered over a four-hour period

• The CGEIT exam consists of 120 multiple choice questions administered over a four-hour period

• Questions are designed to test practical knowledge and experience

• Questions require the candidate to choose one best answer

• Every question or statement has four options (answer choices)

Page 28: ISACA certification programme 2010

Continuing Education Requirements

Certification is granted annually to those who:

• Report a minimum of 20 hours of continuing professional education each year

• Report a minimum of 120 hours of continuing education for each fixed three-year period

• Pay the continuing education maintenance fee

• Respond and submit the required documentation of continuing education activities if selected for an annual audit

• Comply with the ISACA Code of Professional Ethics

Page 29: ISACA certification programme 2010

www.isaca.org/crisc

Page 30: ISACA certification programme 2010

CRISC: Who for?

• Certified in Risk and Information Systems Control (CRISC) is the newest addition to the portfolio of recognized ISACA certifications, launched by ISACA in 2010

• CRISC serves IT and business professionals who identify and manage risks through the development and implementation of appropriate IS controls, and who comply with the regulations that affect IS, in order to help enterprises accomplish business objectives

• Designed for professionals who are engaged at an operational level to mitigate risk as defined by the CRISC Job Practice areas

Page 32: ISACA certification programme 2010

CRISC Domains

• Risk Identification, Assessment and Evaluation: Identify, assess and evaluate risk to enable the execution of the enterprise risk management strategy

• Risk Response: Develop and implement risk responses to ensure that risk issues, opportunities and events are addressed in a cost-effective manner and in line with business objectives

• Risk Monitoring: Monitor risk and communicate information to the relevant stakeholders to ensure the continued effectiveness of the enterprise’s risk management strategy

Page 33: ISACA certification programme 2010

CRISC Domains

• IS Control Design and Implementation: Design and implement IS controls in alignment with the organization’s risk appetite and tolerance levels to support business objectives

• IS Control Monitoring and Maintenance: Monitor and maintain IS controls to ensure they function effectively and efficiently

For a complete view of the job practice domains, task and knowledge statements, visit www.isaca.org/criscjobpractice

Page 35: ISACA certification programme 2010

CRISC Grandfathering

• The grandfathering program enables professionals highly experienced in the CRISC job practice areas to apply for the CRISC certification without taking the exam

• Grandfathering is available 1 April 2010 through 31 March 2011. The first CRISC exam will be administered in 2011

• To download a grandfathering application visit www.isaca.org/criscapp

Page 36: ISACA certification programme 2010

CRISC Grandfathering

Professionals with eight or more years of IT or business experience can earn ISACA’s CRISC designation under its grandfathering program:

– Candidates must provide evidence that six of those eight years include responsibilities related to the CRISC domains

– At least three of those years must include responsibilities for risk identification, assessment, evaluation, response and monitoring

Pay the application fee:

– ISACA Member: $595

– Non-ISACA member: $725

– Early application rebate: -$100 (by 31 October 2010)

Page 37: ISACA certification programme 2010

CRISC Certification

As of 1 September 2010, four months into its rigorous grandfathering program for the Certified in Risk and Information Systems Control (CRISC) designation, ISACA has issued the 1,000th certificate.

Since 1 April 2010, candidates from more than 83 countries have applied for CRISC certification:

– The early-bird deadline for the grandfathering program is 31 October 2010, but

– The program will remain open through March 2011

– The first CRISC exam will be administered in June 2011

Page 38: ISACA certification programme 2010

CRISC Relationship

• While CISA is designed for IT professionals who perform independent reviews of control design and operational effectiveness, CRISC is for IT and business professionals who design, implement and maintain IS controls.

• While CISM is for individuals who manage, design, oversee and/or assess an enterprise’s information security, including the identification and management of information security risks, CRISC is for IT professionals whose roles encompass security, operational and compliance considerations.

• While CGEIT is primarily for IT and business professionals who have a significant management, advisory or assurance role relating to the governance of IT, including risk management, CRISC is intended for IT and business professionals who are engaged at an operational level to mitigate risk.

Page 39: ISACA certification programme 2010

Your Key to Success

Résumés/CVs may list your experience and knowledge, but an ISACA® certification designation after your name proves it.

Page 41: ISACA certification programme 2010

Want to know more?

ISACA and ITGI
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA

Phone: +1.847.660.5660
Fax: +1.847.253.1443
E-mail: [email protected]
Web site: www.isaca.org

ISACA – Sofia Chapter
7A Graf Ignatiev Str.
1000 Sofia
Bulgaria

Phone: +359.88.866.9490

E-mail: [email protected]
Web site: www.isaca-sofia.org

Thank you!