ISACA Webcram CISA & CISM. Sean Hanna

Transcription

1 ISACA Webcram CISA & CISM Sean Hanna

2 Sean Hanna GRC & Cyber Warfare Consultant EC-Council Global Security Trainer of the Year 2007, 2008, 2010 and again in 2011 EC Council Circle of Excellence Member 2012 LPT, ECSA, CEH, CHFI, NSA GCIH, GCIA, GSEC, CISSP CISM, CISA, CGEIT, PRINCE2

3 Let Start!

4 CISA & CISM These are NOT that different! They are two sides of the one coin. CISM Is the IS Department Manager Implements & Manages IS/IT GRC CISA Provides the Assurance function on IS/IT GRC Understands and Measures

5 The EXAMs You need to understand that both exams require the SAME basic knowledge: Governance Risk Compliance COBIT ITAF Business Management Tools & Technique Controls

6 The Difference Once you know the common basics Then and only then You can move on to the unique requirements of each exam!

7 Information Security Governance

8 Governance What is Governance? Where does it comes from? Who owns it?

9 Risk What is Risk? Where does it comes from? Who owns it?

10 Compliance What is Compliance? Where does it comes from? Who owns it?

11 Governance, Risk and Compliance GRC make up the responsibilities of the SMT It is the duty of SMT to understand GRC within their environment

12 Information Security GRC Is but one form of GRC No more important No less important Considers the Data, Data Systems and Data Infrastructure And everything that might impact DS&I

13 SMT s Role To ensure the success of the business by Understanding the business requirements Understanding the business goals Understanding the business risks Provide the strategy and direction Provide the sponsorship and budget Provide the oversight and control

14 SMT owns all GRC

15 SMT owns IS GRC

16 A MODEL FOR OWNERSHIP

17 How does SMT own GRC? SMT

18 How does SMT own GRC? Policy SMT

19 How does SMT own GRC? Policy SMT

20 How does SMT own GRC? Policy SMT

21 How does SMT own GRC? Policy SMT Standards

22 How does SMT own GRC? Policy SMT Standards

23 How does SMT own GRC? Policy SMT Standards

24 How does SMT own GRC? Policy SMT Standards Guidelines

25 How does SMT own GRC? Policy SMT Standards Guidelines

26 How does SMT own GRC? Policy SMT Standards Guidelines

27 How does SMT own GRC? Policy Procedures SMT Standards Guidelines

28 How does SMT own GRC? Policy Procedures SMT Standards Guidelines

29 How does SMT own GRC? Policy Procedures SMT Standards Guidelines

30 HOW DO YOU WIN?

31 How do you win? To succeed you must know what success looks like To succeed you must measure success To succeed you must verify your measures

32 How does SMT manage RISK? SMT

33 How does SMT manage RISK? Controls SMT

34 How does SMT manage RISK? Controls SMT

35 How does SMT manage RISK? Controls SMT Audits

36 How does SMT manage RISK? Controls SMT Audits

37 How does SMT manage RISK? Controls SMT Audits Dashboards

38 How does SMT manage RISK? Controls SMT Audits Dashboards

39 How does SMT manage RISK? Controls Assurance SMT Audits Dashboards

40 How does SMT manage RISK? Controls Assurance SMT Audits Dashboards

41 SMT BPR

42 Re-engineering how SMT functions COBIT provides many tools It suggests a simple but effective structure

43 Structure IT Department Functional Business Units IS Steering Programme Management IS Committee Audit Function SMT

44 CISA Audit

45 CISA CISA is all about audit: General audit principles Using a Governance model for business management Managing project risk during development and acquisition Managing operational risk during operation life cycle Understand the vast array of controls

46 CISA Audit is all about assurance Delivering a repeatable, trusted service The Auditor must be: Independent Trustworthy Subject matter expert on processes

47 The CISA Answer Rules Evidence is the bases of all audit results Everything should be based on risk principles The Business always wins Every process needs to be verified CSA and GAS help with reducing workload

48 The CISA Specials You really need to know the tools of the trade Sampling techniques Measuring techniques Reporting techniques Technical details on Controls do come up: Software development methods Software testing methods Audit controls

49 CISM Management

50 CISM CISM is all about Management: Setting up and running a department Using a Governance model for business management Managing project risk during development and acquisition Managing operational risk during operation life cycle BCP, BIA and DRP Understanding the vast array of controls

51 CISM Management is about translating business requirements into measureable results while managing risk in costeffective way Delivering a repeatable, trusted service The Manager must be: A Business leader A subject matter expert Under the whole business and its goals and objectives Be able to influence and deliver results

52 The CISM Answer Rules Strategy is at the heart of a governance led business Everything should be based on risk principles The Business always wins Don t do anything unless it can be measured Your success is all about the audit report

53 The CISM Specials You really need to know the tools of the trade Measuring techniques Reporting techniques Technical details on Controls do come up: Virtually any Control can, and come up!

54 The Exam Day

55 The Exam Day Doors close at 08:30, make sure you re in! You must have government issued, photographic ID Don t take much in to the room with you Wear a jacket/fleece, something you can off and hang on the back of your seat Drink plenty of water before the start Make sure to take a restroom break

56 How to answer the questions Start at the start Work your way through Get to the end Walk out! There s no magic method that will help!

57 One step at a time Take each question as it comes Don t try to pick the right answer Eliminate the 2 wrong answers first Re-read the question and the 2 answers Use the basics prinicpals to help you choose Pick, move on and What ever you do, don t think back! Always move forward.

58 At the end of the exam You will be leaving early Its not really a 4 hour exam Be prepared to not know how you ve done Whatever you do, don t check your answers!! When you re finished, leave

59 How to pass 1.UNDERSTAND 2.LEARN 3.PRACTICE

60 Thank You and good luck!