Certifications Panel, InfoSecBC, May 9, 2014
TRANSCRIPT
CISSP: Rob Slade
[email protected]@vcn.bc.ca
http://victoria.tc.ca/techrev/rms.htm
http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
CISSP domain keywords (as shown on the slide): communications, management, architecture, access control, BCP, physical, applications, telecomm and networking, operations, law and investigation, cryptography
PACC OVERVIEW
• Established in 2002
• Canada's leading organization dedicated to privacy and access in the private and public sectors
• National, non-profit, independent, non-partisan
• Outreach and advancement of awareness about data privacy and access to information in Canada
• Robust professional certification programs based on demonstrable skills, experience and education
CALL FOR ACTION
"The solution requires the professionalization of access personnel, through the establishment of a formal training program and certification standards."
Special Report to Parliament, February 2009
Robert Marleau, Information Commissioner of Canada, 2007-2009
MULTIPLE DISCIPLINES
Domains of knowledge and practice:
• Access to Information knowledge and skills
• Privacy knowledge and skills
• Access and Privacy Management
• Access and Privacy Law
PACC PROFESSIONAL DESIGNATIONS
• Meaningful: based on core competencies consistent with ISO/IEC 17024:2003
• Progressive: from career entry level to Dept. Head / CPO
• Recognizes specialization: Associate and Chartered levels
• Accessible and achievable: full-time or part-time practitioners
• Available and applicable: private sector, public sector and non-profit sector practitioners
PACC PROFESSIONAL DESIGNATIONS (CONTINUED)
Certification requirements:
• knowledge, skill, experience, competence
• references and corroboration
• commitment to the Professional Code of Ethics
• commitment to continuing education and professional development
• PACC membership
WANT TO LEARN MORE?
Sharon Polsky, MAPP, PACC, [email protected]
Eric Lawton, MAPP, Director, Professional [email protected]
Please visit our website or call us toll-free
www.PACC-CCAP.ca
1.877.746.PACC — 1.877.746.7222
EnCE®
• Developed by Guidance Software in 2001 to meet the needs of its customer base
• Demonstrates the ability to use the EnCase® Computer Forensic software and an understanding of computer forensic concepts in general
EnCE®
Advantages:
1. Demonstrates a proven ability to use the software
2. Widely recognized and a requirement for most Computer Forensic jobs
3. No heavy investment in training
4. Relatively inexpensive ($225 USD) with $75 renewal every three years
EnCE®
Disadvantages/Drawbacks:
1. Not vendor-neutral: the credential is tied to one vendor's tool
- Consider (in addition to EnCE®) a vendor-neutral certification such as GCFA (SANS), CCE (ISFCE), or CFCE (IACIS)
Obtaining the EnCE®
• Open to public and private sector
• Application requires 64 hours of Computer Forensic training or 12 months of experience in Computer Forensics
• Two phases: written and practical
• Must score 80% on the written phase and 85% on the practical phase to obtain certification
• Renewal every 3 years, 32 CPE credits
EnCE®
• EFS E-Forensic Services website: http://www.e-forensic.ca/
• Guidance Software® website: http://www.guidancesoftware.com/
• Megan Ritchie, B.Sc., EnCE, CFCE, CISSP, C|[email protected]
ISACA FACTS
• Founded in 1969 as the EDP Auditors Association
• Since 1978, CISA has been a globally accepted standard of competency among IS audit, control, assurance and security professionals.
• More than 115,000 members in over 180 countries
• More than 200 chapters worldwide
ANSI ACCREDITATION
The American National Standards Institute (ANSI) has accredited the CISA certification under ISO/IEC 17024:2003.
Accreditation by ANSI signifies that ISACA’s procedures meet ANSI’s essential requirements for openness, balance, consensus and due process.
WHY BECOME A CISA?
Enhanced Knowledge and Skills
To demonstrate your willingness to improve your technical knowledge and skills
To demonstrate to management your proficiency toward organizational excellence
Career Advancement
To obtain credentials that employers seek
To enhance your professional image
Worldwide Recognition
To be included with the over 100,000 other professionals worldwide who have gained the CISA designation since CISA's inception
CISA IN THE WORKPLACE
• Just over 2,700 are employed in organizations as the CEO, CFO or equivalent executive position.
• More than 2,400 serve as chief audit executives, audit partners or audit heads.
• Over 2,600 serve as CIOs, CISOs, or chief compliance, risk or privacy officers.
• Almost 9,500 are employed as security directors, managers or consultants and related staff.
• More than 14,000 are employed as IT directors, managers, consultants and related staff.
• Over 29,000 serve as audit directors, managers or consultants and auditors (IT and non-IT).
CISA PROGRAM RECOGNITIONS - 2013
Per the Foote Partners study:
• Skills and certifications that gained 10% or more in market value in the calendar quarter ending 1 January 2014 vs. the prior quarter: CGEIT
• IT certifications earning the highest pay premiums (surveyed 1 October 2013 through 1 January 2014): tied for third, CGEIT; tied for fourth, CISM; tied for fifth, CRISC; tied for sixth, CISA
• All four ISACA credentials (CISA, CISM, CGEIT, CRISC) are among the highest-paying IT certifications in the Foote Partners IT Skills and Certifications Pay Index™ for 1 October 2013 to 1 January 2014
Based on the 2014 IT Skills and Salary Survey conducted by Global Knowledge and Penton and completed in October 2013, CISA was identified as the third top paying certification.
SC Magazine selected CISA as a finalist of the 2013 “Best Professional Certification Program” in the Professional Awards category for the third year in a row. CISA was named a finalist by a panel of chief information security officers (CISOs) at major corporations and large public-sector organizations. CISA won the Best Professional Certification Program award in 2009.
CISA JOB PRACTICE AREAS (EFFECTIVE 2011)
Domain 1 – The Process of Auditing Information Systems (14%)
Provide audit services in accordance with IT audit standards to assist the organization in protecting and controlling information systems.
Domain 2 – Governance and Management of IT (14%)
Provide assurance that the necessary leadership and organization structure and processes are in place to achieve objectives and to support the organization's strategy.
Domain 3 – Information Systems Acquisition, Development, and Implementation (19%)
Provide assurance that the practices for the acquisition, development, testing, and implementation of information systems meet the organization’s strategies and objectives.
CISA JOB PRACTICE AREAS (EFFECTIVE 2011, CONTINUED)
Domain 4 – Information Systems Operations, Maintenance and Support (23%)
Provide assurance that the processes for information systems operations, maintenance and support meet the organization's strategies and objectives.
Domain 5 – Protection of Information Assets (30%)
Provide assurance that the organization's security policies, standards, procedures and controls ensure the confidentiality, integrity and availability of information assets.
To view the complete CISA job practice, including task and knowledge statements visit:
www.isaca.org/cisajobpractice
CISA CERTIFICATION REQUIREMENTS
1. Earn a passing score on the CISA Exam
2. Submit verified evidence of a minimum of five years of IS audit, control or security experience (substitutions available)
3. Submit the CISA application (within 5 years of passing date) and receive approval (www.isaca.org/cisaapp)
4. Adhere to the ISACA Code of Professional Ethics
5. Abide by IS Auditing Standards as adopted by ISACA
6. Comply with continuing professional education policy (www.isaca.org/cisacpepolicy)
www.isaca.org/cisarequirements
TYPES OF QUESTIONS ON THE CISA EXAM
CISA Exam consists of 200 multiple choice questions administered over a four-hour session
Questions are designed to test practical knowledge and experience
Questions require the candidate to choose one best answer
Every question or statement has four options (answer choices)
QUALITY OF THE EXAM ENSURED BY
Job Practice Analysis Study: Determines content
Test Development Standards: Ensures high standards for the development and review of questions
Review Process: Provides two reviews of questions by independent committees before acceptance into pool
Periodic Pool Cleaning: Ensures that questions in the pool are up-to-date by continuously reviewing questions
Statistical Analysis of Questions: Ensures quality questions and grading by analyzing exam statistics for each language
HOW TO STUDY FOR THE CISA EXAM
• Read the ISACA Exam Candidate Information Guide for details on exam day administration (www.isaca.org/examguide)
• Visit www.isaca.org/cisaprep for study information
• Study the CISA Review Manual
• Work through the CISA Review Questions, Answers & Explanations Manual, Supplement and CD
• Participate in an ISACA Chapter Review Course
• Read literature in areas where you need to strengthen skills
• Spend time studying the complement of your field: If external auditor, study IS audit from the internal audit perspective and vice-versa
• Join or organize study groups
• Take the ISACA CISA online review course, available at www.isaca.org/elearningcampus
2014 CISA STUDY MATERIALS
Item | ISACA Members | Non-Members
CISA Review Manual 2014 | US $105.00 | US $135.00
CISA Review Questions, Answers & Explanations Manual 2013 | US $100.00 | US $130.00
CISA Review Questions, Answers & Explanations Manual 2014 Supplement | US $40.00 | US $60.00
CISA Practice Question Database V14 | US $185.00 | US $225.00
For a complete listing of materials including product descriptions visit: www.isaca.org/cisabooks
Additional resources to assist in studying for the exam visit: www.isaca.org/examprep
ADMINISTRATION OF THE ISACA EXAMS
2014 Exam Dates:
• Saturday 14 June 2014*
• Saturday 6 September 2014 (CISA and CISM only, at limited sites: www.isaca.org/sept2014sites)
• Saturday 13 December 2014
• The CISA exam is offered in 10 languages* and at over 250 locations worldwide, in every city where there is an ISACA chapter or a large number of individuals interested in sitting for the exam
• Passing mark of 450 on a common scaled score range of 200 to 800
• Exam admission tickets are issued via e-mail and are available for download in the constituent profile approximately 4 weeks prior to the exam date; the admission ticket includes the exam venue address and reporting time
*The CISA exam in German, Hebrew or Italian will be available only at the June 2014 sitting.
2014 REGISTRATION FEES, EXAM: 13 DECEMBER 2014
Early Registration (on or before 20 August 2014):
• ISACA Member: US $420.00
• Non-Member: US $600.00
Final Registration (after 20 August, but on or before 24 October 2014):
• ISACA Member: US $470.00
• Non-Member: US $650.00
Register online at www.isaca.org/examreg and save:
• Online registration via the ISACA web site is encouraged, as candidates save US $75. Non-members can join ISACA at the same time, which maximizes their savings.
• Exam registration fees must be paid in full to sit for the exams. Those whose exam registration fees are not paid will not be sent an exam admission ticket and their registration will be cancelled.
CONTINUING PROFESSIONAL EDUCATION (CPE) REQUIREMENTS
Once certified, the certification must be renewed annually. Maintaining the certification requires:
• Earning and reporting an annual minimum of 20 hours of continuing professional education
• Earning and reporting a minimum of 120 hours of continuing education for each fixed three-year period (each 3-year cycle)
• Paying the annual certification maintenance fee
• Responding to and submitting required documentation of continuing education activities if selected for an annual audit
• Complying with the ISACA Code of Professional Ethics (www.isaca.org/ethics)
ISACA membership provides many CPE opportunities which can assist you with meeting this requirement. For more details visit www.isaca.org/cpe.
CPE policy available at: www.isaca.org/cisacpepolicy
ISACA CODE OF PROFESSIONAL ETHICS
ISACA sets forth this Code of Professional Ethics to guide the professional and personal conduct of members of the association and/or its certification holders. Failure to comply with this Code of Professional Ethics can result in an investigation into a member's or certification holder's conduct and, ultimately, in disciplinary measures.
Members and ISACA certification holders shall:
1. Support the implementation of, and encourage compliance with, appropriate standards and procedures for the effective governance and management of enterprise information systems and technology, including: audit, control, security and risk management.
2. Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards.
3. Serve in the interest of stakeholders in a lawful manner, while maintaining high standards of conduct and character, and not discrediting their profession or the Association.
www.isaca.org/ethics
ISACA CODE OF PROFESSIONAL ETHICS (CONTINUED)
Members and ISACA certification holders shall:
4. Maintain the privacy and confidentiality of information obtained in the course of their activities unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
5. Maintain competency in their respective fields and agree to undertake only those activities they can reasonably expect to complete with the necessary skills, knowledge and competence.
6. Inform appropriate parties of the results of work performed including the disclosure of all significant facts known to them that, if not disclosed, may distort the reporting of the results.
7. Support the professional education of stakeholders in enhancing their understanding of the governance and management of enterprise information systems and technology, including: audit, control, security and risk management.
www.isaca.org/ethics
WANT TO KNOW MORE?
Please contact us at:
ISACA Vancouver Chapter
P.O. Box 48894, Bentall Centre, Vancouver, BC V7X A18
E-mail: [email protected]
Web site: www.isaca-vancouver.org
Today's presenter: Elson Kung ([email protected])
ISACA
3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008 USA
Phone: +1.847.660.5660
Fax: +1.847.253.1443
E-mail: [email protected]
Web site: www.isaca.org
George Pajari, CISSP, CISM, CCSK
@orangehazmat
CISM, Certified Information Security Manager, and related logo are trade marks or registered trade marks of ISACA in the United States and other countries. CSA, Cloud Security Alliance, CCSK, and Certificate of Cloud Security Knowledge are trade marks or registered trade marks of the Cloud Security Alliance in the United States and other countries. CISSP is a registered or registration-pending trademark and certification mark of (ISC)², Inc. All marks are used here for identification purposes only and no affiliation or endorsement is to be implied or construed.
ISACA CISM
• Why studying for a certification is good for you
• What the CISM covers
• How CISSP and CISM differ
• How to ace the exam
• How to get cert wallpaper (CCSK)
Why Studying for a Cert is Good
• Forces you to study the known unknowns
• Helps you discover your unknown unknowns
• Brings discipline and completeness
• Helps provide credibility
✤ A waypoint, not a destination ✤
CISM Scope
• Information Security, not just Information Systems Security
• Management focus
• A 50,000-foot approach
CISM Domains (with the corresponding CISSP domain numbers given on the slide)
1) Information Security Governance (24%): CISSP #3
2) Information Risk Management and Compliance (33%): CISSP #3 & #9
3) Information Security Program Development and Management (25%)
4) Information Security Incident Management (18%): CISSP #7
Preparing for (any) Exam
• know thyself
• make sure you are ready
• view it as a process, not a destination
• lean on your friends
• set a schedule; keep to the plan
Preparing for the CISM Exam
• understand that the ISACA CISM Review Manual is an outline, not a BoK
• build your own glossary
• read reference material (COBIT, COSO, SABSA, NIST)
• get the sample question books
Certificate of Cloud Security Knowledge (CCSK)
Wallpaper
• open book
• unproctored
• 60 questions / 90 minutes
• no CPEs required
CASP
Certificate of Ability to Search PDFs
Orvin Lau
• CISSP
• CISM, CRISC
• ISO 27001 Lead Auditor certification
• QSA (expired)
• CPISM (now defunct)
• SCF
t. +1 (604) 816.3960
e. [email protected]
What is the SCF?
• First of three SABSA certification levels from the SABSA Institute:
1. SCF = SABSA Chartered Architect at Foundation Level: multiple-choice closed-book exam
2. SCP = SABSA Chartered Practitioner: written open-book exam
3. SCM = SABSA Chartered Master: written open-book exam + Master's thesis
What is SABSA?
• Sherwood Applied Business Security Architecture
• Developed by John Sherwood and David Lynas
• Methodology for developing enterprise information security architectures
– Business-driven
– Risk and opportunity focused
What is SABSA? (cont'd)
• A number of integrated frameworks, models, methods and processes
– Traceably support critical business initiatives
Layered Architecture Views
View | Layer
The Business View | Contextual Security Architecture
The Architect's View | Conceptual Security Architecture
The Designer's View | Logical Security Architecture
The Builder's View | Physical Security Architecture
The Tradesman's View | Component Security Architecture
The Service Manager's View | Security Service Management Architecture
SABSA Matrix
Columns: ASSETS (What) | MOTIVATION (Why) | PROCESS (How) | PEOPLE (Who) | LOCATION (Where) | TIME (When). Each layer below lists, per column, the cell title and the cell contents.

Contextual Security Architecture
Column | Cell | Contents
Assets (What) | Business Decisions | Taxonomy of Business Assets, including Goals & Objectives
Motivation (Why) | Business Risk | Opportunities & Threats Inventory
Process (How) | Business Processes | Inventory of Operational Processes
People (Who) | Business Governance | Organisational Structure & the Extended Enterprise
Location (Where) | Business Geography | Inventory of Buildings, Sites, Territories, Jurisdictions, etc.
Time (When) | Business Time Dependence | Time dependencies of business objectives

Conceptual Security Architecture
Column | Cell | Contents
Assets (What) | Business Knowledge & Risk Strategy | Business Attributes Profile
Motivation (Why) | Risk Management Objectives | Enablement & Control Objectives; Policy Architecture
Process (How) | Strategies for Process Assurance | Process Mapping Framework; Architectural Strategies for ICT
People (Who) | Roles & Responsibilities | Owners, Custodians and Users; Service Providers & Customers
Location (Where) | Domain Framework | Security Domain Concepts & Framework
Time (When) | Time Management Framework | Through-Life Risk Management Framework

Logical Security Architecture
Column | Cell | Contents
Assets (What) | Information Assets | Inventory of Information Assets
Motivation (Why) | Risk Management Policies | Domain Policies
Process (How) | Process Maps & Services | Information Flows; Functional Transformations; Service Oriented Architecture
People (Who) | Entity & Trust Framework | Entity Schema; Trust Models; Privilege Profiles
Location (Where) | Domain Maps | Domain Definitions; Inter-domain associations & interactions
Time (When) | Calendar & Timetable | Start Times, Lifetimes & Deadlines

Physical Security Architecture
Column | Cell | Contents
Assets (What) | Data Assets | Data Dictionary & Data Inventory
Motivation (Why) | Risk Management Practices | Risk Management Rules & Procedures
Process (How) | Process Mechanisms | Applications; Middleware; Systems; Security Mechanisms
People (Who) | Human Interface | User Interface to ICT Systems; Access Control Systems
Location (Where) | ICT Infrastructure | Host Platforms, Layout & Networks
Time (When) | Processing Schedule | Timing & Sequencing of Processes and Sessions

Component Security Architecture
Column | Cell | Contents
Assets (What) | ICT Components | ICT Products, including Data Repositories and Processors
Motivation (Why) | Risk Management Tools & Standards | Risk Analysis Tools; Risk Registers; Risk Monitoring and Reporting Tools
Process (How) | Process Tools & Standards | Tools and Protocols for Process Delivery
People (Who) | Personnel Management Tools & Standards | Identities; Job Descriptions; Roles; Functions; Actions & Access Control Lists
Location (Where) | Locator Tools & Standards | Nodes, Addresses and other Locators
Time (When) | Step Timing & Sequencing Tools | Time Schedules; Clocks, Timers & Interrupts

Security Service Management Architecture
Column | Cell | Contents
Assets (What) | Service Delivery Management | Assurance of Operational Continuity & Excellence
Motivation (Why) | Operational Risk Management | Risk Assessment; Risk Monitoring & Reporting; Risk Treatment
Process (How) | Process Delivery Management | Management & Support of Systems, Applications & Services
People (Who) | Personnel Management | Account Provisioning; User Support Management
Location (Where) | Management of Environment | Management of Buildings, Sites, Platforms & Networks
Time (When) | Time & Performance Management | Management of Calendar and Timetable
Ram Kodali
PMP, CISSP, CISM, CISA, COBIT, CGEIT
SABSA Security Chartered Architect (SCF)
ITIL v3 Expert, Six Sigma Green Belt
ISO/IEC 27001 and ISO/IEC 20000 Auditor
ITIL®: brief introduction and certification details
What is ITIL®?
• A very widely adopted approach to IT Service Management worldwide
• Provides a practical, no-nonsense framework for identifying, planning, delivering and supporting IT services to the business
• Advocates that IT services must be aligned to the needs of the business
• Provides guidance to organizations on how to use IT as a tool to facilitate business change, transformation and growth
• Offers a range of benefits, including: improved IT services; reduced costs; improved customer satisfaction through a more professional approach to service delivery; improved productivity; improved use of skills and experience; improved delivery of third-party services
How is ITIL® structured?
Enabling organizations to deliver appropriate IT services and continually ensure they are meeting business goals and delivering benefits.
• Service Strategy: strategy management for IT services; service portfolio management; financial management; demand management; business relationship management
• Service Design: design coordination; service catalogue management; service level management; availability management; capacity management; IT service continuity management; information security management; supplier management
• Service Transition: transition planning and support; change management; service asset and configuration management; release and deployment management; service validation and testing; change evaluation; knowledge management
• Service Operation: event management; incident management; request fulfillment; problem management; access management
• Continual Service Improvement: seven-step improvement process
• The ITIL best practices are detailed within five core publications
• These five core guides map the entire ITIL Service Lifecycle:
– beginning with identification of customer needs and drivers of IT requirements,
– to the design and implementation of the service into operation,
– and finally on to monitoring and continual improvement of the service
Who owns ITIL®?
• On 1 July 2013 AXELOS was announced as the new joint venture company, created by the Cabinet Office on behalf of Her Majesty's Government (HMG) and Capita plc, to run the Best Management Practice portfolio, which includes ITIL® and PRINCE2®
• AXELOS has complete ownership of the intellectual property of the whole Best Management Practice portfolio
ITIL® Qualification Scheme
• The modular, tiered structure of the qualification offers candidates flexibility in relating to the different disciplines and areas of ITIL, and makes ITIL qualifications more accessible and achievable
• Provides a modular approach to the ITIL framework: comprised of a series of qualifications focused on different aspects of ITIL Best Practice, to various degrees of depth and detail
• Levels of ITIL qualifications: ITIL Foundation; ITIL Intermediate level; ITIL Managing Across the Lifecycle; ITIL Expert Level; ITIL Master
Training and Examinations
Examination Institutes: An Examination Institute (EI) is an organization accredited by AXELOS and permitted to operate an examination scheme through a network of Accredited Training Organizations and Accredited Trainers with accredited materials. The Examination Institutes are: APMG International; BCS, The Chartered Institute for IT; CSME; DANSK IT; DF Certifiering AB; EXIN; Loyalist Certification Services; PEOPLECERT; TÜV SÜD
Accredited Training Organizations: Global Knowledge; HP Education; Quint Redwood; Service Management Art; and many more…
IAPP
International Association of Privacy Professionals
• Not-for-profit established in 2000, New Hampshire, USA
• More than 14,000 members in 83 countries
• Privacy communities: IAPP Canada, IAPP Europe, IAPP ANZ (Australia and New Zealand)
Helps define, support and improve the privacy profession through networking, education and certification
2014-05-09 PC Lacroix Consulting
PACC
Privacy and Access Council of Canada (formerly CAPAPA)
Established 2013
1. Associate Access & Privacy Professional (AAPP)
2. Certified Access & Privacy Professional (CAPP)
3. Master Access & Privacy Professional (MAPP)
“Represents privacy and access practitioners and certified professionals across Canada, and is the certifying body representing leadership and excellence in information privacy, access to information, and data governance”
IAPP Certifications
Certified Information Privacy Professional
1. CIPP/Canada
2. CIPP/US
3. CIPP/Europe
4. CIPP/IT
5. CIPP/Gov (US government)
6. CIPM (Certified Information Privacy Manager)
Certification Requirements
• To write any certification exam, candidates must first pass the foundational exam
• Each certification requires a specialized body of knowledge: textbooks, training sessions, test exams
• Case studies, jurisdictional law, practical application
• Certification exams are proctored by an IAPP member
• Continuing education credits are required to maintain the certification
Why an IAPP Privacy Certification?
IAPP certification is the global standard for privacy and data protection professionals
• Brand strength of the credential in over 83 countries; most often preferred (or required) on job postings
• Continuing education opportunities: Canadian KnowledgeNet, Canadian Privacy Symposium, international IAPP conferences, summits and education institutes; resource availability (papers, templates, forums, etc.)
• Professional networking: Privacy After Hours
BC Security Services Act
Defines "security work" as:
• armoured car guard services
• locksmiths
• private investigators
• security alarm services
• security consultants (advises on protecting property, including electronic data)
• security guards
• body armour salespersons
Licensing
A licence from the Ministry of Justice is required for security workers unless:
• exempt by regulation, or
• determined to be incidental by the Registrar of Security Services
IT security consultants are exempt under the Security Services Regulation, section 2(i).
What if there are physical aspects?
Type of security work with physical aspects | Need a licence?
PCI QSA auditing sub-requirements under PCI DSS Requirement 9 (Restrict physical access to cardholder data) | No: considered to be incidental by the Registrar
PCI consultant advising on installing a video surveillance system | Yes: beyond the IT security exemption
IT forensics work | No: does not engage in other aspects of the work of private investigators
Work on SCADA systems | Maybe: check with the Ministry to determine whether the work is incidental