Certifications for IT Audit and IT Governance type jobs whats best?

Does anyone have any input on the above question?
I'm thinking CISSP is a good start, but CISA and CISM would add more value and broaden your knowledge; add ITIL into that and you have the full package. That's my opinion, but I wanted to hear from other people who work in a similar job what experience they have or what they recommend.
I'm asking this question because I'd like to take any of the above and hopefully gain a bit more authority and respect for my recommendations, which right now don't seem to be taken seriously. Then again, it might just be my approach, or just the company culture where they don't care about any processes.
For the people in those positions, how seriously are you being taken when you find a flaw and recommend a solution, and how long does it take to implement? It seems like I'm facing uphill battles for everything and can't seem to get a win lol

Comments
Just be firm, be confident, and show that you know what you're doing...
How can I prove I am right when the things I'm trying to implement are not being implemented? I am very confident in my abilities, and that's what frustrates me the most: to see a chaotic environment, try to put some order into it, and nothing changes.
Let's say you have a set of hosts or devices which don't follow any build standard; it stands to reason that they're more difficult to troubleshoot or track changes against. If you implement a baseline, it makes tracking/auditing changes easier and perhaps reduces troubleshooting turnarounds.
Ultimately this all depends on how much authority or accountability your individual suborganization has. But if you're just a compliance checkbox ("Why yes, we do have an in-house auditor...") you'll need to figure out a strategy which works for the culture of your environment.
Currently Working On: Python, OSCP Prep
Next Up: OSCP
Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
That's the thing. I can't bail yet; I've only been here for 4 months. I think that it can be a great place to work if things are done properly. I have sent over some suggestions, but like I mentioned, things take too long to get done because there isn't accountability in the processes. No SLAs, no change management, nothing. I opened a request with the helpdesk 15 days ago and still haven't received any updates on it.
I'm not an expert on compliance, but I'm sure you can find something such as SOX, HIPAA, PCI-DSS, etc. that your company should be complying with. If not, just consider the implications when PII is lost, and focus on HR systems and customer databases. Develop a report of what happens when this information is just mishandled, not even a major breach, but a $250,000 fine for mishandling it. Then explain to them how you prevent that from happening through adherence to specific policies, and how you need to be able to audit those policies through the use of X. Tell them that you need to revise the policy to ensure compliance with X and prevent heavy fines and jail time.
You are right, I could write up something like that. The fact is I don't have the visibility into the operations side. Like I mentioned earlier, IT has no idea how many applications there are, who manages them, who supports them, etc. As an example, I just found out about an app where all the accounts were created by a generic ID that the Helpdesk uses, which has not had its password changed in over a year! On top of that, there's no clarification who those IDs belong to because the profile information was never fully completed. I mean, seriously? SOX would have a field day with simple things like that.
Suggest looking at a compliance regime everyone is responsible for: HIPAA. HR needs to follow good HIPAA compliance or possibly be sued out of corporate existence in a matter of one court appearance. HR, by the way, is actually more responsible for the culture of compliance than senior or executive management any day of the week. Not that executives can't get in the way, but HR sets both the standard and how compliance is viewed; executives just give the OK and get people's initial attention.
Start with HIPAA compliance first; it's well known and applies to everyone. Then work your way through the corporate chain with PPGS.
- b/eads