Certifications for IT Audit and IT Governance type jobs whats best?

TheFORCETheFORCE Senior MemberMember Posts: 2,298 ■■■■■■■■□□
Does anyone have any input on the above question?
I'm thinking CISSP is a good start but also CISA and CISM would add more value and broaden your knowledge add ITIL into that and you have the full package. That's my opinion but wanted to hear other people that work in a similar job what experience they have or what they recommend.
I'm asking this question because I'd like to take any of the above and hopefully gain a bit more authority and respect for my recommendation, which right now it seems like they are not being taken seriously, then again it might just be my approach or just the company culture where they don't care about any processes.

For the people in those positions how seriously are you being taken when you find a flaw and recomend a solution and how long does it take to implement? It seems like I'm facing uphill battles for everything and can't seem to get a win lol
icon_sad.gif

Comments

  • UnixGuyUnixGuy Are we having fun yet? Mod Posts: 4,426 Mod
    Certifications are good for learning journey, but being taken seriously has a lot to do with the way you present yourself AND your environment.

    Just be firm, be confident, and show that you know what you're doing...
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Check out my YouTube Channel!

  • 636-555-3226636-555-3226 Member Posts: 975 ■■■■■□□□□□
    If people don't take you seriously at your job then having a few extra letters in your email signature isn't going to change that. Knowing what you're talking about, standing firm if you know you're right and the others are wrong, and then proving you're right is how to earn the respect.
  • TheFORCETheFORCE Senior Member Member Posts: 2,298 ■■■■■■■■□□
    I understand that and I have experience in the field, for many years now. The thing is, the company is very small and there are no policies in place, no communication and basically everyone is doing whatever they want and IT is not taken seriously. No one follows any standards, they just do things because someone before them did them that way and no one is willing to make a change.
    How can i prove i am right when the things I'm trying to implement are not being implemented? I am very confident in my abilities and that's what frustrates me the most, to see a chaotic environment, trying to put some order and nothing changes.
  • docricedocrice Member Posts: 1,706 ■■■■■■■■■■
    Those kinds of loose cultures are difficult to turn around. However, maybe you can start small and implement a policy that has a high likelihood of positive net results (something as simple as a process that saves time). I think to have weight in a place like that, if you demonstate that your efforts result in something good, then others may be willing to listen.

    Let's say if you have a set of hosts or devices which don't follow any build standard, it reasons that they're more difficult to troubleshoot or track changes against. If you implement a baseline, it makes tracking/auditing changes easier and perhaps reduces troubleshooting turnarounds.

    Ultimately this all depends on how much authority or accountability your individual suborganization has. But if you're just a compliance checkbox ("Why yes, we do have an in-house auditor...") you'll need to figure out a strategy which works for the culture of your environment.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • JoJoCal19JoJoCal19 California Kid Mod Posts: 2,832 Mod
    Can you get buy in from senior or executive management? It's not hard to present a business case on why you should implement policies, procedures, best practices, controls, baselines, etc, etc. Show them in dollars and cents why those things should be implemented. Mention the wasted man hours and extra costs of doing things how they are done now. That should go a long way toward gaining you respect from at least the management level. If the management there does not care and they'd rather the inmates run the asylum, it's time to polish up your resume and bail.
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up:​ OSCP
    Studying:​ Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
  • TheFORCETheFORCE Senior Member Member Posts: 2,298 ■■■■■■■■□□
    JoJoCal19 wrote: »
    Can you get buy in from senior or executive management? It's not hard to present a business case on why you should implement policies, procedures, best practices, controls, baselines, etc, etc. Show them in dollars and cents why those things should be implemented. Mention the wasted man hours and extra costs of doing things how they are done now. That should go a long way toward gaining you respect from at least the management level. If the management there does not care and they'd rather the inmates run the asylum, it's time to polish up your resume and bail.

    That's the thing. I can't bail yet, I'm only here for 4 months. I think that it can be a great place to work if things are done properly. I have send over some suggestions but like I mentioned things take to long to get done because there isn't accountability in the processes. No SLAs, no change management, nothing. I opened a request with the helpdeak 15 days ago, still havent received any updates on it.
  • BlackBeretBlackBeret Member Posts: 683 ■■■■■□□□□□
    JoJo is right, buy in from senior management is what you need to make change happen. The best way to connect with them is through money. Say you want to change a policy, why should they care? If everything is running fine right now why should they invest money in to doing things differently if it's not going to make them more money?

    I'm not an expert on compliance, but I'm sure you can find something such as SOX, HIPPA, PCI-DSS, etc that your company should be complying with. If not just consider the implications when PII is lost and focus on HR systems and customer databases. Develop a report of what happens when this information is just mishandled, not even a major breach, but a $250,000 fine for hishandling it. Then explain to them how you prevent that from happening through adherence to specific policies, and how you need to be able to audit those policies through the use of X. Tell them that you need to revise the policy to ensure compliance with X and prevent heavy fines and jail time.
  • TheFORCETheFORCE Senior Member Member Posts: 2,298 ■■■■■■■■□□
    BlackBeret wrote: »
    JoJo is right, buy in from senior management is what you need to make change happen. The best way to connect with them is through money. Say you want to change a policy, why should they care? If everything is running fine right now why should they invest money in to doing things differently if it's not going to make them more money?

    I'm not an expert on compliance, but I'm sure you can find something such as SOX, HIPPA, PCI-DSS, etc that your company should be complying with. If not just consider the implications when PII is lost and focus on HR systems and customer databases. Develop a report of what happens when this information is just mishandled, not even a major breach, but a $250,000 fine for hishandling it. Then explain to them how you prevent that from happening through adherence to specific policies, and how you need to be able to audit those policies through the use of X. Tell them that you need to revise the policy to ensure compliance with X and prevent heavy fines and jail time.

    You are right I could write up something like that. The fact is I don't have the visibility into the operation side. Like I mentioned earlier, IT has no idea how many applications there are, who manages them, who supports them etc. As an example I just found about an app where all the accounts were created by a generic id that the Helpdesk uses which has not had its password changed in over a year! On top of that, theres no clarification who those ids belong to because the profile information were never fully completed. I mean seriously? SOX would have a field day with simple things like that.
  • beadsbeads Senior Member Member Posts: 1,522 ■■■■■■■■■□
    You have no hope of defending unless you know the territory itself. Clearly, you don't have senior management's blessing either ignorance is bliss approach or your organization has grown too big to be acting like a smaller business. You mention SOX like a small task - its not - you either are or are not SOX compliant and probably the wrong example here.

    Suggest looking at a compliance everyone is responsible - HIPAA. HR needs to follow good HIPAA compliance or possibly be sued out of corporate existence in a matter of one court appearance. HR by the way is actually more responsible for the culture of compliance than senior or executive management any day of the week. Not that executives can't get in the way but HR sets both the standard and how compliance is viewed - Executives just give the OK and get peoples initial attention.

    Start with HIPAA compliance first, its well known and applies to everyone. Then work your way through the corporate chain with PPGS.

    - b/eads

    - b/eads
  • TheFORCETheFORCE Senior Member Member Posts: 2,298 ■■■■■■■■□□
    Oh Beads don't get me started on how HR works here. I'm pulling my hair just to communicate with them.
Sign In or Register to comment.