how to step in CISA or CISSP

Hi, I want to step into IT Security Audit field. currently I've experience in software testing/QA. Any advice on how can I get into the auditing field. I know for both certifications we need to have certain years of experience. But to get a related job should I first go ahead & prepare for one of the tests & may even attempt it. or should I first try to find a related job, which could be a bit hard due to lack of experience....

As some of you seems to have a lot of experience in this field, please provide me with your advice.

thanks
mir

Find more posts tagged with

Comments

shednik

your best bet would be to find a job related to auditing or maybe propose a project at work that encompasses some type of audit which you can preform internally to try and meet some set of standards ie SAS 70, SOX, ISO, etc..

sexion8

mirasimali wrote:

Hi, I want to step into IT Security Audit field. currently I've experience in software testing/QA. Any advice on how can I get into the auditing field. I know for both certifications we need to have certain years of experience. But to get a related job should I first go ahead & prepare for one of the tests & may even attempt it. or should I first try to find a related job, which could be a bit hard due to lack of experience....

As some of you seems to have a lot of experience in this field, please provide me with your advice.

thanks
mir

For the CISA:

A maximum of one year of information systems experience OR one year of financial or operational auditing experience can be substituted for one year of information systems auditing, control or security experience.

Judging on your post, you'd likely want to get involved with this over the CISM which is a much broader and altogether different type of certification. Lest you come back around and have confused IT Auditing with Information Auditing. What is your bottom line, a CISA is similar to a CPA for information systems. There is less "auditing" on the technical side - meaning don't expect to be performing penetration testing tasks or security audits with tools much.

keatron

In a nutshell it can be kinda summed up this way.

CISSP guys will say "secure the systems and information and this is how it should be done". Then they'll hire or contract with specialists that have experience in whatever systems and types of information need to be secured to do the job, while over seeing the entire process.

CISA guys will come after the fact and say "prove to me these systems are secure, and here is the criteria and metrics you must use to prove it" Then again, depending on what's required, specialists that have experience in designing, or implementing those types of auditing systems or processes will be put to task.

Penetration testers (like myself) might be involved in both phases. And the requirements for the pentest could vary greatly. For example the below is part of a typical request from auditors.

Internal Penetration Test Service
· 1 location, no credentials
$15,000/year
$13,500/year
$12,000/year
Internal Penetration Test Service
· 1 location, 1 credential
$18,000/year
$16,200/year
$14,400/year
Internal Penetration Test Service
· 1 location, 2 credentials
$21,000/year
$18,900/year
$16,800/year

This is taken directly from a contract request I received yesterday. They are basically requesting a whitebox test here (common for auditing purposes). There are three different systems here in three different locations. By credentials they are referring to basically giving you a regular user account to begin with and having you see how much information you can get to with just those credentials, how much those privileges can be escalated etc. The pricing you see reflects spending something like 40 hours per year trying to do just that. The different prices reflect different options (which I purposely left out in case competitors are snooping here...lol).

Now first let's be realistic and understand that compliance, and secure are not synonymous. The pentests above are ones I'd send 2nd year employees out to perform (shadowed by entry level personnel). We do a good bit of these, but our primary focus is still blackbox or zero knowledge tests. Where they'll just say, here's the company name, go get em!

So I guess one question you could ask yourself is do you think you'd get more joy out of finding holes in systems (pentesters/CISSP), or would you get more joy out of finding holes in processes and metrics (auditors/CISA/pentesters)? Both are exciting and rewarding career choices.

jayesh_vn

Hi Guys,

For over a year, I am working in couple of areas namely ISO 27001 implementation and audits, Business Continuity Planning. Recently, I have entered into a more technical area i.e firewall implementation and its day to day operations. I have a MSc in infosec(London) additionally i have obtained a couple of certifications like ISO 27001 LA, CEH. This year I am looking at going for a big certification in the likes of CISSP/CISA. However, I am confused which one to focus on with respect to my profile.

Please, can anyone advice.

Thanks in advance

paul78

Hello and welcome to TE.

Do you have a preference for what you are interested in pursuing in the future? Why not do both if you plan to stay in an audit-related role. If you have a fairly broad infosec experience, do the CISSP first. But you described that you came from an audit and bcp background so you may find that doing the CISA first may be easier to start.

There really isn't a right or wrong way to start.

jayesh_vn

Thanks for the response paul. Well, eventually i see myself doing audits. I would like to use the technical experience towards technical audits. But clearly I dont want to completely move towards firewall operations as the only task. Considering this would it be better to go for CISA ? Does a CISA with resonable technical experience help ?

Thanks

numberfive

CISA for assurance and risk management, CISSP for technical audits, pentests. IMO

burfect

numberfive wrote: »

CISA for assurance and risk management, CISSP for technical audits, pentests. IMO

Yet my research has shown me many have BOTH among a variety of others.

paul78

jayesh_vn wrote: »

Considering this would it be better to go for CISA ? Does a CISA with resonable technical experience help ?

If your goal is to eventually be an IT auditor, then absolutely target the CISA. I do feel that auditors with some technical breath do a better job. If you enjoy having that better understanding, setting your sights on the CISSP is alsp recommended.

I concur with the comment by @burfect. I run into a lot of auditors with both CISSP and CISA - non-auditors as well.

burfect

Would "auditing" be considered security work and security work be considered audting work in terms of cert experience guidelines? Reason I ask, is because of the fact many in auditing and security have both of these certs. Can auditing/security experience be used interchangably to fulfill exp requirements for each of these?

JDMurray

Auditing is comparing an existing situation to a set of rules and looking for discrepancies. Auditing is therefore something that is very valuable for validating/verifying compliance with security policies and standards. However, the art and science of auditing in itself has nothing specifically to do with security.

numberfive

burfect wrote: »

Yet my research has shown me many have BOTH among a variety of others.

Question was "on which one to focus first with respect to my profile?".
According to your response he should focus on all of them.