Professional Designations (A. Kwok) - ISA/BIT Learning Center
ACC626: Research Paper
Professional Designations of Information Systems Auditing
Andre Kwok
7/13/2010
Table of Contents

Overview ........................................ 3
Professional Designations ....................... 3
  (ISC)^2 ....................................... 3
    CISSP ....................................... 4
  ISACA ......................................... 5
    CISA ........................................ 6
    CISM ........................................ 7
    CGEIT ....................................... 7
    CRISC ....................................... 7
  GIAC .......................................... 8
  CICA .......................................... 9
    CA.IT ....................................... 9
Salary studies .................................. 10
Association with professional bodies ............ 11
Observations .................................... 12
Conclusion ...................................... 13
Recommendations ................................. 13
Exhibit I ....................................... 14
Exhibit II ...................................... 15
Annotated Bibliography .......................... 16
Overview

In past generations, we have seen post-secondary education become a critical deciding factor in the hiring of potential job candidates. In the present day, with a large majority of the population engaging in post-secondary studies, further signals are required in order to differentiate individuals from one another. The solution lies in the continuing education of professional designations. This paper discusses the professional designations that relate to the discipline of information systems auditing. It analyzes the differences between the available options and concludes that the CISA designation holds the most promising value in this field. However, with the constant changes in the environment, the value of these designations is also proven through recent events and is thus subject to fluctuation. On a final note, any relevant designation or further education would have positive effects, as it signals a long-term interest and commitment to the industry.
Professional Designations

Professional designations are a large deciding factor in the hiring of experienced and knowledgeable candidates. In fact, 85% of the posted jobs for IT auditors preferred or required professional certification, or they required those candidates to be actively working toward attaining certification. It has also been shown that the overall proportion of IT audits has been steadily increasing at approximately one percent per year regardless of the country and was just over 13% in 2009. [1] With a growing demand for qualified IT auditors, there are quite a few professional designations available to meet this need for differentiation. The organizations offering these professional designations related to the area of information systems auditing include the International Information Systems Security Certification Consortium ((ISC)^2), the Information Systems Audit and Control Association (ISACA), the Global Information Assurance Certification (GIAC), and the Canadian Institute of Chartered Accountants (CICA).

[1] http://accounting.uwaterloo.ca/uwcisa/symposiums/documents/Boss.pdf

(ISC)^2

The International Information Systems Security Certification Consortium is an independent, nonprofit corporation established in 1989. Their mission is to 'make society safer by improving productivity, efficiency and resilience of information-dependent economies through information security education and certification.' They have been recognized as the first information security certifying body to meet the requirements of ANSI/ISO/IEC Standard 17024, a global benchmark for personnel certification, and have about 60,000 certified industry professionals in over 135 countries. All of their members and candidates are required to subscribe to their code of ethics and earn Continuing Professional Education (CPE) credits throughout the life of their certification. This helps them to safeguard the professionalism and integrity of their credentials while keeping their members current with all the new developments. [2] (ISC)^2 is the SC Magazine two-time consecutive award winner in education for 2006 and 2007, and the 2008 finalist for this category and for the Best Professional Certification Program. They achieve this through their official Review Seminars and other education options, including instructor-led education, onsite education, official e-learning, official self-assessment, and official textbooks. [3]
CISSP

As a globally recognized standard of achievement, the Certified Information Systems Security Professional (CISSP) was the first credential in the field of information security. It was accredited by the American National Standards Institute (ANSI) to International Organization for Standardization (ISO) Standard 17024:2003. [4] The requirements for attaining the CISSP include completing the examination, certification, endorsement and audit processes. The CISSP examination is 6 hours long with no breaks allowed. It consists of 250 multiple choice questions with four choices each. A passing grade is a scaled score of 700 out of a possible 1000 points on the grading scale. The fee for this examination is $549-599 USD depending on early or standard registration. [5] The examinations are offered in most major cities about twice each year. [6] Those individuals that successfully complete this examination become an Associate of (ISC)^2, with a period of six years after the 'pass' email is issued to meet the experience requirements. To attain the CISSP, another requirement is that candidates must have a minimum of five years of direct full-time security work experience in two or more of the 10 domains of the (ISC)^2 CISSP Common Body of Knowledge, which include:

o Access Control
o Application Security
o Business Continuity and Disaster Recovery Planning
o Cryptography
o Information Security and Risk Management
o Legal, Regulations, Compliance and Investigations
o Operations Security
o Physical (Environmental) Security
o Security Architecture and Design
o Telecommunications and Network Strategy

[2] https://www.isc2.org/aboutus/default.aspx
[3] https://www.isc2.org/uploadedFiles/Education/(ISC)2-Education.pdf
[4] https://www.isc2.org/cissp/default.aspx
[5] https://www.isc2.org/uploadedFiles/Certification_Programs/exam_pricing.pdf
[6] https://webportal.isc2.org/Custom/ExamsListView.aspx?month=0&type=&city=&state=&country=Canada&seminartype=
Candidates are eligible to waive one year of professional experience if they have a four-year college degree. [7] A further requirement before receiving the CISSP certification is to have an endorsement form completed by another (ISC)^2 certified professional in good standing. The endorser must attest that the candidate's assertions regarding their professional experience are true to the best of their knowledge, and that the candidate is in good standing within the information security industry. [8]

To maintain Associate status while working towards the CISSP designation and to remain in 'good standing', candidates must pay an annual maintenance fee of $35 USD and complete a minimum of 20 CPEs during each year. [9] The CPEs earned as an Associate working towards the CISSP are not applied to the CISSP certification. In addition, some passing candidates will also be randomly selected and audited prior to the issuance of any certificates. Therefore, after passing the CISSP examination, completing the Endorsement Form along with their resume, and passing an audit of their assertions regarding professional experience if selected, candidates can finally be issued a certificate. However, (ISC)^2 requires that ongoing requirements are met to maintain these credentials in good standing. These include completing 120 CPE credits every three years, with a minimum of 20 CPEs posted during each year of the three-year certification cycle. In addition, the annual maintenance fee is $85 USD. [10] CISSP holders can further their designation by attaining specializations in the CISSP Concentrations of Architecture, Engineering and Management. [11]
ISACA

The Information Systems Audit and Control Association is an independent, non-profit, global association that was incorporated in 1969. ISACA is known as a pace-setting global organization for information governance, control, security and audit professionals. Their membership totals over 86,000 in more than 160 countries and covers a variety of professional IT related positions. [12] ISACA is internationally recognized for their industry achievements, which include developing and maintaining the COBIT, Val IT and Risk IT frameworks. [13] They offer the following four designations: Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT), and Certified in Risk and Information Systems Control (CRISC). These designations have been recognized by government entities, major industry publications, standards bodies and major consulting groups. The requirements for their designations include successful completion of an examination, a certain minimum level of relevant work experience, and adherence to their Code of Professional Ethics and Continuing Professional Education Program. All of their examinations are offered twice a year, in June and December, with the examination fees ranging from $415-595 depending on whether the candidate is a member and/or when they register. [14] The required work experience for the designations must be gained within the 10 years preceding the candidate's application date for certification or within five years from the date when they initially passed the examination. [15] Similar to the CISSP, ANSI has also accredited the CISA and CISM certifications under ISO/IEC 17024:2003. [16] ISACA has more than 180 chapters established in over 75 countries worldwide, which provide its members with education, resource sharing, advocacy, professional networking, and other benefits at a local level. [17] These chapters include training and exam preparation resources for their designations. Their CPE Program is similar to that of (ISC)^2, with the same requirements to report an annual minimum of 20 CPE hours, and 120 CPE hours for a three-year reporting period. Their annual maintenance fees are $40 USD for ISACA members and $80 USD for non-members. [18]

[7] https://www.isc2.org/cissp-professional-experience.aspx
[8] https://www.isc2.org/endorsement.aspx
[9] https://www.isc2.org/uploadedFiles/Credentials_and_Certifcation/Associate_of_(ISC)2/Associate-of-(ISC)2.pdf
[10] https://www.isc2.org/cissp-how-to-certify.aspx
[11] https://www.isc2.org/concentrations/default.aspx
[12] http://www.isaca.org/About-ISACA/History/Pages/default.aspx
[13] http://www.isaca.org/About-ISACA/What-We-Offer-Who-We-Serve/Pages/default.aspx
CISA

The Certified Information Systems Auditor designation was established early in 1978 to become the globally accepted standard of achievement among information systems audit, control and security professionals. It has been earned by more than 75,000 professionals to date and, according to the 2010 Information Career Trends Survey, is quickly becoming a preferred certification program by individuals and organizations around the world. [19] The experience requirement for CISA is a minimum of five years of professional information systems auditing, control or security work experience. However, there are a few more options available for substitutions and waivers of this experience. These include a maximum of one year of information systems experience or one year of financial or operational auditing experience to be substituted, 60 to 120 completed college semester credit hours to be substituted for one or two years respectively, and two years as a full-time university instructor in a related field, which can be substituted for one year. [20] CISA was named the winner of the 2009 Best Professional Certification Program by SC Magazine. It has also received numerous other awards, including the 'Best Professional Development Grand Award' and 'Best Professional Development Scheme Award' at the Hong Kong ICT Awards 2009 presentation ceremony. [21]

[14] http://www.isaca.org/CERTIFICATION/Pages/default.aspx?utm_source=multiple&utm_medium=multiple&utm_content=friendly&utm_campaign=certification
[15] http://www.isaca.org/Certification/CISA-Certified-Information-Systems-Auditor/How-to-Become-Certified/Pages/default.aspx
[16] http://www.isaca.org/Certification/CISA-Certified-Information-Systems-Auditor/What-is-CISA/Pages/default.aspx
[17] http://www.isaca.org/About-ISACA/What-We-Offer-Who-We-Serve/Pages/default.aspx
[18] http://www.isaca.org/Certification/CISA-Certified-Information-Systems-Auditor/Pages/Maintain-Your-CISA.aspx
[19] http://www.isaca.org/Certification/CISA-Certified-Information-Systems-Auditor/What-is-CISA/Pages/CISA-in-the-News.aspx
[20] http://www.isaca.org/Certification/CISA-Certified-Information-Systems-Auditor/How-to-Become-Certified/Pages/default.aspx
[21] http://www.isaca.org/Certification/Pages/CISA-CISM-CGEIT-Certification-Recognition.aspx
CISM

The Certified Information Security Manager designation has been offered since 2003 and has been earned by more than 13,000 professionals to date. This management focused certification was developed for the individual who manages, designs, oversees and assesses an enterprise's information security. According to the Information Security Media Group, the CISM is one of the two certifications becoming 'minimum standards in the profession.' [22] The work experience required for the CISM is a minimum of five years of information security work experience, with a minimum of three years of information security management work experience. By holding either the CISA, the CISSP, or a post-graduate degree in information security or a related field, two years of information security work experience can be waived. One year can be substituted for one full year of either information systems management experience or general security management experience, or by completing a skill-based security certification, which includes the GIAC. However, these experience substitutions will not satisfy any portion of the three-year information security management work experience requirement. [23]

CGEIT

The Certified in the Governance of Enterprise IT designation was introduced in 2007 for professionals who manage, provide advisory and/or assurance services, and/or who otherwise support the governance of an enterprise's IT. This credential was built on the IT Governance Institute's intellectual property and input from subject matter experts around the world, with focus on the five key areas of governance: strategic alignment, value delivery, risk management, resource management, and performance measurement. [24] The experience requirement for the CGEIT is a minimum of five years managing, serving in an advisory or oversight role, and/or otherwise supporting the governance of the IT related contribution to an enterprise. In addition, a minimum of one year of experience relating to the development and/or the maintenance of an IT governance framework, and additional broad experience directly related to any two of the five key areas of governance mentioned directly above, are required. [25]

CRISC

ISACA's newest designation, Certified in Risk and Information Systems Control, was introduced earlier this year in 2010, with its first examination offered in 2011. Its intent was to acknowledge enterprise risk and the ability of business professionals to design, implement, monitor and maintain information system controls to mitigate such risk. Again, a minimum of five years of IT or business experience is required. Of this, a minimum of three years of cumulative work experience across at least three of the domains is required, which include: [26]

o Risk identification, assessment and evaluation
o Risk response
o Risk monitoring
o IS control design and implementation
o IS control monitoring and maintenance

[22] http://www.isaca.org/Certification/CISM-Certified-Information-Security-Manager/What-is-CISM/CISM-in-the-News/Pages/default.aspx
[23] http://www.isaca.org/Certification/CISM-Certified-Information-Security-Manager/How-to-Become-Certified/Pages/default.aspx
[24] http://www.certmag.com/read.php?in=3287
[25] http://www.isaca.org/Certification/CGEIT-Certified-in-the-Governance-of-Enterprise-IT/Pages/How-to-Become-Certified.aspx
GIAC

The Global Information Assurance Certification was established in 1999 to validate the skills of information security professionals. The GIAC's purpose is to provide assurance that a certified individual has the knowledge and skills necessary for a practitioner in key areas of computer, information and software security. The GIAC certifications cover a range of skill sets with advanced technical subject areas of: [27]

o Audit
o Intrusion detection
o Incident handling
o Firewalls and perimeter protection
o Forensics
o Hacker techniques
o Windows and Unix operating system security
o Secure software and application coding

The number of certifications issued has quickly been growing, with over 31,000 issued to date. The GIAC certifications are valid for four years, after which students must review new course information and retake the exam in order to remain certified. [28] The GIAC offers about 18 different certifications, which each cost $899 USD. [29] There are no prerequisites for special training required for any GIAC certification. In addition, there are many third party training providers that offer relevant courses towards attaining these certifications. The two certifications currently related to audit are the GIAC Certified ISO-17799 Specialist (G7799) and the GIAC Systems and Network Auditor (GSNA). These exams are proctored and consist of 150 questions within a four hour time limit, of which 105 correctly answered questions constitutes a passing score. [30] The G7799 certification demonstrates understanding of the ISO-17799 standard and the ability to put it into practice. On the other hand, the GSNA certification demonstrates that the holder has the knowledge, skills and abilities to apply basic risk analysis techniques to conduct a technical audit of essential information systems. [31]

[26] http://www.isaca.org/Certification/CRISC-Certified-in-Risk-and-Information-Systems-Control/Pages/What-is-CRISC.aspx
[27] http://www.giac.org/overview/
[28] http://www.giac.org/overview/
[29] https://www.sans.org/registration/register.php?conferenceid=1251
CICA

The Canadian Institute of Chartered Accountants, together with the provincial, territorial and Bermuda Institutes of Chartered Accountants, represents a membership of approximately 75,000 CAs and 12,000 students. The CICA conducts research into current business issues and supports the setting of accounting, auditing and assurance standards for business, not-for-profit organizations and government. [32] Recognizing the impact of IT, the IT Alliance was approved by the CICA's Board of Directors in June 2002, with its mission to encourage and recognize excellence in the provision of IT services by CAs. Thus, a specialist certification program was created to designate CA.IT Specialists. [33]

CA.IT

Chartered Accountants can receive this Information Technology Specialization through relevant work experience. Although there is no examination required to attain this designation beyond the examinations for the CA, these CAs must have: [34]

o Been working in one or more of the six major competency areas in the IT Competency Map for at least the last eight years.
o Spent a minimum of 5,000 hours in qualifying work experience and 200 hours in continuing professional development during the last five years.
o Been a CA in good standing over the last eight years.

In addition to the required fees to maintain the CA designation, the application fee for the CA.IT Specialist designation is $500 CDN, with annual fees of $400 CDN. [35] Due to the relatively recent introduction, limited scope, and lengthy work experience requirements, not many of these designations have been issued. Thus, the related studies on this designation are limited and are not on the same comparable base as the other designations, which require a significantly lower minimum duration of relevant work experience.

[30] http://www.giac.org/certifications/audit/
[31] http://www.giac.org/certifications/audit/
[32] http://www.cica.ca/about-the-profession/cica/index.aspx
[33] http://www.cica.ca/career-development/ca-specialization/information-technology/item1770.aspx
[34] http://www.cica.ca/career-development/ca-specialization/information-technology/item40142.pdf
[35] http://www.cica.ca/career-development/ca-specialization/information-technology/item40142.pdf
Salary studies

After these designations are attained, it comes down to what difference it really makes, and this difference is measured in terms of salary. In a report by Foote Partners LLC, formally certified security professionals on average earn about 10-15% higher salaries than non-certified individuals in comparable roles. Those shown with the highest premiums were the CISSP, CISA and CISM. [36] According to Certification Magazine's 2009 Salary Survey, out of the designations listed above only the CISSP concentrations of Architecture and Management made the top five highest paying certifications, with $136,060 and $134,100 respectively. [37] The entire field of IT is constantly upgrading and changing. In the previous year's Salary Survey, the CISM came in third overall with $109,410, with the CISSP not making the top 5. [38] In the 2007 Salary Survey, two of the top 5 included the CISM and CISA, with $115,720 and $98,740 respectively. [39] As the CISM relates to a management position, this gap between these earning numbers is reasonably expected. On another note, IT is a growth industry, and the 2009 average total salary, including benefits and incentives, had experienced a 9% gain from the previous year to $96,677. The year before that had average total salaries increase by 15%. [40]

The CA Profession Compensation Study includes the CA.IT and CA+CISA designations. The CA.IT designation had a mean compensation of $206,893 with a median of $152,936, while the CA+CISA had $166,664 and $134,450 respectively. [41] This can be interpreted from the large difference in work experience. As the CA.IT specialization requires 3 more years of relevant work experience over the CISA, this amount of time contributes strongly towards higher compensation. However, this shows that CAs with further designations in information systems auditing are making more than those holding the designation without the CA.

[36] http://www.computerworld.com/s/article/9026624/Salary_premiums_for_security_certifications_increasing_study_shows?intsrc=news_ts_head
[37] http://www.certmag.com/read.php?in=3915
[38] http://www.certmag.com/read.php?in=3656
[39] http://www.gocertify.com/article/ISACA-Certifications1.shtml
[40] http://www.certmag.com/read.php?in=3915
[41] http://cica.ems01.com/CA_Profession_Compensation_Survey_2009-En.pdf
Association with professional bodies

While the CISA came in as the winner for the best professional certification in 2009 by SC Magazine, the finalists also included the CISSP, GIAC, and CISM. [42] In the quickly changing environment, the 2010 award went to the CISSP, with the CISA not making the top 5 finalists at all. [43] All of the designations described above are managed by organizations that are internationally recognized for their contributions to the industry. CICA has accredited ISACA as the only body whose designation leads to recognition as a CA designated specialist in information systems audit, control and security. [44] Thus, this gives all of ISACA's designations more weight when it comes to signalling expertise and experience in its field. CAs pursuing the CISA designation also have to pass the ISACA examination and abide by the ISACA Code of Ethics. However, the work experience requirement is lessened, as they only need to provide evidence of two years of experience in information systems auditing, control or security work, if one year of financial statement or other audit, control or security related experience has been attained. [45]

With further relevance to the information systems auditing field, many enterprises recognize CISA as the standard, as organizations increasingly expect their IS auditors to hold this certification, including the US Department of Defense, which named CISA as an approved credential for DoD level 3 information assurance professionals. In fact, some have gone so far as to require this designation, such as the Financial Entities General Superintendence in Costa Rica, which requires financial institutions to have an annual assessment of their IT management framework by an external auditor that must be a CISA. The Securities Exchange Board of India has also required the biannual system audits of all mutual funds to be completed by an independent auditor that is CISA/CISM certified or equivalent. [46] In addition, CISA has been found to be positively and significantly associated with IT audits, whereas the CPA has been negatively associated. [47] This may suggest that CPAs are viewed as financial auditors who do not have the IT audit knowledge necessary to perform IT audits. Thus, this audit is usually delegated to IT audit specialists, namely those with the relevant designation such as the CISA.

[42] http://www.scmagazineus.com/best-professional-certification/article/130888/
[43] http://www.scmagazineus.com/best-professional-certification-program/article/164155/
[44] http://www.isaca.org/Certification/CISA-Certified-Information-Systems-Auditor/What-is-CISA/Pages/CISA-in-the-News.aspx
[45] http://www.cica.ca/career-development/ca-specialization/information-systems-auditing/item1768.aspx
[46] http://www.isaca.org/Certification/Pages/CISA-CISM-CGEIT-Certification-Recognition.aspx
[47] http://accounting.uwaterloo.ca/uwcisa/symposiums/documents/Boss.pdf
Observations

As time is strongly correlated to skill, the higher level of required work experience can help to differentiate these designations. Thus, certifications such as the GIAC's G7799, which only have an examination and no requirements for work experience, are determined to be entry-level credentials. [48] Following this, the CISSP and ISACA's designations can be classified into an intermediate category, as they require a minimum of five years of relevant work experience with the option for a couple of these years to be waived given previous experience. The CA.IT designation could be labelled as an advanced credential with its requirement of eight years of relevant work experience, on top of maintaining the CA designation as well. The requirement for annual continuing professional development hours is also consistent with our ranking, as the GIAC does not require any, the intermediate designations require about 20, and the CA.IT requires approximately 40. There are also differences between the required fees for the examination, association and maintenance of the designations. For the CA.IT designation, there are annual maintenance fees of $400 CDN compared to about $80 USD for the ISACA designations and CISSP. This could be attributed to the required duration of relevant experience for the specific designation: as professionals complete their work experience, their salary rises, which keeps this difference immaterial. Also, employers are increasingly covering these certification costs. [49]

The quality and continuing support of the organization offering the designation is another differentiating factor. Where GIAC certificate holders are only provided up-to-date examinations every four years, ISACA and (ISC)^2 are both internationally recognized and offer their members current industry information, networking opportunities, and other valuable career tools. With the CICA-ISACA Accreditation Agreement, the two organizations work together in a strategic relationship leading to other cooperative activities in education, research and professional standards. This helps to ensure that CAs and CISAs are both informed on information systems audit and control issues internationally on a consistent basis. [50] The CA.IT, on the other hand, is managed within CICA's IT Alliance, which was developed to stay current in the IT area. Finally, note that the newer designations such as ISACA's CGEIT and CRISC were not analyzed. This was due to the lack of designation holders and available data relating to their impact on salary and their recognition by other entities. In the future, with further growth and the introduction of new designations, we may see a more established presence and a very different landscape from the present day.

[48] http://www.scmagazineus.com/security-certifications-what-decides-know-how/article/167949/
[49] http://www.certmag.com/read.php?in=3915
[50] http://www.cica.ca/career-development/ca-specialization/information-systems-auditing/item1768.aspx
Conclusion

From our research, we observe that the CISA is highly respected in its field, receiving international recognition from government entities and professional bodies. The CISA is the only globally recognized program for certifying information systems audit and control professionals.[51] It is quickly becoming a requirement for IT auditors by governments around the world. Furthermore, the CICA-ISACA Accreditation Agreement shows that this designation is here to stay in this profession. In fact, the CISA has been noted to be becoming almost as important as a CPA for auditing positions.[52] Therefore, we conclude that the CISA is the designation holding the highest value with regard to information systems auditing.
Recommendations

According to Certification Magazine's 2009 Salary Survey, 96% of respondents from the top five countries with the highest salaries said they were certified. In addition, the number of respondents who added more than two certifications to their portfolios this year increased from 11.4% in 2008 to over 30% in 2009, while the total number of people who earned at least one certification in 2009 was more than 67%.[53] Thus, while our conclusion points to the CISA designation being the best designation for information systems auditing, attaining any of the other designations would still have a positive benefit and should nevertheless be taken into consideration as they fit the individual's needs. Certifications are a signalling mechanism: they show that the individual has gone through the cost and effort to obtain and maintain them, implying a long-term interest in and commitment to the field. Aside from certifications, other options are available, including attendance at specialized courses and pursuing further degrees and/or diplomas. While the IT environment is constantly changing and new designations are introduced, the responsibility falls on the individual to keep up to date. As Jonathan Gossels, president of SystemExperts Corp, said, "Stick with the premium brands, the credentials that command respect and whose value stays over time."[54] Therefore, although our recommended path for a CA involved in IT audits would be to pursue a CISA designation and later attain the CA.IT specialization, this path is not clear-cut, as individuals are able to pick up further designations along the way, or may decide to specialize in a different or more relevant area of the ever-expanding field of information technology as their careers progress.
51. [17] http://www.cica.ca/career-development/ca-specialization/information-systems-auditing/item1768.aspx
52. [14] http://www.scmagazineus.com/security-certifications-what-decides-know-how/article/167949/
53. [18] http://www.certmag.com/read.php?in=3915
54. [14] http://www.scmagazineus.com/security-certifications-what-decides-know-how/article/167949/
Exhibit I - Compensation by Designation/Post Graduate Degree held (from CA Profession Compensation Study)
Total compensation (includes owners and non-owners)

Designation / degree | Count | Mean | Median | Percentile 25 | Percentile 75
Chartered Financial Analyst or CFA | 378 | $303,562 | $201,250 | $140,000 | $305,000
CIRP or CA•CIRP | 74 | $294,274 | $195,500 | $146,000 | $301,000
Engineer P.Eng. | 29 | $288,678 | $180,000 | $101,500 | $327,000
CBV or CA•CBV | 239 | $261,596 | $165,000 | $120,000 | $275,000
Master of Business Administration (MBA) | 990 | $254,221 | $154,000 | $100,000 | $250,000
CA•IFA | 65 | $249,895 | $163,636 | $124,001 | $300,000
Certified Financial Planner or CFP | 305 | $241,450 | $180,000 | $122,000 | $300,000
Certified Management Consultant or CMC | 67 | $233,701 | $178,370 | $130,000 | $300,000
A Doctorate degree | 52 | $233,539 | $158,440 | $118,000 | $210,000
LLB/Lawyer | 42 | $207,843 | $180,750 | $125,373 | $266,000
Chartered Accountant or CA (from a country other than Canada) | 413 | $207,358 | $148,000 | $100,000 | $216,000
Certified Public Accountant or CPA | 844 | $207,070 | $150,000 | $110,000 | $219,437
CA•IT | 78 | $206,893 | $152,936 | $120,000 | $231,000
Certified Management Accountant or CMA | 231 | $203,459 | $157,000 | $109,000 | $233,333
Other Masters Degree | 314 | $172,306 | $114,745 | $92,700 | $174,000
Pl. Fin. | 41 | $168,323 | $138,500 | $84,701 | $198,545
CISA or CA•CISA | 166 | $166,664 | $134,450 | $100,000 | $185,000
Diplôme de sciences administratives (D.S.A.) | 468 | $165,901 | $110,000 | $86,000 | $166,180
CIA or CA•CIA | 225 | $163,062 | $134,500 | $99,990 | $181,000
Master of Taxation and/or Accounting | 723 | $148,848 | $115,000 | $89,500 | $155,000
Certified General Accountant or CGA | 93 | $146,206 | $125,000 | $95,000 | $175,000
Diplôme d'études supérieures spécialisées (D.E.S.S.) | 687 | $102,438 | $85,500 | $65,832 | $111,750
Other | 1,028 | $215,717 | $149,071 | $100,000 | $246,950
Exhibit II – Comparisons with Previous Compensation Studies (from CA Profession Compensation Study)
Total compensation (includes owners and non-owners): Mean and Median for the 2005, 2007 and 2009 studies

Designation / degree | 2005 Mean | 2005 Median | 2007 Mean | 2007 Median | 2009 Mean | 2009 Median
Chartered Financial Analyst or CFA | $242,475 | $166,000 | $287,588 | $196,000 | $303,562 | $201,250
CIRP or CA•CIRP | $271,031 | $191,500 | $305,414 | $198,000 | $294,274 | $195,500
Engineer P.Eng. | $208,516 | $138,200 | $262,958 | $159,500 | $288,678 | $180,000
CBV or CA•CBV | $275,626 | $167,750 | $274,125 | $165,000 | $261,596 | $165,000
Master of Business Administration (MBA) | $226,885 | $142,000 | $240,424 | $154,000 | $254,221 | $154,000
CA•IFA | $222,537 | $161,251 | $336,607 | $175,950 | $249,895 | $163,636
Certified Financial Planner or CFP | $167,772 | $135,716 | $216,575 | $160,000 | $241,450 | $180,000
Certified Management Consultant or CMC | $267,654 | $178,125 | $228,172 | $180,000 | $233,701 | $178,370
A Doctorate degree | $153,110 | $117,075 | $271,506 | $148,750 | $233,539 | $158,440
LLB/Lawyer | $255,793 | $141,000 | $241,613 | $162,462 | $207,843 | $180,750
Chartered Accountant or CA (from a country other than Canada) | $209,207 | $138,000 | $226,512 | $145,000 | $207,358 | $148,000
Certified Public Accountant or CPA | $165,202 | $119,100 | $191,382 | $140,100 | $207,070 | $150,000
CA•IT | $193,091 | $130,000 | $183,866 | $135,000 | $206,893 | $152,936
Certified Management Accountant or CMA | $179,899 | $126,000 | $254,312 | $143,000 | $203,459 | $157,000
Other Masters Degree | $147,014 | $100,000 | $169,771 | $112,100 | $172,306 | $114,745
Pl. Fin. | $148,562 | $120,203 | $240,152 | $126,000 | $168,323 | $138,500
CISA or CA•CISA | $157,865 | $115,000 | $190,929 | $137,500 | $166,664 | $134,450
Diplôme de sciences administratives (D.S.A.) | $138,015 | $98,900 | $199,028 | $105,750 | $165,901 | $110,000
CIA or CA•CIA | $149,880 | $103,000 | $163,640 | $121,900 | $163,062 | $134,500
Master of Taxation and/or Accounting | $132,592 | $94,000 | $143,882 | $104,800 | $148,848 | $115,000
Certified General Accountant or CGA | $129,545 | $100,000 | $132,991 | $104,300 | $146,206 | $125,000
Diplôme d'études supérieures spécialisées (D.E.S.S.) | $86,004 | $65,000 | $94,620 | $76,500 | $102,438 | $85,500
Other | $179,370 | $122,414 | $223,012 | $140,000 | $215,717 | $149,071
Annotated Bibliography

Fields for each entry: # | Author | Title of Article | Periodical/website | Vol./No./Edition | Year published | Pages | Date accessed | Location, database, website, link | Annotation

1. Author: Afifi, Andrew
Title of Article: Becoming a CISSP
Periodical/website: CISSP.COM (The web portal for the certified information systems security professionals)
Vol./No./Edition: n/a
Year published: 2010
Pages: n/a
Date accessed: June 10, 2010
Location, database, website, link: http://www.cissp.com/
Annotation:
The International Information Systems Security Certification Consortium (ISC) was established in mid-1989 as an independent, nonprofit corporation with the sole charter to develop and administer a certification program for information security practitioners. Now the CISSP is firmly established in North America and quickly gaining international acceptance.

For the CISSP, compliance with the preambles and canons is mandatory.

Code of Ethics Preamble: Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behaviour. Therefore, strict adherence to this code is a condition of certification.

Code of Ethics Canons:
- Protect society, the commonwealth, and the infrastructure.
- Act honourably, honestly, justly, responsibly, and legally.
- Provide diligent and competent service to principals.
- Advance and protect the profession.

CISSP Examination Requirements
CISSP candidates must meet the following requirements prior to taking the CISSP examination:
- Submit the examination fee.
- Have a minimum of five years of direct full-time security professional work experience in two or more of the ten domains of the (ISC)² CISSP CBK. If you hold a certification on the (ISC)²-approved list (visit https://www.isc2.org/cgi-bin/content.cgi?page=1016 for a complete list), you may waive one year of the 5-year requirement. Alternatively, a 4-year college degree or a Master's Degree in U.S. National Center of Academic Excellence in Information Security (CAEIAE) or regional equivalent can substitute for one year towards the 5-year requirement. No more than 1 year of experience may be waived.
- Attest to the truth of his or her assertions regarding professional experience, and legally commit to abide by the (ISC)² Code of Ethics (Section 3), and
- Answer four questions regarding criminal history and related background.

The CISSP examination is available in English, Japanese, Korean, German, French, and Spanish. If you are not proficient in a language an (ISC)² examination is offered in, word-to-word language translation dictionaries are permitted for the English examination. The CISSP examination consists of 250 multiple choice questions with four choices each. The examination contains 25 questions which are included for research purposes only. The research questions are not identified; therefore, answer all questions to the best of your ability. Examination results will be based only on the scored questions on the examination. There are several versions of the examination. Each candidate has an equal opportunity to pass the examination, no matter which version is administered. The passing grade required is a scale score of 700 out of a possible 1000 points on the grading scale. Upon successfully completing the 6-hour long exam with no breaks allowed, you become an associate of (ISC). The Associate for CISSP designation is valid for a period of six years from the date the 'pass' email is issued. Then the Associate is given five years to obtain the required experience and submit the required endorsement form for certification as a CSSLP.

To maintain Associate status working toward CISSP and remain in 'good standing', you are required to:
- Pay the annual maintenance fee (AMF) of USD35 by the anniversary date of each year.
- Earn and submit a minimum of 20 Continuing Professional Education credits (CPEs) during each year while an Associate of (ISC).
Failure to comply with this policy will result in termination of the Associate status. CPEs earned as an Associate of (ISC)² working toward CISSP will not be applied to CISSP certification. CPEs are strictly for professional development while gaining necessary experience to become certified.

CISSP Certification Requirements
To be issued a certificate, a candidate must:
- Pass the CISSP exam with a scaled score of 700 points or greater.
- Submit a properly completed and executed Endorsement Form.
- Provide a recent resume with submission with endorsement.
- Successfully pass an audit of their assertions regarding professional experience, if the candidate is selected for audit.

To maintain the CISSP certification and remain in "good standing" with (ISC)², you are required to:
- Pay the annual maintenance fee (AMF) of USD85 at the end of each certification year.
- Earn and submit a total of 120 CPEs by the end of the three-year certification cycle. A minimum of 20 CPEs must be posted during each year of the three-year certification cycle before the annual anniversary date.
Failure to comply with this policy will result in suspension of the certification.
2. Author: ISACA
Title of Article: Certified Information Systems Auditor (CISA)
Periodical/website: ISACA
Vol./No./Edition: n/a
Year published: 2010
Pages: n/a
Date accessed: June 10, 2010
Location, database, website, link: http://www.isaca.org/Certification/CISA-Certified-Information-Systems-Auditor/Pages/default.aspx
Annotation:
"Since 1978, the CISA program has been the globally accepted standard of achievement among information systems (IS) audit, control and security professionals." More than 75,000 professionals in nearly 160 countries have earned the Certified Information Systems Auditor (CISA) certification since its inception in 1978.
The CISA designation was created for professionals with work experience in information systems auditing, control or security that include:
- Information Systems (IS) audit process
- IT Governance
- Systems and Infrastructure Lifecycle Management
- IT Service Delivery and Support
- Protection of Information Assets
- Business Continuity and Disaster Recovery
Recent independent studies consistently rank CISA as one of the highest paying and sought after IT certifications. ISACA's certifications have been recognized by government entities, major industry publications, standard bodies and major consulting groups. "In 2009, the Financial Entities General Superintendence in Costa Rica (SUGEF) issued a new Regulation on Information Technology (SUGEF 14-09) for the institutions under its supervision. Financial institutions must comply, within two years, with a minimum maturity level of 3 on 17 of the 34 COBIT processes and must have an annual assessment of its IT management framework with an external auditor. This external auditor must be a CISA." The 2010 Information Career Trends Survey, conducted by the Information Security Media Group, found CISA to be one of the three most sought-after certifications.

The CISA designation is awarded to individuals with an interest in Information Systems auditing, control and security who meet the following requirements:

1. Successful completion of the CISA Examination
The examination is open to all individuals who have an interest in information systems audit, control and security. All are encouraged to work toward and take the examination. Successful examination candidates will be sent all information required to apply for certification with their notification of a passing score. For a more detailed description of the exam see CISA Certification Job Practice. Also, CISA Exam Preparation resources are available through the association and many chapters host CISA Exam Review Courses (contact your local chapter). The CISA examination is offered twice a year, in June and December.

Exam Registration Fees | Early registration received on or before 18 August | Final registrations received by 6 October
Member | US $415 | US $465
Non-Member | US $545 | US $595
2. Experience as an Information Systems Auditor A minimum of five years of professional information systems auditing, control or security work experience (as described in the CISA job practice areas) is required for certification. Substitutions and waivers of such experience may be obtained as follows:
- A maximum of one year of information systems experience OR one year of financial or operational auditing experience can be substituted for one year of information systems auditing, control or security experience.
- 60 to 120 completed college semester credit hours (the equivalent of an Associate or Bachelor degree) can be substituted for one or two years, respectively, of information systems auditing, control or security experience.
- A bachelor's or master's degree from a university that enforces the ISACA sponsored Model Curricula can be substituted for one year of information systems auditing, control, assurance or security experience. To view a list of these schools, please visit www.isaca.org/modeluniversities. This option cannot be used if three years of experience substitution and educational waiver have already been claimed.
- Two years as a full-time university instructor in a related field (e.g., computer science, accounting, information systems auditing) can be substituted for one year of information systems auditing, control or security experience.
Experience must have been gained within the 10-year period preceding the application date for certification or within five years from the date of initially passing the examination. Retaking and passing the examination will be required if the application for certification is not submitted within five years from the passing date of the examination. All experience must be verified independently with employers.
3. Adherence to the Code of Professional Ethics
Members of ISACA and/or holders of the CISA designation agree to a Code of Professional Ethics to guide professional and personal conduct.
4. Adherence to the Continuing Professional Education (CPE) Program
The objectives of the continuing education program are to:
- Maintain an individual's competency by requiring the update of existing knowledge and skills in the areas of information systems auditing, control or security.
- Provide a means to differentiate between qualified CISAs and those who have not met the requirements for continuation of their certification.
- Provide a mechanism for monitoring information systems audit, control and security professionals' maintenance of their competency.
- Aid top management in developing sound information systems audit, control and security functions by providing criteria for personnel selection and development.
Maintenance fees and a minimum of 20 contact hours of CPE are required annually. In addition, a minimum of 120 contact hours is required during a fixed 3-year period. Upon completing the requirements for initial certification, the CISA will be provided with the CPE policy booklet for detailed criteria to be used in developing a personal CPE program.
5. Compliance with the Information Systems Auditing Standards
Individuals holding the CISA designation agree to adhere to the Information Systems Auditing Standards as adopted by ISACA.

Maintaining the CISA
The CISA CPE policy requires the attainment of CPE hours over an annual and three-year certification period. CISAs must comply with the following requirements to retain certification:
- Attain and report an annual minimum of twenty (20) CPE hours. These hours must be appropriate to the currency or advancement of the CISA's knowledge or ability to perform CISA-related tasks. The use of these hours towards meeting the CPE requirements for multiple ISACA certifications is permissible when the professional activity is applicable to satisfying the job-related knowledge of each certification.
- Submit annual CPE maintenance fees to ISACA international headquarters in full.
- Attain and report a minimum of one hundred and twenty (120) CPE hours for a three-year reporting period.
- Respond and submit required documentation of CPE activities if selected for the annual audit.
- Comply with ISACA's Code of Professional Ethics.
Failure to comply with these certification requirements will result in the revocation of an individual's CISA designation.
3. Author: ISACA
Title of Article: Certified Information Security Manager (CISM)
Periodical/website: ISACA
Vol./No./Edition: n/a
Year published: 2010
Pages: n/a
Date accessed: June 10, 2010
Location, database, website, link: http://www.isaca.org/Certification/CISM-Certified-Information-Security-Manager/Pages/default.aspx
Annotation:
The Certified Information Security Manager (CISM) certification is a unique management-focused certification that has been earned by more than 13,000 professionals since its introduction in 2003. Unlike other security certifications, CISM is for the individual who manages, designs, oversees and assesses an enterprise's information security. CISM certification is for individuals who design, build and manage enterprise information security and who have experience in the following areas:
- Information Security Governance
- Information Risk Management
- Information Security Program Development
- Information Security Program Management
- Incident Management and Response
Recent independent studies consistently rank CISM as one of the top two highest paying and sought after IT certifications. The CISM designation is awarded to individuals with an interest in security management who meet the following requirements:

1. Successfully Pass the CISM Exam
Score a passing grade on the CISM exam. A passing score on the CISM examination, without completing the required work experience as outlined below, will only be valid for five years. If the applicant does not meet the CISM certification requirements within the five year period, the passing score will be voided.

Exam Registration Fees | Early registration received on or before 18 August | Final registrations received by 6 October
Member | US $415 | US $465
Non-Member | US $545 | US $595
2. The Code of Professional Ethics Members of ISACA and/or holders of the CISM designation agree to a Code of Professional Ethics to guide professional and personal conduct.
3. Continuing Education Policy The objectives of the continuing education program are to:
- Maintain an individual's competency by requiring the update of existing knowledge and skills in the areas of information systems auditing, management, accounting and business areas related to specific industries (e.g., finance, insurance, business law, etc.).
- Provide a means to differentiate between qualified CISMs and those who have not met the requirements for continuation of their certification.
- Provide a mechanism for monitoring information systems audit, control and security professionals' maintenance of their competency.
- Aid top management in developing sound information systems audit, control and security functions by providing criteria for personnel selection and development.

Maintenance fees and a minimum of 20 contact hours of CPE are required annually. In addition, a minimum of 120 contact hours is required during a fixed 3-year period. Upon completing the requirements for initial certification, the CISM will be provided with the CPE policy booklet for detailed criteria to be used in developing a personal CPE program.
4. Work Experience
Submit verified evidence of a minimum of five years of information security work experience, with a minimum of three years of information security management work experience in three or more of the job practice analysis areas. The work experience must be gained within the ten-year period preceding the application date for certification or within five years from the date of originally passing the exam.

Experience Substitutions
The following security-related certifications and information systems management experience can be used to satisfy the indicated amount of information security work experience.

Two Years:
- Certified Information Systems Auditor (CISA) in good standing
- Certified Information Systems Security Professional (CISSP) in good standing
- Post-graduate degree in information security or a related field (e.g., business administration, information systems, information assurance)

One Year:
- One full year of information systems management experience
- One full year of general security management experience
- Skill-based security certifications (e.g., SANS Global Information Assurance Certification (GIAC), Microsoft Certified Systems Engineer (MCSE), CompTIA Security+, Disaster Recovery Institute Certified Business Continuity Professional (CBCP), ESL IT Security Manager)
- Completion of an information security management program at an institution aligned with the Model Curriculum

The experience substitutions will not satisfy any portion of the three-year information security management work experience requirement. Exception: Two years as a full-time university instructor teaching the management of information security can be substituted for every one year of information security experience.
5. Submit an Application for CISM Certification
Once a CISM candidate has passed the CISM certification exam and has met the work experience requirements, the final step is to complete the CISM Application for Certification.

Maintaining your CISM
The CISM CPE policy requires the attainment of CPE hours over an annual and three-year certification period. CISMs must comply with the following requirements to retain certification:
- Attain and report an annual minimum of twenty (20) CPE hours. These hours must be appropriate to the currency or advancement of the CISM's knowledge or ability to perform CISM-related tasks. The use of these hours towards meeting the CPE requirements for multiple ISACA certifications is permissible when the professional activity is applicable to satisfying the job-related knowledge of each certification.
- Submit annual CPE maintenance fees to ISACA International Headquarters in full.
- Attain and report a minimum of one hundred and twenty (120) CPE hours for a three-year reporting period.
- Submit required documentation of CPE activities if selected for the annual audit.
- Comply with ISACA's Code of Professional Ethics.
Failure to comply with these certification requirements will result in the revocation of an individual's CISM designation.
4. Author: ISACA
Title of Article: Certified in the Governance of Enterprise IT (CGEIT)
Periodical/website: ISACA
Vol./No./Edition: n/a
Year published: 2010
Pages: n/a
Date accessed: June 10, 2010
Location, database, website, link: http://www.isaca.org/Certification/CGEIT-Certified-in-the-Governance-of-Enterprise-IT/Pages/default.aspx
Annotation:
Introduced in 2007, the CGEIT designation is designed for professionals who manage, provide advisory and/or assurance services, and/or who otherwise support the governance of an enterprise's IT and wish to be recognized for their IT governance-related experience and knowledge. CGEIT is based on ISACA's and the IT Governance Institute's (ITGI's) intellectual property and the input of subject matter experts around the world.
Requirements for CGEIT Certification The CGEIT is designed for professionals who have management, advisory, and/or assurance responsibilities relating to the governance of IT. To earn the CGEIT credential, an individual must:
1. Pass the CGEIT exam - The CGEIT exam is offered annually during the months of June and December.
2. Adhere to the ISACA Code of Professional Ethics.
3. Agree to comply with the CGEIT Continuing Education Policy.
4. Provide evidence of appropriate IT governance work experience as defined by the CGEIT Job Practice.
Exam Registration Fees | Early registration received on or before 18 August | Final registrations received by 6 October
Member | US $415 | US $465
Non-Member | US $545 | US $595
IT Governance Experience Five (5) or more years of experience managing, serving in an advisory or oversight role, and/or otherwise supporting the governance of the IT-related contribution to an enterprise is required to apply for certification. This experience is defined specifically by the domains and task statements described in the CGEIT Job Practice. A minimum of 1 year of experience relating to the development and/or maintenance of an IT governance framework is required. Additional broad experience directly related to any two or more of the remaining CGEIT domains is required. The type and extent of experience accepted is described in CGEIT domains 2 through 6. These domains are:
- Strategic Alignment
- Value Delivery
- Risk Management
- Resource Management
- Performance Measurement
Individuals can take the CGEIT exam prior to earning the above work experience.

Maintaining your CGEIT
The CGEIT CPE policy requires the attainment of CPE hours over an annual and three-year certification period. CGEITs must comply with the following requirements to retain certification:
- Attain and report an annual minimum of twenty (20) CPE hours. These hours must be appropriate to the currency or advancement of the CGEIT's knowledge or ability to perform IT governance-related tasks. The use of these hours towards meeting the CPE requirements for multiple ISACA certifications is permissible when the professional activity is applicable to satisfying the job-related knowledge of each certification.
- Submit annual CPE maintenance fees to ISACA international headquarters in full.
- Attain and report a minimum of one hundred and twenty (120) CPE hours for a three-year reporting period.
- Respond and submit required documentation of CPE activities if selected for the annual audit.
- Comply with ISACA's Code of Professional Ethics.
Failure to comply with these certification requirements will result in the revocation of an individual's CGEIT designation.
5. Author: ISACA
Title of Article: Certified in Risk and Information Systems Control (CRISC)
Periodical/website: ISACA
Vol./No./Edition: n/a
Year published: 2010
Pages: n/a
Date accessed: June 10, 2010
Location, database, website, link: http://www.isaca.org/Certification/CRISC-Certified-in-Risk-and-Information-Systems-Control/Pages/default.aspx
Annotation:
Introduced in 2010, the Certified in Risk and Information Systems Control certification (CRISC), pronounced "see-risk," is intended to recognize a wide range of IT and business professionals for their knowledge of enterprise risk and their ability to design, implement, monitor and maintain information system (IS) controls to mitigate such risk. The CRISC designation not only certifies professionals who have knowledge and experience identifying and evaluating entity-specific risk, but also aids them in helping enterprises accomplish business objectives. CRISC is based on independent market research and input from thousands of subject matter experts from around the world as well as ISACA's intellectual property including Risk IT and COBIT 4.1. CRISC is for IT and business professionals who are engaged at an operational level to mitigate risk and who have job experience in the following areas:
- Risk identification, assessment and evaluation
- Risk response
- Risk monitoring
- IS control design and implementation
- IS control monitoring and maintenance

6. Author: GIAC
Title of Article: GIAC Information Security Certification
Periodical/website: GIAC (Global Information Assurance Certification)
Vol./No./Edition: n/a
Year published: 2010
Pages: n/a
Date accessed: June 10, 2010
Location, database, website, link: http://www.giac.org/overview/
Annotation:
GIAC (Global Information Assurance Certification) was founded in 1999 to validate the skills of information security professionals. The purpose of GIAC is to provide assurance that a certified individual has the knowledge and skills necessary for a practitioner in key areas of computer, information and software security. GIAC certifications are trusted by thousands of companies and government agencies, including the United States National Security Agency (NSA). GIAC certifications address a range of skill sets including entry-level information security and broad-based security essentials, as well as advanced subject areas like:
- Audit
- Intrusion detection
- Incident handling
- Firewalls and perimeter protection
- Forensics
- Hacker techniques
- Windows and Unix operating system security
- Secure software and application coding

GIAC certifications are unique because they measure specific skills and knowledge areas rather than general infosec knowledge. Although there are other entry-level certifications available, GIAC offers the only certifications that cover advanced technical subject areas. GIAC certifications are valid for four years. Students must review new course information and retake the exams every four years in order to remain certified. Different education and certification tracks are available for security, audit, management, operations, legal departments, and software security.

Program Growth
GIAC was the first true technical infosec certification. The first GIAC professionals were certified in February of 2000, and just under 1,000 candidates were certified in our first year alone. As of March, 2002, we had certified over 3,000 individuals and currently to date, 31,013 GIAC certifications have been issued. There are no prerequisites required to begin any of the GIAC certification attempts, however we highly recommend taking a training course before your test. Even experienced infosec professionals will benefit from a review of various subject areas before the exam. Certification attempts have a 4 month access window, giving candidates adequate time to prepare for the certification exam.
7. Author: GIAC
Title of Article: GIAC Systems and Network Auditor
Periodical/website: GIAC (Global Information Assurance Certification)
Vol./No./Edition: n/a
Year published: 2010
Pages: n/a
Date accessed: June 11, 2010
Location, database, website, link: http://www.giac.org/certifications/audit/
Annotation:
GIAC Systems and Network Auditor (GSNA) – Level 5
Type: Certification
Course: *No specific training is required for any GIAC certification. If candidates need help in mastering the objectives for this certification, there are many sources of information available. Practical experience is one option; there are also numerous books on the market covering Computer Information Security. Another option is SANS training, or any relevant courses from other training providers.
Target: Technical staff responsible for securing and auditing information systems; auditors who wish to demonstrate technical knowledge of the systems they are responsible for auditing. GIAC Systems and Network Auditors (GSNAs) have the knowledge, skills and abilities to apply basic risk analysis techniques and to conduct a technical audit of essential information systems.
Requirements: 1 proctored exam - 150 questions - 4-hour time limit - 70% (105 of 150 questions) minimum passing score
Renewal: Every 4 years
Delivery: Exams are delivered online through a standard web browser. For exams purchased with SANS training, access to the exam will be available 7-10 days following the end of the conference. Standalone challenge exams are issued within 24 hours upon receipt of payment. You will receive an email from GIAC when your exam has been issued to your portal account. You have 120 days to complete the exam from the time we send notice that it is available. The exams are proctored and should be scheduled using our proctored exam procedure.
8. McGlasson, Linda. Top Certifications for Industry Pros. Bank Information Security Articles, 2008. Accessed June 11, 2010. http://www.bankinfosecurity.com/articles.php?art_id=1113

Annotation: GIAC - The Global Information Assurance Certification isn't a "silver bullet" certification (there is not one) but GIAC's program is a respected series of certifications that demonstrate the knowledge and skills needed for success in areas within security administration, management, operations, legal, audit and software security. CISM - Certified Information Security Manager or CGEIT, Certified in the Governance of Enterprise IT, both from ISACA, are valued because they provide hiring organizations the assurance that the candidate has both the knowledge and experience to be successful. CISA - Certified Information Systems Auditor - is another ISACA certification that is beginning to carry some weight again as GRC (governance risk compliance) begins to heat up. CISSP - Certified Information Systems Security Professional is generally the most recognized internationally and is still coveted by information security professionals. Recruiters in the financial services industry are just beginning to see companies require certifications for positions. By holding this certification, one shows a dedication to the profession, which by anyone's measure is a good thing.
9. SC Magazine. Best professional certification. SC Magazine for IT Security Professionals, 2009. Accessed June 11, 2010. http://www.scmagazineus.com/best-professional-certification/article/130888/

Annotation:
Winner: ISACA for Certified Information Systems Auditor (CISA)
Finalists 2009:
(ISC)2
GIAC – Global Information Assurance Certification for GIAC – The Global Information Assurance Certification program
ISACA for Certified Information Systems Auditor (CISA)
ISACA for Certified Information Security Manager (CISM)
Symantec Corporation for Symantec Certification Program
The CISA certification has been earned by more than 60,000 professionals since inception and is for the IS audit, control, assurance and/or security professionals who wish to set themselves apart from their peers. Since 1978, the CISA certification has been renowned as the globally recognized achievement for those who control, monitor and assess an organization's information technology and business systems. The technical skills and practices that CISA promotes and evaluates are the building blocks of success in the field. Possessing the CISA designation demonstrates proficiency and is the basis for measurement in the profession. With a growing demand for pros possessing IS audit, control and security skills, CISA has become a preferred certification program by individuals and organizations around the world. CISA certification signifies commitment to serving an organization and the IS audit, control and security industry with distinction.
10. Vijayan, Jaikumar. Salary premiums for security certifications increasing, study shows. Computer World, 2007. Accessed June 11, 2010. http://www.computerworld.com/s/article/9026624/Salary_premiums_for_security_certifications_increasing_study_shows?intsrc=news_ts_head

Annotation: A report released last week by New Canaan, Conn.-based Foote Partners LLC shows that formally certified security professionals on average are still commanding about 10% to 15% higher salaries than noncertified individuals in comparable roles. The numbers were marginally higher than the premiums offered for certified security professionals six months ago. Among the certification programs commanding the highest premiums were Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM). "The trend is not being driven by compliance and regulations. It is being driven by people saying customers are demanding more security. Also pushing up the premiums for security certification is a new Department of Defense directive which requires over 100,000 security professionals in certain specific job roles to be certified within a five year period."
11. Lainhart, John, CISA, CISM, CGEIT. Certification Proves Its Worth to IT Security Professionals and Employers. GoCertify, 2008. Accessed June 11, 2010. http://www.gocertify.com/article/ISACA-Certifications1.shtml

Annotation: According to Certification Magazine's 2007 Salary Survey, two of the five top paying certifications are ISACA's Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM). The CISM came in second with an annual average salary of $115,720, while the CISA scored fifth place with an average salary of $98,740. Clearly, as employers continue to realize the importance of information security and governance, they are relying on certifications to identify prospective employees with experience and expertise. The IT Governance Global Status Report-2008 from the IT Governance Institute (ITGI) found that more than 93 percent of global CEOs, CIOs and other senior executives surveyed recognize that information technology is vital for delivering the organization's strategy. IT has become so critical to the business, according to the report, that 70 percent of the survey's respondents regularly or always have IT on their organization's board agenda. ISACA, a nonprofit association of more than 65,000 IT governance professionals worldwide, has a long history in the IT certification space. In 1978, ISACA established the CISA designation, which has been earned by more than 55,000 professionals since inception. ISACA's CISM certification was introduced in 2002, and it has since been earned by more than 7,000 professionals. Both designations are accredited by the American National Standards Institute (ANSI). The association's most recent certification, introduced in August 2007, is the Certified in the Governance of Enterprise IT (CGEIT) credential. Many enterprises recognize ISACA's CISA credential as the standard for information systems auditors. Its demand continues to grow as organizations increasingly expect their IS auditors to hold the certification: nearly 14,400 candidates registered for the June 2007 CISA exam, a 19 percent increase from the June 2006 exam. Overall, more than 25,000 candidates took the CISA exam in 2007. One employer that recognizes CISA is the US Department of Defense, which named CISA an approved credential for DoD level 3 information assurance professionals.
12. Kaneshige, Tom. 5 hot IT certifications in a frigid job market. IT World Canada, 2008. Accessed June 11, 2010. http://www.itworldcanada.com/news/5-hot-it-certifications-in-a-frigid-job-market-/06087

Annotation: According to Foote Partners, security skills in demand include e-discovery, penetration testing, vulnerability assessment, security auditing, and ethical hacking. Banks also need anti-money-laundering pros who have prevention, detection, and investigation skills. "As opposed to wanting to move up in the company, a majority of my students this past three months want training so that they can get a [new] job if they get laid off." When faced with two comparable candidates, a hiring manager can be swayed by a certification. Spencer Lee often receives IT job reqs that mention a preference for a particular certification, and she's noticed something very telling: "The person who gets the job usually has the certification."
13. ISACA. CISA, CISM and CGEIT Certification Recognitions. ISACA, 2010. Accessed June 11, 2010. http://www.isaca.org/Certification/Pages/CISA-CISM-CGEIT-Certification-Recognition.aspx

Annotation:
CISA Recognitions
"In 2009, the Financial Entities General Superintendence in Costa Rica (SUGEF) issued a new Regulation on Information Technology (SUGEF 14-09) for the institutions under its supervision. Financial institutions must comply, within two years, with a minimum maturity level of 3 on 17 of the 34 COBIT processes and must have an annual assessment of its IT management framework with an external auditor. This external auditor must be a CISA." The 2010 Information Career Trends Survey, conducted by the Information Security Media Group, found CISA to be one of the three most sought-after certifications. In a January 2010 study by Mile High Research, ISACA's CISA and CISM certifications made the top 10 in-demand IT certifications for new jobs posted over the last 14 days. The job descriptions specified one or more certifications as minimum or preferred credentials for the job posting. ISACA and other organizations whose credentials made the top 10 "obviously make a connection between their certifications and employers – that connection is value," said Denny Schall, CLO of Mile High Research. The CISA certification program was awarded the "Best Professional Development Grand Award" and the "Best Professional Development (Scheme) Award" in the 'Hong Kong ICT Awards 2009' presentation ceremony. The Hong Kong ICT Awards were established in 2006 under a collaborative effort amongst the industry, the academia and the Government. The Securities Exchange Board of India requires biannual system audits of all mutual funds to be conducted by an independent auditor who is CISA/CISM-certified or equivalent.

CISM Recognitions
The 2010 Information Career Trends Survey, conducted by the Information Security Media Group, found CISM to be one of the three most sought-after certifications for security professionals. According to ISMG, CISM is one of the two certifications becoming "minimum standards in the profession." In a January 2010 study by Mile High Research, ISACA's CISA and CISM certifications made the top 10 in-demand IT certifications for new jobs posted over the last 14 days. The job descriptions specified one or more certifications as minimum or preferred credentials for the job posting. ISACA and other organizations whose credentials made the top 10 "obviously make a connection between their certifications and employers – that connection is value," said Denny Schall, CLO of Mile High Research. The Securities Exchange Board of India requires biannual system audits of all mutual funds to be conducted by an independent auditor who is CISA/CISM-certified or equivalent.
14. Lawton, Stephen. Security Certifications: What decides know-how? SC Magazine, 2010. Accessed June 11, 2010. http://www.scmagazineus.com/security-certifications-what-decides-know-how/article/167949/

Annotation: While a certification does not guarantee that an applicant is proficient in a given technology, many hiring managers today say that the certification does indicate that the applicant at least has some practical knowledge in their given field. "Professional certifications, such as the CISSP (Certified Information Systems Security Professional) and the CISA (Certified Information Systems Auditor), have been listed as requirements or strong preferences on security job descriptions for well over a decade now, so there is no excuse for not making the effort if you are serious about this profession." "The certification is really a signaling mechanism more than a guarantee of ability. If someone has gone through the cost and effort to obtain and maintain a certification, that implies a degree of long-term interest and commitment to the field." For candidates without any certifications, particularly CISSP for security experts or Certified Information Systems Auditor (CISA) for auditing positions, the certificates are conspicuous by their absence. These generally show the greatest competency in their respective fields. CISA, in fact, is becoming almost as important as a CPA (Certified Public Accountant) for auditing positions. "Pay the cost, but be a careful consumer," Gossels says. "Stick with the premium brands, the credentials that command respect and whose value stays over time." Although the certification process is a veritable alphabet soup of acronyms and has nearly become a language unto itself, Gossels says it is time to sort out the scores of certifications into some kind of understandable progression. One approach he suggests is to organize titles based on the experience level required to obtain the credential. For example, Gossels puts such certificates as Security+, TruSecure ICSA Computer Security Associate and GIAC (Global Information Assurance Certification) Certified ISO-17799 Specialist as entry-level credentials, while CISA, CISSP, GIAC Systems and Network Auditor and Cisco Certified Security Professional would fall in the intermediate category. Advanced credentials include GIAC Security Expert, NSA (National Security Agency) INFOSEC Assessment Methodology, and Certified Protection Professional from the American Society for Industrial Security.
15. SC Magazine. Best professional certification program. SC Magazine, 2010. Accessed June 11, 2010. http://www.scmagazineus.com/best-professional-certification-program/article/164155/

Annotation:
Winner: (ISC)2 for CISSP
Finalists 2010:
GIAC - Global Information Assurance Certification for GIAC Security Essentials Certification (GSEC)
GIAC - Global Information Assurance Certification for GIAC Certified Forensics Analyst (GCFA)
Information System Audit and Control Association for Certified Information Security Manager (CISM)
(ISC)2 for CISSP
(ISC)2 for SSCP
Known as the gold standard of information security certifications, the Certified Information Systems Security Professional (CISSP) was the first certification accredited by the American National Standards Institute (ANSI) to International Standards Organization (ISO) Standard 17024:2003. The CISSP is not only an objective measure of excellence, but a globally recognized standard of achievement. One major point that sets the CISSP apart from other security certifications is the breadth of knowledge and experience necessary to pass the exam. A CISSP candidate cannot specialize in just one domain. They must know and understand the full spectrum of the (ISC)2 CBK to become certified.
16. Abdolmohammadi, Mohammad J. Factors associated with IT audits by the internal audit function. Department of Accountancy, Bentley University, 2009. Accessed June 11, 2010. http://accounting.uwaterloo.ca/uwcisa/symposiums/documents/Boss.pdf

Annotation: Evidence in the literature suggests that IT auditors with either a CPA or CISA designation will gain promotion over those without certification (Wier et al. 2000). Eighty-five percent of the posted jobs for IT auditors preferred or required professional certification, or they required actively working toward attaining certification (Merhout and Buchman, 2007). This evidence suggests that any relevant professional certification (e.g., CIA, CISA, CPA, or CMA) will be positively associated with IT audits. The results show that overall the proportion of IT audits performed in 2003 (i.e., three years before the 2006 survey) was 7.97 percent, and increased to 10.61 percent in 2006 (the year of survey) and was projected to increase further to 13.40 percent in 2009, a trend indicating an increase of approximately one percent per year regardless of country. While these numbers appear to be low, they nevertheless establish a benchmark for future comparison. Increases in IT audits by IAFs should decrease the dependence of organizations on their MIS departments or co-sourcing/outsourcing of the IT audit function to consultants. However, the results of the study imply that a significant increase in IT audits requires investment in recruiting, training, and CISA certification of new recruits because these variables are positively and significantly associated with IT audits. The findings of the study also show that while only 26 percent of IAF professionals have CISA certification, 43 percent possess CIA, 54 percent possess CPA, and 23 percent possess CMA certifications. Since the study finds the CISA certification to be positively and significantly associated with IT audits, it would be reasonable to conclude that an increase in the number of professionals with CISA certification within IAFs would also result in a corresponding increase in IT audits. The CIA and CMA certifications are not significantly associated with IT audits, and unexpectedly, the CPA certification is negatively associated with IT audits. This latter result may indicate that as experienced financial auditors, CPAs may not have IT audit knowledge to perform IT audits because usually this audit is delegated to IT audit specialists.
17. Arroyo, Marisol. Accreditation Agreement with ISACA. CICA, 2010. Accessed July 11, 2010. http://www.cica.ca/career-development/ca-specialization/information-systems-auditing/item1768.aspx

Annotation: The Canadian Institute of Chartered Accountants (CICA) is pleased to announce an accreditation agreement with ISACA®. The CICA has accredited the ISACA® as the only body whose Certified Information Systems Auditor designation (CISA) leads to recognition as a CA-designated specialist in information systems audit, control, and security. CAs who are also CISAs who wish to describe themselves as CA-designated specialists in information systems audit, control and security and use the symbol CA•CISA must register in the specialty register of their Provincial Institute(s). Registration is free. A member must file a declaration that he or she continues to devote a significant percentage of time to the specialty and continues professional development relevant to the specialty. (In Quebec, the legal environment currently prevents CAs from describing themselves as specialists and using the symbol CA•CISA.)

The CISA Program
Since 1978, the Certified Information Systems Auditor (CISA) program has been the globally accepted standard of achievement in the information systems audit, control and security field. Earning the CISA designation helps assure a positive reputation as a qualified IS audit, control and/or security professional, and because the CISA program certifies individuals who demonstrate proficiency in today's most sought-after skills, employers prefer to hire and retain those who achieve and maintain their designation. More than 60,000 individuals worldwide have earned the highly prized and respected CISA designation including over 2,400 in Canada.

Requirements for CAs
CAs seeking the CISA designation are required to:
1. pass ISACA®'s four-hour examination, held each year in June and December (for information on a special offer for CICA members, read the CISA Exam Information Bulletin);
2. provide evidence of two years experience in information systems auditing, control or security work if one year of financial statement or other audit, control or security related experience has been attained; and
3. abide by ISACA®'s Code of Ethics.

Objectives of the CICA-ISACA® Accreditation Agreement
The main objectives of the CICA-ISACA® agreement are:
1. to permit the CICA to recognize the ISACA® as an "Accredited Organization" and the only body whose CISA designation leads to recognition as a CA-designated specialist in information systems audit, control, and security;
2. to enhance the strategic relationship between the CICA and the ISACA® to lead to other cooperative activities in education, research and professional standards;
3. to encourage CAs who wish to become specialists in information systems audit and control to become members of the ISACA®;
4. to ensure that CAs and CISAs are informed on information systems audit and control issues internationally on a consistent basis; and
5. to encourage and facilitate coordination, consultation and cooperation with the CICA and with Alliances for Excellence and other appropriate organizations affiliated with the CICA.
ISACA®'s CISA program is the only globally recognized program for certifying information systems audit and control professionals.
18. Gilmore, Agatha. Certification Magazine's 2009 Salary Survey. Certification Magazine Editorial, Dec 2009, 8. Accessed July 12, 2010. http://www.certmag.com/read.php?in=3915

Annotation: Also indicating the power of certification was the number of respondents who added more than two certifications to their portfolios this year. This figure jumped from 11.4 percent of respondents in 2008 to more than 30 percent in 2009, while the total number of people who earned at least one cert this year was more than 67 percent. Tellingly, a full 96 percent of respondents from the top five countries with the highest salaries said they were certified. In the U.S., the top five highest-paying certs varied a bit this year from last year, although the general content areas stayed pretty much the same. The cert that commanded the highest salary this year was the Brocade Certified Network Engineer (BCNE, formerly FNCNE) with a whopping average total salary of $146,250. This bumped last year's top cert, the Brocade Certified Fabric Designer (BCFD or BCSD), which had an average salary of $120,770 last year, to No. 4 this year. Rounding out the top five highest-paying certs in 2009 were: (ISC)2 Information Systems Security Architecture Professional (CISSP-ISSAP) with $136,060; Brocade Certified SAN Manager (BCSM) with $136,020; Brocade Certified Fabric Designer (BCFD or BCSD) with $135,600; and the (ISC)2 Information Systems Security Management Professional (CISSP-ISSMP) with $134,100. As evidenced by these results, a general focus on network and security issues continues to be a growing trend — and lucrative career choice — within the IT industry.
19. Long, Paul. CA Profession Compensation Survey 2009 – Summary Report. CICA, 2009. Accessed July 12, 2010. http://cica.ems01.com/CA_Profession_Compensation_Survey_2009-En.pdf

Annotation: See Exhibits I and II.

20. Arroyo, Marisol. Information Technology. CICA, 2010. Accessed July 12, 2010. http://www.cica.ca/career-development/ca-specialization/information-technology/item1770.aspx

Annotation:
CA·IT
A CA•IT is a CA who brings a business-oriented approach to IT strategy and implementation, who applies business acumen, strategic insight and understanding of IT to help organizations succeed.

Experience Route Candidates
All CA•IT candidates must have:
1. Been working in one or more of the six major competency areas described in the IT Competency Map for at least the last eight years.
2. Spent a minimum of 5,000 hours in qualifying work experience and 200 hours in continuing professional development during the last five years.
3. Been a CA in good standing with their respective Provincial Institute/Ordre over the last eight years.

Fees
The application fee for the CA•IT Specialist designation is $500.00 (plus applicable taxes). Annual fees for CA•IT Specialists are $350.00 (plus a $50.00 Provincial Institute / Ordre registration fee, all subject to applicable taxes). Specialists are billed through their respective Provincial Institute / Ordre.