Search

EMERGENCE OF AN IT AUDITOR

The rapid dissemination of Technology in almost every facet of our lives has not only made it easier but has also made us heavily dependent on Information systems. From bank transfers, mobile recharges to automation of manufacturing process, we rely on the efficiency, effectiveness and security of these Information systems to a very large extent. This increasing dependence has also resulted in the greater risk of data privacy, system shutdown and personal data loss, directly impacting the brand image and revenue of the companies and individuals. The most recent example can be considered of ‘Wannacry’ ransomware which struck across the globe in May 2017, affecting thousands of computers in 150 countries with a total impact of anticipated to be around 4 Billion USD. These attacks have forced the companies to beef up their defenses resulting in the manifold increase in demand for IT auditors An IT auditor is the person responsible for identifying the risk across the company networks, information systems and also developing and implementing strategies to mitigate the same. The primary objectives of an IT auditor is to perform assessment of the systems and processes  that secure company data, determining and mitigating risks to information assets of the company, ensuring that the processes are in compliance with relevant policies, standards and regulations. Required Qualifications Typically an IT auditor has a bachelor degree Computer Science or Accounting that provides technical knowledge to perform responsibilities. Additionally, the auditor should possess strong communication skills that will allow him/her to understand and translate the technical information into business language for higher management therefore supporting them in taking appropriate business decisions. Lastly, there are several certifications available (depending on the areas of specialization) that can help individuals secure employment. One of the most common and widely respected certification is the Certified Information Security Auditor or CISA that provides in-depth knowledge enabling one to effectively deal with challenges in this constantly evolving field of Information Security. The certification is managed by ISACA which is a global non-profit professional association that is focused on IT Governance. It is one of the toughest exams in the Information Security domain and is notorious for having a low pass-rate of 40-50%. So, what makes CISA such a tough nut to crack? Some of the reasons are: The questions asked in the exam are subjective and ambiguous in nature thereby making it difficult for the candidate to select the correct option. The difficulty level of sample questions provided by ISACA is not aligned to the high standard of questions asked in the actual examination Some of the important tips that you need to consider before starting the preparation for CISA exam are as follows: CISA Review Manual CISA Review Manual (CRM) provided by ISACA should be your Bible and one-stop guide for the preparation. This manual provides all the details related to the CISA exam as well as defines the roles and responsibilities of an Information Systems auditor. Explore E-learning Options There are many organizations that provide CISA certification training courses both online as well as classroom. It is highly recommended that you participate in a comprehensive training course that not only involves session learning but also allows you to interact with security professionals from across the globe. One of the world’s leading professional certification training provider is KnowledgeHut that offers CISA training with a blend of both classroom and online training sessions. Plan your Schedule Planning the schedule for preparation of CISA exam should be done well-in advance to avoid any last minute hassle. Schedule and plan should be prepared based on your professional background and level of experience. For example, if you are working professional with Extensive experience, 30-45 days of time should be enough, however if you an aspirant with no relevant experience, you may even need more than 180 days for preparation. Free Resources available on Internet There are several free resources available on ISACA that can be helpful for the aspirants. Some of them are: The ISACA Candidate Information Guide ISACA’s CISA self-assessment test Database of free-to-download whitepapers Additionally, there are many insightful articles on Knowledgehut that provide a lot of relevant and valuable information which you can take advantage of. Hope this information helped in your journey to become a successful IT Auditor. Please leave your comments below to share your feedbacks and success stories.

EMERGENCE OF AN IT AUDITOR

307
EMERGENCE OF AN IT AUDITOR

The rapid dissemination of Technology in almost every facet of our lives has not only made it easier but has also made us heavily dependent on Information systems. From bank transfers, mobile recharges to automation of manufacturing process, we rely on the efficiency, effectiveness and security of these Information systems to a very large extent. This increasing dependence has also resulted in the greater risk of data privacy, system shutdown and personal data loss, directly impacting the brand image and revenue of the companies and individuals. The most recent example can be considered of ‘Wannacry’ ransomware which struck across the globe in May 2017, affecting thousands of computers in 150 countries with a total impact of anticipated to be around 4 Billion USD. These attacks have forced the companies to beef up their defenses resulting in the manifold increase in demand for IT auditors

An IT auditor is the person responsible for identifying the risk across the company networks, information systems and also developing and implementing strategies to mitigate the same.

The primary objectives of an IT auditor is to perform assessment of the systems and processes  that secure company data, determining and mitigating risks to information assets of the company, ensuring that the processes are in compliance with relevant policies, standards and regulations.

Required Qualifications

Typically an IT auditor has a bachelor degree Computer Science or Accounting that provides technical knowledge to perform responsibilities. Additionally, the auditor should possess strong communication skills that will allow him/her to understand and translate the technical information into business language for higher management therefore supporting them in taking appropriate business decisions.

Lastly, there are several certifications available (depending on the areas of specialization) that can help individuals secure employment. One of the most common and widely respected certification is the Certified Information Security Auditor or CISA that provides in-depth knowledge enabling one to effectively deal with challenges in this constantly evolving field of Information Security. The certification is managed by ISACA which is a global non-profit professional association that is focused on IT Governance.

It is one of the toughest exams in the Information Security domain and is notorious for having a low pass-rate of 40-50%. So, what makes CISA such a tough nut to crack? Some of the reasons are:

  • The questions asked in the exam are subjective and ambiguous in nature thereby making it difficult for the candidate to select the correct option.
  • The difficulty level of sample questions provided by ISACA is not aligned to the high standard of questions asked in the actual examination

Some of the important tips that you need to consider before starting the preparation for CISA exam are as follows:

CISA Review Manual

CISA Review Manual (CRM) provided by ISACA should be your Bible and one-stop guide for the preparation. This manual provides all the details related to the CISA exam as well as defines the roles and responsibilities of an Information Systems auditor.

Explore E-learning Options

There are many organizations that provide CISA certification training courses both online as well as classroom. It is highly recommended that you participate in a comprehensive training course that not only involves session learning but also allows you to interact with security professionals from across the globe.

One of the world’s leading professional certification training provider is KnowledgeHut that offers CISA training with a blend of both classroom and online training sessions.

Plan your Schedule

Planning the schedule for preparation of CISA exam should be done well-in advance to avoid any last minute hassle. Schedule and plan should be prepared based on your professional background and level of experience. For example, if you are working professional with Extensive experience, 30-45 days of time should be enough, however if you an aspirant with no relevant experience, you may even need more than 180 days for preparation.

Free Resources available on Internet

There are several free resources available on ISACA that can be helpful for the aspirants. Some of them are:

  • The ISACA Candidate Information Guide
  • ISACA’s CISA self-assessment test
  • Database of free-to-download whitepapers

Additionally, there are many insightful articles on Knowledgehut that provide a lot of relevant and valuable information which you can take advantage of.

Hope this information helped in your journey to become a successful IT Auditor. Please leave your comments below to share your feedbacks and success stories.

Jai

Jai Sisodia

Blog Author

Jai is a customer-focused Risk professional, highly experienced in value based Enterprise Risk Management and IT Audit. He has built a reputation for his strong ability to contribute to organisational development across a career spread over 3 years. His experience in the field of Enterprise Risk Management expands to multiple Fortune -500 clients spread across diverse verticals such as Healthcare, Consumer & Industrial Products, Telecommunication Marketing & Technology industries and multiple geographies including US, UK, Philippines, India and Canada. He is an MBA and BTech by qualification and also has professional certifications such CISA, ITIL V3 under his purview."

Join the Discussion

Your email address will not be published. Required fields are marked *

Suggested Blogs

The Importance Of PCI ; Data Security Standard (DSS)

As the world moves towards digital means of payments and transactions, there has also been concerns over the security and protection of cardholder information. According to the PCI Security Standards Council, more than 500 million card holder records with confidential information have been breached since 2005. Merchants, who accept digital forms of payments, are at the centre of digital payments, and can become a victim of financial fraud at multiple points, including: • The point-of-sale device or machine • Wireless hotspots • Connected computer or any other device • Transmission of the cardholder data to the service provider. Risk factors According to a business survey conducted by Forrester Consulting, a majority of businesses conduct activities increase the risk of card fraud, including storage of card number, expiration date, any verification code, and customer date. Introduction to Data Security Standard (DSS) The Payment Card Industry’s Data Security Standard (PCI-DSS) is a security standard mandatory for organizations that handle payments using cards, issued from major card types including MasterCard, Visa, and American Express. This PCI standard is mandatory for all card brands and is administered by the PCI Security Standards Council. The sole aim of the PCI standards is to protect cardholder data and to reduce card frauds. Objectives The objective of PCI-DSS course is the protection of cardholder data during storage, processing, and transmission. Cardholder account information includes the unique primary account number (PAN) printed in the front of every card. Merchants or any service provider, who process card payments, must never store sensitive information about the transaction after the authorization. This includes confidential data that is stored in the magnetic stripe of the card, along with any personal identification information entered by the cardholder. Requirements The PCI Data Security Standards specifies a list of 12 mandatory requirements, which are grouped under 6 control objectives, as listed below: 1) Build and maintenance of a high-security network, which includes: * Installation of a secure firewall to protect cardholder data. This restricts (or blocks) all traffic from untrusted networks, and prohibit direct public access between the Internet and the cardholder data environment. * Changing of the vendor-provided default password and other security measures. This is important as most card fraudsters are able to break into the cardholder’s internal network using the default passwords. 2) Protection of cardholder information, which includes: * Encryption of cardholder information that is transmitted over public networks. Encryption technology renders the transmitted data unreadable by any unauthorized person. Use of cryptography and security protocols such as SSL/TLS or IPSec can be used to safeguard customer data. * Protection of the stored cardholder data. Sensitive data on the magnetic chip of the card must not be stored. In case the PAN needs to be stored, it must be stored in an unreadable format. Limit the duration of storage of cardholder data. 3) Maintenance of a vulnerability management program, which includes: * Use and regular updates of anti-virus software programs on all systems. Harmful viruses can enter the user network through email and other online activities. Anti-virus software is an effective tool to protect computer systems from external attacks. * Development and maintenance of secure systems and applications. Security vulnerabilities in the system and applications can enable cyber criminals to access PAN and other secure data. Ensure that all the systems and application are updated with the latest security patch from the vendor. 4) Secure access control measures, which includes: * Restricting business access to cardholder information. Limit access to confidential cardholder data to only those users whose work requires this information. Additionally, restrict the access to the least amount of data required for business purpose. * Assigning of a unique ID to every person with computer access. This is important to be able to trace if the access to critical data has been executed by only authorized persons. 5). Restricting of the physical access to cardholder data. Physical access to cardholder data must be restricted to all onsite personnel, visitors, and all paper and electronic media. 6) Regular monitoring and testing of networks, which includes: * Tracking and monitoring of all access points to network resources and cardholder data. Use of logging mechanisms and tracking of user activities are included. * Regular testing of security procedures and processes. Periodic testing of security controls is important, along with internal and external network scans. 7) Maintaining of an information security policy, which includes: * Maintenance of a company policy that addresses information security. This includes establishing a security policy that addresses all the PCI-DSS requirements, along with an annual process to detect any vulnerability. These set of requirements is mandatory for companies that manufacture devices that accept and process PIN-based transactions or any other type of digital payments. Financial institutions, merchants, and service providers must ensure that they only use devices, approved for PTS (PIN transaction security).
The Importance Of PCI ; Data Security Standard (DS...

As the world moves towards digital means of paymen... Read More

Successful CEH Workshop for IBM Engineers at Pune!

A group of 21 IBMers have successfully cleared the Certified Ethical Hacking (CEH) V8 Training organized by KnowledgeHut under the banner of EC-Council, using the EC-Council courseware. CEH V8 is the most updated certification for Certified Ethical Hacking, offered by EC-Council, the US-based, globally recognized, member-supported professional organization offering certifications in various e-business and information security skills. Based out of Bangalore but operating across the globe in 70 countries and 200 Locations, KnowledgeHut – the popular training provider offering trainings in 40+ professional courses in domains that include Project Management, Risk Management, Finance and Security – has been offering CEH courses ever since it became an accredited training provider of EC‑Council in December 2013. When KnowledgeHut announced its workshop in Pune, IBM jumped to cash in on the opportunity to fortify the application knowledge of its team of senior software engineers. The training was provided by KnowledgeHut’s CEI Mr. Niranjan Reddy, a reputed Certified EC-Council instructor, who is also a past recipient of the ‘Instructor-Circle of Excellence’ South Asia Award from EC-Council. The five-day training was held in Pune on 16, 17, 23, 24, and 25 June 2014, and saw all the 21 IBMers pass out with a remarkable percentage ranging between 80 and 99.6%!  A feather in the cap for KnowledgeHut as well as EC-Council. The course content addressed security threats to the latest operating systems, mobile platforms, tablet computers, and counter measures to secure all these domains. Concepts were presented in an easily comprehensible manner, with simplified advanced technical courseware that covered vulnerability assessment, risk assessment, penetration testing and system protection. “The hands-ons were really good” quoted Arunay Kumar, a senior software engineer at IBM. He was seconded by Narayan Delvi, his colleague and software engineer who agreed that “The course content and practical hands-ons were the best part of the course.” Prem Prakash, yet another software engineer with IBM opined that “Even with 5 days, this seemed like a fast-track course! The structure needs to be changed to include more hours/day.”  In a nutshell, the feedback of the participants rated the training at a 9 on 10. Needless to say, IBM has already signed up another 15 member team for the next CEH Training Workshop organized by KnowledgeHut at Bangalore on 5, 6, 11, 12, and 13 July 2014.
Successful CEH Workshop for IBM Engineers at Pune!

A group of 21 IBMers have successfully cleared the... Read More

Learning Ethical Hacking Can Be A Disaster If You Neglect These 7 Rules

Attacking one’s own self defence systems to check for vulnerabilities was considered to be a major war strategy even 1500 years ago. Attacking one’s own systems to check for resilience against attacks may have helped many of our ancestors win wars by fortifying their weak spots. The trend continues to this day in the name of ‘ethical hacking’ where in vulnerabilities in cyber systems are sniffed out and systems are fortified against attacks. A new kind of battle is being waged upon us this day, not in the battlefield but in the digital world. Cybercrime is the fastest growing area of crime and nobody is safe. The internet has brought a lot of anonymity to its users and hackers and cyber criminals take advantage of this anonymity to perpetrate crime. Ethical hacking was created out of a need to proactively counter cyber threat, and improve defences to protect the interests of vulnerable parties. Ethical Hacking is big business today. Google, Facebook, Twitter and other big companies spend millions on ‘white hat hacking’ to sniff out vulnerabilities in their systems. Bug bounty programs, where hackers will be compensated for reporting vulnerabilities, will be a norm in the future. Organizations trust individuals who have been certified as Ethical Hackers as they are aware of the code of conduct to be followed during ethical hacking courses. But even the sincerest ethical hacker may stumble and get into situations that may harm the hacker or the organization. Even certified ethical hackers need to understand some rules before practising white hat hacking. • You are a white hat hacker but you still need permission before hacking into a user’s system: White hat hacking may be ethical but hacking into a user’s system without explicit permission from them will land you in trouble. In fact hacking, even for ethical purposes without explicit permission from the owners is a criminal offence in most countries. • Understand your client’s business and organizational set up: Before you start off on ethical hacking it is important that you understand your client organisation’s business and system. This will give you a background on the sensitivities of their network and how you need to handle any sensitive information that you might encounter. • Do not exceed limits imposed by the client: Even if your client has given you full access to their network, there might still be a limit to how much you can dig. Do not dig deeper than you have been told to as you might be breaching client trust. • Make sure you do your job properly so that you do not compromise the client’s defence systems: Your job is to sniff out holes and ensure that those holes are fixed to strengthen the IT security system. Give a detailed report of your findings and ensure that you do not overstep any limits or violate any laws or regulations.Plan out before you perform ethical hacking tests as time and patience are of utmost importance for sensitive results. • Be transparent with your clients: Open communication with your client will not only help your client but also you, by increasing your trustworthiness. You must disclose all discoveries that you have made to your client so that they can take necessary precautions to safeguard their systems. Your client should be aware of what’s going on at all times. • Be confidential and ethical: You should maintain confidentiality during and even after the job is done. You are an ethical hacker and work ethics come topmost for you and this includes client confidentiality. Disclosing secrets of your clients to third parties will defeat the very purpose of ethical hacking. Uphold the values and goals of the company and respect their privacy. • Cover your tracks: You have penetrated the systems and you have suggested detailed clean-ups. But as you exit, you must ensure that you do not leave any footprints and thus protect the system from future attacks. Ethical hacking is a sensitive and sometimes dangerous job. But every ethical hacker must follow the commandments of ethical hacking as there is a very thin line between black hat and white hat hacking. Stay focused and true to yourself and you will be successful
21679
Learning Ethical Hacking Can Be A Disaster If You ...

Attacking one’s own self defence systems to chec... Read More

Useful links