ISACA UPDATEPresented By: Brian O’Brien, CISA
Melissa Justice, CISA Jotham Nyamari
Board Members of the
Central Ohio ISACA Chapter
Central Ohio Chapter Goals
Educational ProgramsLocal Training OpportunitiesProfessional Networking
Central Ohio Happenings
Monthly luncheons on 2nd Thursday of month.• Board meets monthly (10 CPEs for chapter involvement).
Two (fall and spring) training seminars per year.• Oracle Database Auditing on October 28-29.
CISA / CISM Training Courses. Local Job Postings.
• Website / Newsletter ($35 per month).
Golf outing.• Just occurred in August.
Holiday Party / Beulah Park.• Scheduled for Saturday, November 1st.
Student Reduced Fees.
Central Ohio Chapter
Who’s Who?
International Update
Membership Benefits
PublicationKnowledgeCommunity of PeersDownloads Career Center
Membership K-NETCOBITVal ITITAF
Access to ISACA International’s website: http://www.isaca.org
Total ISACA membership worldwide: 77,093
Membership
K-NET
ISACA’s Knowledge Network Online database Peer reviewed More than 6,000 links Member access to 200+ topics
in 13 subject areas Fully searchable Personalized tracking
www.isaca.org/knet
COBIT
COBIT 4.1 COBIT Online COBIT Quickstart COBIT Foundation Course
www.isaca.org/cobit
COBIT Family of Products
COBIT
IT Assurance Guide: Using COBIT
IT Governance Implementation Guide: Using COBIT and Val IT, 2nd Edition
COBIT Security Baseline
www.isaca.org/downloads
COBIT Downloads
COBIT® Foundation Course
Case Studies Real-world Examples Overview of COBIT Control Objectives, Control
Practices, Management Guidelines, and Audit Guidelines
40 Sample Questions to Prepare for COBIT Foundation Exam
8 Hours; $499
COBIT® Foundation Course
Consists of 5 Modules: Responding to IT Challenges Introducing COBIT What COBIT Provides Applying COBIT in Practice Products and Support Available from ITGI
Val IT
Provides guidance to: Define relationships between IT and other
functions with governance responsibilities Manage an organization’s portfolio of IT
investments Maximize the quality of business cases for IT
investments
www.isaca.org/valit
ITAFTM: A Professional Practices Framework for IT Assurance Provides guidance on the design, conduct and reporting of IT audit
and assurance assignments Defines terms and concepts specific to IT assurance Establishes standards that address IT audit and assurance
professional roles and responsibilities, knowledge, skills and diligence, conduct, and reporting requirements
ITAF
www.isaca.org/downloads
Publications
Information Systems Control Journal Print and online versions www.isaca.org/journal
Journal Online Articles that supplement the journal Online only www.isaca.org/JOnline
Global Communiqué Member newsletter Online only www.isaca.org/gcomm
Knowledge
ISACA Bookstore Discounts Listservs Discussion Forums
Sarbanes-OxleyCOBIT IT Governance Information Security ManagementGeneral Topics
www.isaca.org/bookstore
Community of Peers
Why you should get involved: More than 170 chapters in 140 countries Leadership opportunities Networking Professional growth Positive impact on the local business community
www.isaca.org/chapters
The Local Level: Your Chapter
Community of Peers
www.isaca.org/leadership
Why you should get involved: Impressive global network of peer contacts Shared expertise and learning A personal role in the future of the association, as well as the IT assurance, security and governance professions.
The International Level: ISACA/ITGI
Downloads
Standards, Statements and Guidelines for IS audit and control
Audit Programs and Internal Control Questionnaires on more than 20 topics
IT Governance Institute research documents and presentations
Free ITGI research publication downloads including:COBIT Security BaselineSecuring the Network Perimeter
Career Centre
ISACA Members Can Search for Jobs by
• Geography
• Professional Certification
• Experience Level ISACA Members Can Store Resume or/and Post for
Employers Receive E-mail When New Jobs Post
Career Centre
Employers Can Post Jobs30 Day Listing for $29560 Day Listing for $395Posting is Immediate
Employers Can Search Resumes
http://jobs.isaca.org/
Comprehensive Student Program Reduction of student dues
$25New member fee waivedAll benefits delivered electronicallyMany chapters reduce or waive chapter dues for
students
Student area of the web siteStudent membership applicationEligibility and duesBenefits of membershipIT Audit Basics articles
Education Around the World
CISA, CISM, and CGEIT Certifications
CISA Certification Current Facts
Certified the 60,000th CISA earlier this year
More than 45,000 current CISAs
A 2007 survey of ISACA members who hold the CISA designation revealed:94% value their CISA certification72% agreed that CISA has advanced their career
Current CISAs by ISACA Geographical Area
Europe/Africa21%
Central/South America
4%
Asia/Mid-East25%
Oceania3%
North America48%
Current CISAs (more than 500) by Country
19,396 USA
2,369 Canada
2,291 India
2,205 Korea
1,794 Japan
1,719 UK
1,442 Hong Kong
573 Netherlands
1,044 Australia
898 Germany
883 Singapore
870 Spain
597 China
541 South Africa
Exam Registrations Past 12 Months
CISA Exam Registration
TOTALAsia 11,700C/S America 750 Europe/Africa 6,600 N. America 7,100 Oceania 300
CISAs in the Workplace
More than:9,000 serve as IT audit practitioners9,000 serve as IS/IT audit directors, managers, or hold senior
positions2,200 serve as chief audit executives (CAEs), audit partners or audit
heads
More than:11,000 hold managerial or consulting positions in IT operations or
compliance3,800 serve as CIOs, CISOs, security directors, security managers1,400 serve as the CEO or CFO of their organizations
Recent CISA Program Recognition
CIO Magazine, SC Magazine and Foote Partners research continually cite CISA as a credential that earns top pay compared with other credentials
Certification Magazine’s 2007 salary survey ranked CISA in the top five highest paying certifications
Salary for auditing certifications such as CISA continue to be boosted by compliance requirements and independent auditor control provisions
Recent Significant CISA Certification Board Actions
Moved to Item Response Theory (IRT) method of classifying and selecting exam items, beginning with the June 2008 exam (see next slide)
Reduced the administrative exam to 170 items (graded) with additional blocks of 30 new items (ungraded) used to gather performance statistics
Recent Significant CISA Certification Board Actions (continued)
Approved to discontinue any exam language that averages less than 100 candidates annually over any successive three-year period
Approved to allow a 1 year educational waiver for achievement of a Master’s degree in Information Systems or IT from an accredited university
Motion pending on approval of Polish as new CISA exam language
Item Response Theory (IRT) method
The IRT method of classifying exam items allows the CISA Certification Board to:
Accumulate better statistics on item performance
Score the exam more quickly Select items to produce a desired level of
difficulty Move to computer-based testing in the future
ANSI Accreditation
The American National Standards Institute (ANSI) has awarded accreditation under ISO/IEC 17024 to the CISA certification program in 2005.
Accreditation by ANSI signifies that ISACA’s procedures meet ANSI’s requirements for openness, balance, consensus and due process.
Reaccredited in 2006 and 2007. Currently being assessed for 2008.
CISA Preparation Related Education Activities Updated CISA Review instructor-led-training (ILT)
course provided to ISACA chapters Updated topics and notes Added a course training guide Added 100 question sample exam (sorted by domain and
scrambled) Introduced new CISA Online Review Course
Serves both for exam preparation and as continuing professional education
Chapter incentive program offered Converted sample questions on ISACA web site to
on-line CISA self-assessment
Item Writing Program
US$50 per accepted question Earn 1 CPE hour for each accepted question US$100 per accepted question offered when
questions are accepted in areas of need for the exam
Continuing Education
Did you know…Active participation on an ISACA and/or ITGI board, committee, task force or active participation as an officer of an ISACA chapter earns one continuing professional education hour for each hour of active participation. (10-hour annual limitation)
CISM Certification Facts
9,145 CISM Certifications have been awarded since 2003
Currently there are more than 8,000 active CISM members of ISACA
This year the total number of CISMs awarded will exceed 10,000
Who are the CISMs?
Most CISMs are consultants (37%) or work in financial services (19%).
As expected most CISMs are directors(32%) or managers (22%).
16% of CISMs have a “C” level title.
Where CISMs Work
CISMs primarily work in large organizations (34%) with 15,000 or more employees.
30% of CISMs manage organizations whose security staff is larger than 25 individuals. 61% work in organizations having a security staff larger than 5 individuals.
Years of Professional Experience
A large number of CISMs have more than 14 years of professional experience (63%). 84% report having 10 or more years of experience.
Geographic Representation
Member CISMs by ISACA Region
Asia
Central / South America
Europe / Africa
North America
Oceania
14.4%3.4%
24.7%
54.2%
3.3%
CISM Exam Registration by Region
Asia 527 556
CentralSouth America
152 124
EuropeAfrica
686 801
NorthAmerica
825 838
Oceania 64 65
1083
276
1487
1663
129
December 07 June 08 Total
Countries with more than 40 CISM Exam Takers (June 08)
•India•Singapore•United Arab Emirates
Central / South America
•Mexico
Europe / Africa
•Germany•Spain•Nigeria•United Kingdom
North America
•Canada•USA
Oceania
•Australia
Asia
CISM Languages June 08
This June the CISM Exam was offered in four
languages. For the first time it was available in
Korean.
EnglishSpanish
JapaneseKorean
90.7%6.0%3.0%0.3%
CISM in the News
IT professionals who obtained ISACA's information security managers certification (CISM) are in a better position to deal with the growing emphasis on business needs over technology, according to a recent survey of more than 1,400 CISMs in 83 countries. (CSO Magazine)
A report shows that formally certified security professionals on average are commanding about 10% to 15% higher salaries than noncertified individuals in comparable roles. Among the certification programs commanding the highest premiums were Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM). (Computerworld)
CISM was listed as the 2nd highest paid certification in Certification Magazine’s 2007 salary survey.
Recent Significant CISM Certification Board Actions
Approved to certify professors who pass the CISM Exam and who have a minimum of 6 years experience in security management research and teaching.
ANSI Accreditation
The American National Standards Institute (ANSI) has awarded accreditation under ISO/IEC 17024 to the Certified Information Security Manager (CISM) in 2005.
Accreditation by ANSI signifies that ISACA’s procedures meet ANSI’s essential requirements for openness, balance, consensus and due process.
Reaccredited in 2006 and 2007. Currently being assessed for 2008.
CISM Preparation Related Education Activities Updated CISM Review instructor-led-training (ILT)
course provided to ISACA chapters Updated topics and notes Added a course training guide Added 100 question sample exam (sorted by domain and
scrambled) Recruited more than 100 CISM subject matter experts
to participate in the development of the 2009 CISM Review Manual
Converted sample questions on ISACA web site to on-line CISM self-assessment
Modified the manner in which the CISM Questions, Answers and Explanations Manual and Supplement are developed to be more consistent with how the CISM Test Enhancement Committee develops questions
Recruited experienced CISM TEC members to participate in QAE development
CISM Preparation Related Education Activities
CGEIT Certification Current Facts
364 CGEITs as of 26 June 2008
All certified via the grandfathering provision
Grandfathering provision ends 31 October 2008
Until 31 October 2008, can apply for certification as a CGEIT without being required to pass the CGEIT examination. Requires: 1. Submit evidence of appropriate work experience 2. Agree to adhere to the ISACA Code of Professional Ethics 3. Agree to comply with the CGEIT Continuing Professional Education Policy
Work ExperienceIn order to qualify for the CGEIT certification under the grandfathering provision an
applicant must provide evidence of management, advisory or oversight experience associated with the governance of the IT-related contribution to an enterprise. Eight (8) years of such experience is required and is defined and described specifically by the CGEIT job practice domains and task statements. Specifically, an applicant must have: a minimum of one year experience related to the development and/or
maintenance of an IT governance framework (CGEIT domain one (1) see page V1) and;
additional broad experience directly related to any two or more of the remaining domains (CGEIT domains two (2) through six (6) see page V2)
Requirements to Become a CGEIT under the Grandfathering Provision
Advanced (post-graduate) degrees and certificates, up to three (3) of the eight years of required experience can be substituted as follows:
Two-Year Substitution—Other Management Experience: Up to two (2) years of experience may be substituted for other management experience gained that is not specific to IT governance (e.g. consulting, auditing, assurance or security management role that is unrelated to the CGEIT domains).
One-Year Substitution—Credentials, Advanced (post-graduate) Degrees and Certificates: One (1) year of experience may be substituted for each credential held (in good standing), advanced (post-graduate) degree or certificate program which includes an IT governance and/or management component or are specific to one or more of the CGEIT domains. These include:
Certified Information Systems Auditor (CISA) issued by ISACA Certified Information Security Manager (CISM) issued by ISACA Implementing IT Governance Using COBIT certificate issued by ISACA (available in 2008) ITIL Service Manager certification program Chartered Information Technology Professional (CITP) issued by the British Computer Society Certified Information Technology Professional (CITP) issued by the American Institute of CPAs Project Management Professional (PMP) issued by the Project Management Institute Information Systems Professional (I.S.P.) issued by the Canadian Information Processing Society Certified Internal Auditor (CIA) issued by the Institute of Internal Auditors Certified Business Manager (CBM) issued by The Association of Professionals in Business Management Advanced (post-graduate) degree from an accredited university in governance, information technology, information
management or business administration Prince2—Registered Practitioner certificate from the Office of Government Commerce
Applicants who have earned/acquired other credentials, advanced degrees and/or certificates that include a significant IT governance and/or information management component and are not listed above are welcome to submit them to the CGEIT Certification Board for consideration.
Requirements to Become a CGEIT under the Grandfathering Provision
Current CGEITs in the Workplace
14%
12%
9%
28%
16% 21%C-Suite
IT Dir/Man/Cons
IT AuditDir/Man/ConsSecDir/Man/ConsCompl/RiskDir/Man/ConsOther
CGEIT Job Roles
CONSTITUENT ROLES KEY RESPONSIBILITY
BUSINESS and IT MANAGEMENT Oversee the development & maintenance of the IT strategic plan and develop control frameworks.
PROJECT MANAGEMENT Controlling the delivery of IT programs/projects to the business
AUDIT & ASSURANCE RELATED POSITIONS
Monitor & review the enforcement of policy compliance, both internal and external.
SECURITY RELATED POSITIONS Oversee the development & maintenance of the information security strategy, plan and program
IS/IT RELATED POSITIONS Managing enterprise architecture including infrastructure and applications.
RISK MANAGEMENT Oversee the development & maintenance of the risk strategy, plan & program.
Current CGEITs by ISACA Geographical Area
Asia/Mid-East15% Cen/South
America5%
Europe/Africa21%
North America58%
Oceania1%
Current CGEITs (10 or more) by Country
188 USA
20 Canada
14 Japan
10 Belgium
10 UK
10 Spain
Current CGEITs – Other Demographics
41% of CGEITs come from the technology services/consulting field
23% of CGEITs work in the financial services industry
82% of CGEITs have an Advanced Education Degree44% have an Masters Degree5% are Ph.D’s
CGEIT Grandfather Applications and Process
740 applications received as of 26 June 2008Approval rate is 94%Approvals require review and approval of
CGEIT Certification Board membersTakes approximately 6-10 weeks to review
CGEIT Exam
Exam will be 120 multiple choice questions. Many questions will be scenario based.
Exam question emphasis based on CGEIT “job practice” survey”
Four hours provided to complete
Offered at the same time and same test locations as CISA and CISM
CGEIT Exam Domain Percentages
15%
13%
12%
20%
15%
25% IT Gov Framework
StrategicAlignmentValue Delivery
Risk Management
ResourceManagementPerformanceMeasurement
CGEIT Preparation Materials
Initially there will not be a CGEIT Review Manual or sample questions for exam preparation.
Reference list of key publications and periodicals is available at www.isaca.org/cgeitreferences
References divided into primary and other Primary references (should be used for study)
• publications that address the CGEIT domains and the use of an IT governance framework
Other references (can be used for study)• Often address an aspect or approach to IT governance
Trivia
ISACA is recognized as a worldwide leader in what three areas?
ISACA is recognized as a worldwide leader in what areas?
IT GovernanceInformation Security
IT Assurance
What year was ISACA founded?
What year was ISACA founded?
1969
What was the original name of ISACA?
What was the original name of ISACA?
EDP Auditors Association
What is the new ISACA slogan listed on the new ISACA logo?
What is the new ISACA slogan listed on the new ISACA logo?
Serving IT Governance Professionals.
What year was the Central Ohio chapter founded?
What year was the Central Ohio chapter founded?
1978
What is the name of the technical journal ISACA publishes?
What is the name of the technical journal ISACA publishes?
Information Systems Control Journal
What is the new ISACA certification and what does the acronym stand for?
What is the new ISACA certification and what does the acronym stand for?
CGEIT
CERTIFIED IN THE GOVERNANCE OF ENTERPRISE IT
What is the name of the research foundation that is funded by ISACA?
What is the name of the research foundation that is funded by ISACA?
IT Governance Institute (ITGI)
What is the name of the membership newsletter distributed by ISACA?
What is the name of the membership newsletter distributed by ISACA?
Global Communiqué
How many members are currently on our chapter’s board? (Extra for first names.)
How many members are currently on our chapter’s board? (Extra for first names.)
11Brian MelissaMike B SchlaineChuck ChrisMatt RyanRich Mike KJoseph