ISACA 2005 Model Curriculum for IT Audit Education: A Measure of Excellence



1
ISACA 2005 Model Curriculum for IT Audit
Education: A Measure of Excellence
  • Fred Gallegos, CISA, CDE, CGFM
  • CIS Faculty, MSBA - IS Audit Advisor
  • California State Polytechnic University, Pomona
    CA (A Center of Academic Excellence in
    Information Assurance Education 2005 by DHS/NSA)

2
Issues and Concerns
  • Educating Business
  • Educating Students
  • Community College
  • K-12
  • Developing IT Audit, Control and Security
    Professionals
  • Securing Cyberspace
  • Securing New Technology Implementation

3
Educating Business
  • Why Information Assurance?
  • Security Return on Investment
  • Best Practices
  • Need to Protect, Secure and Monitor

4
In Business - Who Performs IT Audits And Security
Reviews
  • The Internal Auditor and Security Functions (IT
    and/or Corporate)
  • The External Auditor and IT Security Consultants
  • Big Four CPA Firms
  • Government Auditors (The Final Validators)

5
Skills Needed to Perform IT Audit and Security
Reviews
  • Business Experience
  • IS Education and/or Experience
  • Accounting Education and/or experience
  • Oral Communication and presentation skills
  • Written communication skills
  • Analytical skills
  • Ability to work in a team environment
  • Ability to use the computer to audit through the
    computer
  • Continuous self development

6
IT Audit, Control and Security is within the
Information Assurance Domain
  • IT Audit, Control and Security is a profession
    and career.
  • Career development and professional support will
    continue to grow and evolve.
  • Career opportunities will continue, and the
    demand will continue.
  • And this is a field that won't be outsourced
    internationally

7
Educating Students
  • Professional Ethics (NSF grants, ITEST)
  • Need to teach the right ways early (K-12)
  • Need to inform, understand why and be wary of
    the consequences
  • CMU's Mysecurecyberspace.com
  • Need to move to Community College and K-12 Level

8
RISSC Vision

9
Developing IA Professionals
  • Professional Associations
  • ISACA (CISA and CISM)
  • IIA (CIA)
  • ACFE (CFE)
  • ISSA (CISSP)
  • AGA (CGFM)
  • AICPA (CPA)
  • Universities
  • Colleges of Engineering, Science and Business
  • Designers and developers of IA, reviewers and
    evaluators of IA

10
Securing Cyberspace
  • US Plan to Secure Cyberspace
  • NIST Rollout of Drafts
  • Computer Security Certification and Accreditation
  • HIPAA Secure Policy Enforcement SP800-66
  • Voice of Business Technet.org
  • Professional Associations
  • ISO 17799 (Updated June 2005)

11
Department of Homeland Security and National
Security Agency
  • California State Polytechnic University, Pomona
    CA selected June 2005
  • At NSA site
  • Information Assurance Courseware Certification
    Program
  • NSTISSI 4011, 4012, 4013, 4014, 4015, 4016
  • Academic Center of Excellence in Information
    Assurance Education

12
Information Systems Audit and Control Association
(ISACA)
  • Started in 1967
  • Today, ISACA's membership, more than 50,000 strong
    worldwide, is characterized by its diversity.
    Members live and work in more than 140 countries
    and cover a variety of professional IT-related
    positions

13
ISACA Certifications
  • CISA - CISA (Certified Information Systems
    Auditor) is ISACA's cornerstone certification.
    Since 1978, the CISA exam has measured excellence
    in IS auditing, control and security.
  • CISA has grown to be globally recognized and
    adopted worldwide as a symbol of achievement. The
    CISA certification has been earned by more than
    44,000 professionals since inception

14
CISM
  • CISM (Certified Information Security Manager) is
    ISACA's groundbreaking credential earned by over
    5,500 professionals in its first two years. It is
    for the individual who must maintain a view of
    the "big picture" by managing, designing,
    overseeing and assessing an enterprise's
    information security.

15
Outreach to Students, Educators and Universities
  • Discount Membership to Students
  • Academic Advocate Program
  • Model Curriculum for IS Audit and Control

16
The Model
  • The ISACA 2004 Model Curriculum for Information
    Systems Audit and Control can be viewed as a
    reasonably comprehensive set of topics for an
    ideal program for IS audit and control.
  • The model curriculum provides a goal for
    universities worldwide to strive toward in
    meeting the demand for educating future IS
    professionals

17
Audit Programs Currently in Alignment with The
Model
  • Those Universities found to be in alignment with
    the ISACA Model Curriculum. Graduates of these
    programs qualify for one year work experience
    toward the Certified Information Systems Auditor
    (CISA) designation
  • Listed on ISACA Webpage as compliant

18
Can Apply to Undergraduate or Graduate Programs
That Meet Requirements (244)
  • Area 1 - Audit Process Domain (58)
  • Area 2 - Management, Planning and Organization
    of IS Domain (37)
  • Area 3 - Technical Infrastructure and
    Operational Practices Domain (37)
  • Area 4 - Protection of Information Assets Domain
    (29)
  • Area 5 - Disaster Recovery and Business
    Continuity Domain (12)
  • Area 6 - Business Application Systems
    Development, Acquisition, Implementation and
    Maintenance Domain (52)
  • Area 7 - Business Evaluation and Risk Management
    Domain (19)

20
Compliance Grid for the ISACA Model Curriculum
for IS Audit and Control
  • To map a program to the ISACA Model Curriculum
    for IS Audit and Control, enter the name of the
    course(s) or session(s) in the program that
    covers each topic area or subtopic description
    along with the amount of time (in hours) devoted
    to covering the topic in each table. If a
    described topic is not covered, record a 0 (zero)
    in the column for contact hours.
  • To be in compliance with the model, the total
    time spent in hours should be at least 244 hours
    and all areas in the model should have reasonable
    coverage.
  • Note: When mapping a graduate program, include
    the prerequisites from the undergraduate program.

21
The Process
  • Identify all direct and support courses that
    apply to the program.
  • Make sure the current syllabi or expanded course
    outlines and support materials for the courses
    are accessible. It takes approximately 16 hours
    to complete the mapping, if expanded course
    outlines are available from which information can
    be extracted.

22
The Process
  • Proceed one by one. Select the first course in
    the program, examine the elements and subject
    matter, and map to the model. Literally proceed
    week by week.
  • Use key words from the ISACA template subtopics
    to search the syllabi to identify matches. Once
    that match is made, estimate the amount of time
    the subject was covered based on the coursework.

23
The Process (Continued)
  • If unsure of the content of the subject covered,
    go to the textbook and PowerPoint
    slides/materials used. Note that generic titles
    used often cover more than what is implied.
  • Remember to allocate the time per course and
    identify the course covering each subject. For
    example, a quarter system may have 10 weeks and
    four contact hours per week (40 hours), but some
    courses may have lab or project requirements that
    may result in more than 40 hours.

24
The Process (Continued)
  • Map course by course and keep track of
    allocation. This is easiest for those familiar
    with the program and who have the information
    available.
  • After completing all courses, go back and
    double-check that the selections/placement are
    the best possible and seem reasonable.

25
Last
  • Have a colleague check the mapping

26
Then
  • Submit the completed tables to ISACA for review
    by e-mail, research_at_isaca.org,
    fax 1.847.253.1443, or mail to the attention of
    the director of research, standards and academic
    relations at ISACA, 3701 Algonquin Road, Suite
    1010, Rolling Meadows, IL 60008, USA.
  • If the program is found to be in compliance with
    the ISACA Model Curriculum for IS Audit and
    Control, the program may be posted on the ISACA
    web site and graduates of the program will
    qualify for one year of work experience toward
    the Certified Information System Auditor (CISA)
    certification.

27
US Universities Compliant
  • Bowling Green University
  • University of Mississippi
  • California State Polytechnic University, Pomona