Title: ISACA 2005 Model Curriculum for IT Audit Education: A Measure of Excellence
1 ISACA 2005 Model Curriculum for IT Audit Education: A Measure of Excellence
- Fred Gallegos, CISA, CDE, CGFM
- CIS Faculty, MSBA - IS Audit Advisor
- California State Polytechnic University, Pomona, CA (A Center of Academic Excellence in Information Assurance Education 2005 by DHS/NSA)
2 Issues and Concerns
- Educating Business
- Educating Students
- Community College
- K-12
- Developing IT Audit, Control and Security Professionals
- Securing Cyberspace
- Securing New Technology Implementation
3 Educating Business
- Why Information Assurance?
- Security Return on Investment
- Best Practices
- Need to Protect, Secure and Monitor
4 In Business - Who Performs IT Audits and Security Reviews
- The Internal Auditor and Security Functions (IT and/or Corporate)
- The External Auditor and IT Security Consultants
- Big Four CPA Firms
- Government Auditors (The Final Validators)
5 Skills Needed to Perform IT Audit and Security Reviews
- Business Experience
- IS Education and/or Experience
- Accounting Education and/or Experience
- Oral Communication and Presentation Skills
- Written communication skills
- Analytical skills
- Ability to work in a team environment
- Ability to use the computer to audit through the computer
- Continuous self development
6 IT Audit, Control and Security is within the Information Assurance Domain
- IT Audit, Control and Security is a profession and career.
- Career development and professional support will continue to grow and evolve.
- Career opportunities will continue, and the demand will continue.
- And this is a field that won't be outsourced internationally.
7 Educating Students
- Professional Ethics (NSF grants, ITEST)
- Need to teach the right ways early (K-12)
- Need to inform, understand why and be wary of the consequences
- CMU's Mysecurecyberspace.com
- Need to move to Community College and K-12 Level
8 RISSC Vision
9 Developing IA Professionals
- Professional Associations
- ISACA (CISA and CISM)
- IIA (CIA)
- ACFE (CFE)
- ISSA (CISSP)
- AGA (CGFM)
- AICPA (CPA)
- Universities
- Colleges of Engineering, Science and Business
- Designers and developers of IA, reviewers and evaluators of IA
10 Securing Cyberspace
- US Plan to Secure Cyberspace
- NIST Rollout of Drafts
- Computer Security Certification and Accreditation
- HIPAA Secure Policy Enforcement SP800-66
- Voice of Business Technet.org
- Professional Associations
- ISO 17799 (Updated June 2005)
11 Department of Homeland Security and National Security Agency
- California State Polytechnic University, Pomona, CA selected June 2005 - At NSA site
- Information Assurance Courseware Certification Program - NSTISSI 4011, 4012, 4013, 4014, 4015, 4016
- Academic Center of Excellence in Information Assurance Education
12 Information Systems Audit and Control Association (ISACA)
- Started in 1967
- Today, ISACA's membership, more than 50,000 strong worldwide, is characterized by its diversity. Members live and work in more than 140 countries and cover a variety of professional IT-related positions.
13 ISACA Certifications
- CISA (Certified Information Systems Auditor) is ISACA's cornerstone certification. Since 1978, the CISA exam has measured excellence in IS auditing, control and security.
- CISA has grown to be globally recognized and adopted worldwide as a symbol of achievement. The CISA certification has been earned by more than 44,000 professionals since inception.
14 CISM
- CISM (Certified Information Security Manager) is ISACA's groundbreaking credential, earned by over 5,500 professionals in its first two years. It is for the individual who must maintain a view of the "big picture" by managing, designing, overseeing and assessing an enterprise's information security.
15 Outreach to Students, Educators and Universities
- Discount Membership to Students
- Academic Advocate Program
- Model Curriculum for IS Audit and Control
16 The Model
- The ISACA 2004 Model Curriculum for Information Systems Audit and Control can be viewed as a reasonably comprehensive set of topics for an ideal program for IS audit and control.
- The model curriculum provides a goal for universities worldwide to strive toward in meeting the demand for educating future IS professionals.
17 Audit Programs Currently in Alignment with the Model
- Those universities found to be in alignment with the ISACA Model Curriculum. Graduates of these programs qualify for one year of work experience toward the Certified Information Systems Auditor (CISA) designation.
- Listed on the ISACA webpage as compliant
18 Can Apply to Undergraduate or Graduate Programs That Meet Requirements (244 hours total)
- Area 1 - Audit Process Domain (58)
- Area 2 - Management, Planning and Organization of IS Domain (37)
- Area 3 - Technical Infrastructure and Operational Practices Domain (37)
- Area 4 - Protection of Information Assets Domain (29)
- Area 5 - Disaster Recovery and Business Continuity Domain (12)
- Area 6 - Business Application Systems Development, Acquisition, Implementation and Maintenance Domain (52)
- Area 7 - Business Evaluation and Risk Management Domain (19)
20 Compliance Grid for the ISACA Model Curriculum for IS Audit and Control
- To map a program to the ISACA Model Curriculum for IS Audit and Control, enter the name of the course(s) or session(s) in the program that covers each topic area or subtopic description, along with the amount of time (in hours) devoted to covering the topic, in each table. If a described topic is not covered, record a 0 (zero) in the column for contact hours.
- To be in compliance with the model, the total time spent should be at least 244 hours, and all areas in the model should have reasonable coverage.
- Note: When mapping a graduate program, include the prerequisites from the undergraduate program.
21 The Process
- Identify all direct and support courses that apply to the program.
- Make sure the current syllabi or expanded course outlines and support materials for the courses are accessible. It takes approximately 16 hours to complete the mapping if expanded course outlines are available from which information can be extracted.
22 The Process
- Proceed one by one. Select the first course in the program, examine the elements and subject matter, and map to the model. Literally proceed week by week.
- Use key words from the ISACA template subtopics to search the syllabi to identify matches. Once a match is made, estimate the amount of time the subject was covered based on the coursework.
23 The Process (Continued)
- If unsure of the content of the subject covered, go to the textbook and PowerPoint slides/materials used. Note that generic titles often cover more than what is implied.
- Remember to allocate the time per course and identify the course covering each subject. For example, a quarter system may have 10 weeks and four contact hours per week (40 hours), but some courses may have lab or project requirements that result in more than 40 hours.
24 The Process (Continued)
- Map course by course and keep track of allocation. This is easiest for those familiar with the program who have the information available.
- After completing all courses, go back and double-check that the selections/placement are the best possible and seem reasonable.
25 Last
- Have a colleague check the mapping
26 Then
- Submit the completed tables to ISACA for review by e-mail (research_at_isaca.org), fax (1.847.253.1443), or mail to the attention of the director of research, standards and academic relations at ISACA, 3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008, USA.
- If the program is found to be in compliance with the ISACA Model Curriculum for IS Audit and Control, the program may be posted on the ISACA web site and graduates of the program will qualify for one year of work experience toward the Certified Information Systems Auditor (CISA) certification.
27 US Universities Compliant
- Bowling Green University
- University of Mississippi
- California State Polytechnic University, Pomona