Information security processes are just one of the areas comprehensively tested by the CISA certification examination.
The examination requires some work experience in either auditing or in the Infotech industry to even qualify to sit it, and is a strenuous test of six crucial aspects of Infotech auditing.
The examination itself is over four hours long, and is extremely comprehensive to say the least.
Let us discuss one of the content areas tested by the examination in detail.
Information security processes includes the accurate and precise identification of crucial evidence, and subsequently, collecting, collating and recording that evidence reliably enough that it can be used later without question.
This is integral to the entire process - if one cannot be assured of the integrity of one's data, one finds that the entire auditing process becomes flawed.
Flawed data leads to flawed assumptions, which then lead to flawed conclusions - and these lead to misguided policies and strategies, and before one knows it, the entire process has failed.
So the competent auditor is absolutely meticulous in how he or she identifies and then collects evidence, information or other crucial data, right through to storing this in records that are easily and accurately accessible, and then finally, to using the collected data and evidence correctly.
Where is evidence gathered from? This is a painstaking process and involves both personal observations and the interviewing of people inside and outside the business. A good auditor cultivates considerable 'people skills', as this will lead to his or her evidence gathering processes being made easier.
Focusing subtly on the topic at hand while engaging the subjects in two-way conversation allows for a far greater retrieval of crucial evidence than might otherwise be possible.
Remember to target not only employees but external individuals with intimate links to the working structure of the business - support personnel, affiliates, and partnership firms.
Ultimately, all data collection should lead to a thorough understanding of the software infrastructure of the business, the security of data flow on its networks, and the disaster control programs it may have in place - as well as the viability and workability of those programs in a real-time emergency.