.

CISA

<<

Robert024

Newbie
Newbie

Posts: 3

Joined: Fri Apr 15, 2011 4:47 pm

Post Mon May 16, 2011 4:36 pm

CISA

Hi,
I am a Service Desk manager and my organization requires that I obtain one of five types of certifications: CISA, CISSP, GSE, SCNA or GCIH.  My background is in technology management, people and processes.  After looking over the choices CISA seems the fit best.
I will need to attend a “boot camp,” and engage in some serious self-study.  But, I wanted to explore other in-class learning that might help.  My ideal model is the UCSD Extension course CISSP.
Any advice is appreciated.
Robert
Last edited by Robert024 on Mon May 16, 2011 4:44 pm, edited 1 time in total.
<<

WCNA

User avatar

Full Member
Full Member

Posts: 187

Joined: Wed Mar 02, 2011 8:05 am

Location: Florida

Post Mon May 16, 2011 8:34 pm

Re: CISA

No real advice here but I read somewhere that there was a large need for CISAs (bunches listed on job sites) so you picked a good one to have on your resume, especially if your company is paying for it! After I take the CISSP exam I will be applying for Auditor jobs. All the CISA training I found seemed to be too expensive for me to pay out of pocket.
ISC2 Associate, WCNA, CWNA, OSCP, Network+
<<

alucian

User avatar

Full Member
Full Member

Posts: 228

Joined: Mon Dec 29, 2008 2:01 pm

Location: Montreal, Canada

Post Tue May 17, 2011 9:52 am

Re: CISA

If you really want to learn something, do CISSP. For the CISA you can study by yourself, and then pass the exam. I warn you that it could be very boring.

For the CISSP I recommend you to read once the Shon Harris's book, and then go to the boot camp. That way you'll benefit most from the boot camp.
Otherwise you'll get lost in the information you'll receive and you'll brain will start thinking at something else, seriously. :)

GSEC is another good starting point. You'll get some technical skills, not only theory.
CISSP ISSAP, CISM/A, GWAPT, GCIH, GREM, GMOB, OSWP
<<

tturner

User avatar

Sr. Member
Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Tue May 17, 2011 4:03 pm

Re: CISA

WCNA wrote: All the CISA training I found seemed to be too expensive for me to pay out of pocket.


Check the local ISACA chapter. Many conduct CISA/CISM/etc review courses a couple months before the exams. I took a CISA review course through the Tampa (west FL) ISACA chapter back in 2007 or 08 and I think it was less than 400.00 with the books. That's really not that expensive and it was pretty decent prep for the exam. Ours was structured so that a local "expert" for each of the modules was brought in with the CISA trainer facilitating and providing consistency for training delivery.

That being said, the mindset elicited from CISA will lead a security tester to being a mindless drone. For understanding of the CISA domains and basic audit mindset it's pretty good, but I usually groan internally when I get a CISA certified pentester (even though I'm a CISA as well)
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, GSSP-JAVA, OPSE, CSWAE, CSTP, VCP

WIP: Vendor WAF stuff

http://sentinel24.com/blog @tonylturner http://bsidesorlando.org
<<

Robert024

Newbie
Newbie

Posts: 3

Joined: Fri Apr 15, 2011 4:47 pm

Post Thu May 19, 2011 9:33 am

Re: CISA

tturner wrote:
WCNA wrote:That being said, the mindset elicited from CISA will lead a security tester to being a mindless drone. For understanding of the CISA domains and basic audit mindset it's pretty good, but I usually groan internally when I get a CISA certified pentester (even though I'm a CISA as well)


tturner,
Why are the CISAs you encountered "pentesters," and how have you avoided becoming one?
Robert
<<

Robert024

Newbie
Newbie

Posts: 3

Joined: Fri Apr 15, 2011 4:47 pm

Post Thu May 19, 2011 9:34 am

Re: CISA

All,
Thank you for the words of wisdom.
Robert
<<

tturner

User avatar

Sr. Member
Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Sun Jun 05, 2011 9:41 pm

Re: CISA

Robert024 wrote:tturner,
Why are the CISAs you encountered "pentesters," and how have you avoided becoming one?
Robert


You'd have to ask them why they are pentesters. In my opinion many of them should not be. I've found many do not understand risk, and cannot step outside their rather limited compliance mindset for the sake of a checkbox mentality. Understanding why the server team has not been patching servers in a very long time is probably more important than getting a single obscure patch that has a public exploit, but that tends to be the kind of thing my CISA auditors have gone into alarm condition on.

For me personally (and you really need to understand your business culture here to understand what motivates your leadership), I use compliance as a tool for security budget and then do what I can to shoehorn that budget into meeting compliance objectives and addressing real risk based (or in many cases threat surface reduction based) security concerns which usually include pentests both in-house and outsourced.

CISA's also seem to get bogged down in processes like "Oh dear, you have not implemented best practice process number 237?" without understanding that best practices regardless of who defined them are only valid best practices for the organization that developed them or at best the set of organizations that contributed to the standard. I do tend to look at the meta issues myself when problem solving, but some of these process frameworks are quite laborious for no real value add. I don't want to go on an ITIL or CobIT rant because there's actually some really terrific stuff in both ITIL and CobIT (and many other frameworks), but I've had a few auditors that refused to believe an organization was doing the right things unless they were blindly adopting the entirety of some of these frameworks. That's just ludicrous. <insert Logical Fallacy>

Robert024, You ask how I avoided becoming one? I immerse myself in hackery, focus on the core business value that can be derived from my tests and try to remember that compliance pays the bills.
Last edited by tturner on Sun Jun 05, 2011 9:44 pm, edited 1 time in total.
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, GSSP-JAVA, OPSE, CSWAE, CSTP, VCP

WIP: Vendor WAF stuff

http://sentinel24.com/blog @tonylturner http://bsidesorlando.org
<<

jbt52

Newbie
Newbie

Posts: 15

Joined: Tue Mar 22, 2011 1:30 pm

Post Tue Jun 21, 2011 2:33 pm

Re: CISA

alucian wrote:If you really want to learn something, do CISSP. For the CISA you can study by yourself, and then pass the exam. I warn you that it could be very boring.

For the CISSP I recommend you to read once the Shon Harris's book, and then go to the boot camp. That way you'll benefit most from the boot camp.
Otherwise you'll get lost in the information you'll receive and you'll brain will start thinking at something else, seriously. :)

GSEC is another good starting point. You'll get some technical skills, not only theory.


The CISSP requires 5 years of experience, so it is not quite like getting other, less advanced certs, but is certainly worth considering.

As for affordability, there are a lot of places online for both the CISA and CISSP that you can get self study materials for very cheap, if you decide to go the self study route, which is what I prefer. I know Technologycerts has a deal on a lot of their training for like $100 right now, so anyone could afford to get certified/trained.
<<

dynamik

Recruiters
Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Wed Jul 13, 2011 12:12 am

Re: CISA

jbt52 wrote:The CISSP requires 5 years of experience, so it is not quite like getting other, less advanced certs, but is certainly worth considering.

As for affordability, there are a lot of places online for both the CISA and CISSP that you can get self study materials for very cheap, if you decide to go the self study route, which is what I prefer. I know Technologycerts has a deal on a lot of their training for like $100 right now, so anyone could afford to get certified/trained.


It's only four if you have one of many other certifications or qualifying degree. The CISA also has an experience requirement.
The day you stop learning is the day you start becoming obsolete.
<<

kennut

User avatar

Newbie
Newbie

Posts: 46

Joined: Thu Apr 16, 2009 10:41 pm

Post Wed Aug 10, 2011 5:07 am

Re: CISA

think of it, if you're taking CISA - you need to have a mindset of an IT auditor

if taking CISM - then you have to have Information Security manager mindset

but for CISSP is more on operational IT security mindset.

given that you company is paying for it, just go for it. however, the exam is not easy, a lot of people can pass the exam because there is a pattern to it (hint- the Q&As samples), but you need to know what they will ask. this goes the same for CISM too.
Done all 3 certs, now going for CISSP.....

Return to Security

Who is online

Users browsing this forum: No registered users and 1 guest

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software