
Thanks Walu, with one important area not included in your list:
1) THE IS AUDIT PROCESS
2) IT GOVERNANCE
3) SYSTEMS AND INFRASTRUCTURE LIFE CYCLE MANAGEMENT
4) IT SERVICE DELIVERY SUPPORT
5) PROTECTION OF INFORMATION ASSETS
6) BUSINESS CONTINUITY & DISASTER RECOVERY MANAGEMENT
The following site is also rich in information which many can share: www.isaca.org, not forgetting COBIT (Control Objectives on Information Technology). Sorry for all these but I am a mzee (an elder) trying to remember what techies should be aware of.
Preston

--- On Wed, 10/21/09, Walubengo J <jwalu@yahoo.com> wrote:
From: Walubengo J <jwalu@yahoo.com>
Subject: Re: [Skunkworks] AUDIT OF IT
To: "Skunkworks Forum" <skunkworks@lists.my.co.ke>, "Preston" <podera@k90ea.com>
Date: Wednesday, October 21, 2009, 10:30 AM

I agree with Ikua/Preston. CISA (Certified Information Systems Auditors) tend to have the big picture - and that's by design. They don't drill down to specific vendor technologies - even though they know what to expect from such technologies. Maybe a snapshot of the course content would help, as given below (ref: www.isaca.org):
1. IS Audit Process
2. IT Governance
3. Infrastructure Lifecycle Development
4. Protection of Information Assets
5. Business Continuity and Disaster Management
And so, if I am a CISA with a financial/accounting background but need to inspect a Cisco PIX firewall, I would be obliged to hire the expertise rather than pretend to do it. Of course, if I am a CISA and a techie in that area (and there are many like that) I would just proceed and perform the inspection accordingly.
The point is, the Security Ecosystem is so large and each professional in the Security field has an important role to play. Trying to establish who is better than the other would be like trying to see who between the following is better than the other: the Architect who designs the building or the Electrical/Civil/Structural Engineers who provide specialized services within the buildings... Rather than begin to research for an answer, I would say it's really a misplaced question to ask.
walu.
NB: I am a CISA but not an Accountant (so feel free to consider my views biased ;-)
--- On Tue, 10/20/09, Preston <podera@k90ea.com> wrote:
From: Preston <podera@k90ea.com>
Subject: Re: [Skunkworks] AUDIT OF IT
To: "Skunkworks Forum" <skunkworks@lists.my.co.ke>
Date: Tuesday, October 20, 2009, 2:09 PM
If we start from the premise that you cannot be a master of all, then Certified Penetration Testers, Systems Engineers and Network Vulnerability Experts can only handle their areas, but only to the level their knowledge can allow, with a scale (1 to 10) depending on whether you gained it from Karamaindo as a college or company. Also, hands-on experience plays a greater part, including organization culture.
Depending on what has to be audited you need a team of experts!! in the areas being audited. The experts might not be better than those being audited (even on Financial Audits this is sometimes the case, where junior auditors are sent to companies with the least audit experience) but have to make an assurance that the areas being audited are meeting some standards, both as defined by the company being audited or guided by international standards.
What is also required is a team leader, and that is where Certified Information Systems Auditors come in. These are from various backgrounds including techies, financials, etc.
As Evans indicates, one of the ISACA audit standards states that an auditor should use the right expert for the right audit process. This is quite true for all professions. I realized this when putting up a modest palace (needed an Architect, Quantity Engineer, Structural Engineer, Foreman, Plumber, Electrical Engineer, Loader and a host of other professions, while the single process was Putting Up the Palace = IT Audit). In all of these, teamwork of different professions is required, guided by a leader who has received certain qualifications, where CISA is one of them.
Preston
--- On Tue, 10/20/09, Evans Ikua <ikua.evans@gmail.com> wrote:
From: Evans Ikua <ikua.evans@gmail.com>
Subject: Re: [Skunkworks] AUDIT OF IT
To: "Skunkworks Forum" <skunkworks@lists.my.co.ke>
Date: Tuesday, October 20, 2009, 10:58 AM

I am a member of the local ISACA chapter, but I will speak for myself. Amolo, I don't agree with you. I recently spoke to a guy from a local shop of the big 5 audit (Finance) firms. He said they do IT audits alright. But they are more interested in seeing how far the IT infrastructure supports the financial figures that they are reporting on. You realize most of accounting nowadays is dependent on IT, as is most of business processes.
But how does an accountant (the majority of CISAs are) tell if a DB has been compromised if he does not understand the deep workings of a DB?
As I have said before, the best a CISA can do is to manage the whole process of the IT audit, but not to pretend to be what they are not. One of the ISACA audit standards states that an auditor should use the right expert for the right audit process. If you want to audit a database, hire a database expert. If you want to gauge network vulnerability, hire a vulnerability expert, and so on. It's professional negligence, which should attract hefty legal penalties, for a firm to conduct an IT audit, give a clean bill of health, and leave an organization at risk.
Just wait till you hear someone taken to court for professional negligence.
Ikua
On Mon, Oct 19, 2009 at 10:51 PM, Areba Collins <arebacollins@gmail.com> wrote:
Slunks! What's so hard? IT audit, IT. Finance audit, FINANCE.
On 10/19/09, Paul Roy <roykoikai@gmail.com> wrote:
I'm liking this... so far Chucks is leading :)
On Mon, Oct 19, 2009 at 5:36 PM, Gichuki John Chuksjonia <chuksjonia@gmail.com> wrote:
So their scope would be Financial Audit?
On 10/19/09, Joshua Amolo <joshua.amolo@gmail.com> wrote:
If you check my mail again Chuks, I talked about SCOPE
On Mon, Oct 19, 2009 at 4:00 PM, Gichuki John Chuksjonia <chuksjonia@gmail.com> wrote:
> @Joshua, yah mistaken. What does an IT Audit consist of? Because a Code Audit is part of IT Audit, tell us, how can a Finance guy look for loopholes and bugs in PHP code if he doesn't even know how to write one?
>
> On 10/19/09, Joshua Amolo <joshua.amolo@gmail.com> wrote:
> > I don't think there is anything wrong with a Finance guy auditing IT.
> >
> > The issue should be what's the purpose of the audit. The purpose will give a clear scope and the necessary competence to undertake the audit.
> >
> > For example, if you were to audit the financial sense of having a unit within IT, you don't need another IT guy to do this audit. If an auditor wants to check conformity to certain standards of your network, for example, there are very powerful tools a Finance guy can use.
> >
> > Cynthia, I agree with you; sometimes you can endure very unnecessary questions from an incompetent auditor. I remember a case where an auditor was checking the competence of a hardware technician and he asked him 'Does the computer has a motherboard?'; the technician was so pissed he plainly just said 'no, this one uses a fatherboard'.
> >
> > On Mon, Oct 19, 2009 at 3:04 PM, Joseph McDonald <mcdonaldoj@gmail.com> wrote:
> > > The confusion started because there are few companies that normally do independent IT audits. In most cases the IT audit is done as an extension of the Financial audits, hence you will find many accountants rushed to do CISA.
> > >
> > > Secondly, in any organisation the three P's are important (People, Products and Profits); systems and IT, for that matter, in most cases are enablers to help the people, to move the products faster to the market and to increase efficiency, hence profits.
> > >
> > > There are some IT audits which finance people can perform well, while there are some areas which definitely require some IT expertise for you to benefit fully from the said audit.
> > >
> > > Because a good audit should give the auditee and the organisation ways for corrective and preventive actions, and continual improvement.
> > >
> > > On Mon, Oct 19, 2009 at 9:25 AM, Eric Mugo <kabugum@gmail.com> wrote:
> > > > A Finance person auditing an IT infrastructure is like a Security Assessor auditing the end-year results of a company. I find it very ironical and old-school thinking from those days when I.T used to fall under the Finance department/Division. Back then, the systems were simple and geared towards very specific tasks. That is no longer the case nowadays.
> > > >
> > > > A company's systems infrastructure has become very complex; look at a situation where a company has several DMZs each hosting different systems, several Server Farms, Webhosting Facilities, a super big ERP.... and then you bring an accountant to do a security audit of the systems, or rather perform an entire audit, meaning management, financial and security audit.... forgive me but I find it plain stupid!
> > > >
> > > > The positive thing is that most companies are now realising the importance of an information security role within their ranks. Once someone in charge of security is in place, then the chances of being audited on Security by a CPA-K are reduced because the I.T guy will spot their incompetencies from a mile away...
> > > >
> > > > On Mon, Oct 19, 2009 at 8:33 AM, Edmund Okumu <edmund.okumu@gmail.com> wrote:
> > > > > Most Audit firms do exactly that. It is not right at all to have a finance guy audit IT. Let me state categorically that even if a finance person has taken the CISA exams and passed, they still don't qualify to audit IT, as IT audit requires an IT Audit professional with some level of deep understanding in the particular field of audit. Preferably the IT auditor should come from a technical background, e.g. Systems Development, Systems and Network Administration or Database Administration.
> > > > >
> > > > > Such people employed by audit firms usually write nasty audit reports based on findings that do not satisfy the expectations of the forms downloaded from the Internet. The audit reports therefore do not give a true reflection of the particular IT department of interest.
> > > > >
> > > > > Can someone from ISACA the Kenyan chapter respond to this issue and tell us the way forward. We need some level of regulation on this.
> > > > >
> > > > > On Sun, Oct 18, 2009 at 6:07 PM, Cynthia Wahome <cwahome@jambo.co.ke> wrote:
> > > > > > Dear All
> > > > > > Let me get your thoughts on this.
> > > > > >
> > > > > > Is it right for a Finance guy to come and do an audit of an IT department yet the Finance guy has no clue about IT?
> > > > > > I won't name the audit firm here, but I wonder: when they go to the net and download a form, then they come and ask you silly questions, it makes me question them.
> > > > > >
> > > > > > People, my question is this:
> > > > > > Who should do an IT audit? Finance People? or IT People?
> > > > > > I stand to be corrected
> > > > > > Skunkworks mailing list
> > > > > > Skunkworks@lists.my.co.ke
> > > > > > http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks
> > > > > > Skunkworks Rules
> > > > > > http://my.co.ke/phpbb/viewtopic.php?f=24&t=94
> > > > > > Other services @ http://my.co.ke
> > > > > > Other lists
> > > > > > -------------
> > > > > > Announce: http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks-announce
> > > > > > Science: http://lists.my.co.ke/cgi-bin/mailman/listinfo/science
> > > > > > kazi: http://lists.my.co.ke/cgi-bin/mailman/admin/kazi/general
> > > > > --
> > > > > Edmund C. O. Okumu
> > > > > P.O Box 8490-00200,
> > > > > Nairobi, Kenya.
> > > > > TEL: 254-721-734935
> > --
> > ----------------------------------------------------------------
> > Joshua Amolo
> > Cell: +254 720 263308/+255 783 060052
> >
> > Managing IT people is like herding cats
>
> --
> Gichuki John Ndirangu, C.E.H, C.P.T.P, O.S.C.P
> I.T Security Analyst and Penetration Tester
> infosigmer@inbox.com
>
> {FORUM} http://lists.my.co.ke/pipermail/security/
> http://nspkenya.blogspot.com/
> http://chuksjonia.blogspot.com/
--
----------------------------------------------------------------
Joshua Amolo
Cell: +254 720 263308/+255 783 060052
Managing IT people is like herding cats
--
Gichuki John Ndirangu, C.E.H, C.P.T.P, O.S.C.P
I.T Security Analyst and Penetration Tester
infosigmer@inbox.com
{FORUM} http://lists.my.co.ke/pipermail/security/
http://nspkenya.blogspot.com/
http://chuksjonia.blogspot.com/
--
"Change is slow and gradual. It requires hard work, a bit of luck, a fair amount of self-sacrifice and a lot of patience."
Roy.