Certified Information Security Manager (CISM) is a certification for information security managers awarded by ISACA (formerly the Information Systems Audit and Control Association). To gain the certification, individuals must pass a written examination and have at least five years of information security experience, including a minimum of three years of information security management work experience in particular fields.
The intent of the certification is to provide a common body of knowledge for information security management. The CISM focuses on information risk management as the basis of information security. It also includes material on broader issues such as how to govern information security as well as on practical issues such as developing and managing an information security program and managing incidents.
The point of view in the certification is that of widely accepted cross-industry best practices, where information security gets its justification from business needs. The implementation includes information security as an autonomous function inside wider corporate governance.
Certified Information Systems Auditor (CISA) is a globally recognised certification in the field of audit, control and security of information systems. Because its certification criteria are uniform worldwide, CISA has gained broad acceptance and a high degree of visibility and recognition in the fields of IT security, IT audit, IT risk management and governance. Vacancies in IT security management, IT audit or IT risk management often ask for a CISA certification. The examination is challenging and is associated with a high failure rate. CISA is awarded by the Information Systems Audit and Control Association (ISACA).
- For an organisation to have an effective Enterprise-Network solution, the infrastructure has to be supported at a level that keeps downtime to a minimum.
- High-speed networks are built from devices such as core and edge switches, routers and radios, and the continued availability of your network resources is a function of the state of health of these components. The failure of a single router can lead to a disastrous situation, so both on-site and off-site support are crucial if an organisation is to get optimum performance from its network solution.
- Our main focus in this type of engagement is to provide component- and device-level training and support for organisations, while your local engineers are trained to provide level 1 and level 2 support. Off-site support is delivered by phone or over the internet.
- In a similar vein, on-site support runs at three levels: on-site engineers first try to resolve a problem and, if they are unable to, escalate it to the second and then the third level of support.
Core capacity-building areas for engineers include:
- Proper operation of general computer systems, including PCs, thin-client terminals, printers, fax machines, UPSs, stabilisers, etc.
- Systems Maintenance & 1st Level troubleshooting of general computer systems
- Server hardware configuration
- Remote server management, using OEM management tools
- UPS-driven shut-down of servers
- Fundamentals of LANs & WANs, structured cabling (UTP & power), data switches, and broadband wireless infrastructures
- Maintenance & 1st Level troubleshooting of the installed structured cabling infrastructures and data switches.
- Fundamentals of routers and network routing
- Fundamentals of voice-over-IP technologies
- Fundamentals of network security (incl. firewall & VPN technologies)
- Maintenance & 1st Level troubleshooting of the security and voice/IP-enabled gateway routers at the LG/LCDAs/SA’s ICT Centres
- Written Exam – of all the above subjects
- Practical Exam – hands-on use & troubleshooting of the equipment
- Incident Response is a general term for the immediate, organised response by a person or an organisation to an attack.
- The attack can come from an internal employee or from malicious external sources, including crackers and/or terrorists. An organised and careful reaction to an incident can mean the difference between complete recovery and total disaster.
- When an incident has occurred or is detected, the forensic investigation process used is vital. Correct procedures ensure that evidence remains sound while it is being located and extracted from the applicable devices and media; in practice this means acquiring through a write blocker, hashing the source and the copy, and keeping a chain-of-custody record from the moment of seizure.
- Approaches range from the use of simple data recovery and disk mirroring tools to complex techniques such as reverse engineering, which enable the investigator to reconstruct the evidence needed to prosecute the offender.
- When computer systems security has been breached and the evidence source has been destroyed, our forensic investigators will assist in:
- Locating and retrieving electronic evidence from many devices which include:
- Servers/ Desktops/Laptop
- Zip Drives/ Back-up Tapes
- USB devices
- PDA’s/Mobile Phones
- Digital Cameras
- Network Traffic
- E- Mails Communications
- Producing a forensic report, which is generally used to prosecute the offender
- Conducting an investigation under a properly controlled environment
- Generating forensic evidence that is tenable in any court of law
- Generating a forensic investigation report, based on all material evidence, that will help control the crime.
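The integrity bookkeeping behind "evidence remains sound" above, as an added example that is not part of the original page or the firm's own tooling: hash the source and the acquired copy, open a chain-of-custody record, and re-verify the hash before each examination. The "device" contents are a constructed byte string, and the evidence ID and examiner names are hypothetical; reading the source through a hardware write blocker is assumed and not modelled.

```python
"""Added example, not part of the original page: integrity bookkeeping for an
acquired evidence image -- hash the source and the copy, record who handled the
evidence and when, and re-verify the hash before analysis or court. The 'device'
is a constructed byte string; evidence_id and the examiners' names are hypothetical."""
import hashlib
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash 1 MiB at a time so the same code copes with large images


def sha256_hex(data):
    """SHA-256 of a bytes-like object, streamed in chunks."""
    h = hashlib.sha256()
    view = memoryview(data)
    for i in range(0, len(view), CHUNK):
        h.update(view[i:i + CHUNK])
    return h.hexdigest()


def _now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def acquire(source, evidence_id, examiner):
    """Copy the source bit-for-bit and open the chain-of-custody record.
    Assumption: the source is read through a hardware write blocker, so
    reading it cannot change it; that step is not modelled here."""
    image = bytes(source)
    src_hash, img_hash = sha256_hex(source), sha256_hex(image)
    if src_hash != img_hash:
        raise RuntimeError("acquisition failed: image hash differs from source hash")
    return image, {
        "evidence_id": evidence_id,
        "size_bytes": len(image),
        "sha256": img_hash,
        "custody": [{"action": "acquired", "by": examiner, "at": _now()}],
    }


def transfer(record, from_person, to_person):
    """Append a hand-over entry; both parties should sign the paper copy too."""
    record["custody"].append({"action": "transferred", "from": from_person,
                              "to": to_person, "at": _now()})
    return record


def verify(image, record):
    """Re-hash before every examination; any change, even one byte, fails."""
    return (len(image) == record["size_bytes"]
            and sha256_hex(image) == record["sha256"])


# Constructed sample 'device' contents (not a real disk image).
DEVICE = (b"FAT32  \x00" + b"payroll_q3.xls\x00" * 64 + b"\xff" * 4096
          + b"deleted_memo.docx\x00" + b"\x00" * 2048)

if __name__ == "__main__":
    image, rec = acquire(DEVICE, "EX-001", "A. Examiner")
    transfer(rec, "A. Examiner", "B. Analyst")
    print("verified:", verify(image, rec))              # True
    tampered = image[:100] + b"X" + image[101:]
    print("tampered verifies:", verify(tampered, rec))  # False
```

The hash is recorded once, at acquisition, and every later check compares against that record rather than against the source, which may no longer exist; a record that is itself kept on writable media should be signed or printed and countersigned at each hand-over.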
- Some of the most respected companies in the world, such as WorldCom, Enron, Anderson, Xerox, Tyco and even Halliburton in Nigeria, have been implicated in financial scandals of one degree or another.
- In another development, employees often rob their employers blind. When the enemies within bilk their companies of money, they do so by manipulating financial records and statements, with their tracks fully covered or completely erased.
Our engagement in this area is focused on resolving allegations of infractions of company policy, irregularities and all other forms of financial impropriety, from inception to conclusion, using forensic techniques. We also assist organisations in developing and implementing a Corporate Fraud Policy that protects the rights of auditors and forensic investigators in the company while pre-empting the usual "right of privacy" claims raised by perpetrators.
- Evaluate potential exposures in the financial system and recommend appropriate controls to close the "fraud gaps"
- Assist institutions in developing and putting in place an effective Fraud Policy
- Resolve allegations of fraud from inception to conclusion
- Produce a competent and accurate Forensic Report that can be tendered in any court of law should the need arise
Main tracks in this assignment include:
- Identifying Common Symptoms of Fraud and Irregularities in Books, Records, and Computer Data: Understanding the “Red-Flags”.
- Motivations for Fraud and other Commercial Dishonesty: Controlling the Deviant Behavior in the Business Place.
- Establishing the Sociological Causes of Fraud and other White-Collar Crime in Organisations and Agencies of Government.
- Cheque Fraud Incidents and Protection Strategies.
- Embezzlement Schemes and Loss Prevention Strategy.
- Resolving High-Tech Fraud
- Interviewing Techniques in Fraud and Forensic Investigation
- Evidence gathering and Analytical Methodologies in Forensic Investigation
- Issues of Code of Conduct as a Way of Mitigating Unethical Business Practices in Organizations
- Methods and Techniques for Computer and Accounting Forensic Investigation
- Criminal Prosecution for Fraud and Financial Crimes: Arrest, Searches, Seizures, Pre-Trial Guidelines and Sentencing Procedures
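One concrete "red flag" test for books and computer data, as an added example that is not part of the original page or the firm's own methodology: a first-digit (Benford's law) screen of the kind computer-assisted audit tools run over a ledger, here used to surface a cluster of payments booked just under an approval limit. The ledger is constructed with a fixed seed, and the 5,000 approval limit, the `make_ledger` helper and the injected payment range are hypothetical.

```python
"""Added example, not part of the original page: a first-digit (Benford's law)
screen of the kind a CAAT tool runs over a ledger to surface a red flag such as
a cluster of payments booked just under an approval limit. The ledger is
constructed with a fixed seed; the amounts and the 5,000 limit are hypothetical."""
import math
import random
from collections import Counter


def benford_expected():
    """Expected first-digit proportions: P(d) = log10(1 + 1/d)."""
    return {d: math.log10(1 + 1 / d) for d in range(1, 10)}


def first_digit(amount):
    """Leading non-zero digit of a monetary amount; None for zero/non-finite."""
    a = abs(float(amount))
    if a == 0 or not math.isfinite(a):
        return None
    while a >= 10:
        a /= 10
    while a < 1:
        a *= 10
    return int(a)


def benford_screen(amounts, z_threshold=2.0):
    """Per-digit z-test of observed vs expected proportions plus the mean
    absolute deviation (MAD). A digit is flagged when it appears significantly
    MORE often than Benford predicts (one-sided), the usual fraud signature."""
    counts = Counter(d for d in map(first_digit, amounts) if d is not None)
    n = sum(counts.values())
    if n == 0:
        raise ValueError("no non-zero amounts to test")
    expected = benford_expected()
    result = {"n": n, "digits": {}}
    mad = 0.0
    for d in range(1, 10):
        p = expected[d]
        obs = counts[d] / n
        z = (obs - p) / math.sqrt(p * (1 - p) / n)
        mad += abs(obs - p)
        result["digits"][d] = {"observed": round(obs, 4), "expected": round(p, 4),
                               "z": round(z, 2), "flag": z > z_threshold}
    result["mad"] = round(mad / 9, 4)
    return result


def make_ledger(seed=7, inject=0):
    """Constructed sample: log-uniform amounts (which follow Benford's law)
    plus `inject` payments of 4,900-4,999.99, just under a hypothetical 5,000
    approval limit -- the classic 'split to avoid authorisation' pattern."""
    rng = random.Random(seed)
    amounts = [round(10 ** rng.uniform(1, 5), 2) for _ in range(2000)]
    amounts += [round(rng.uniform(4900, 4999.99), 2) for _ in range(inject)]
    return amounts


def flagged_digits(amounts):
    """Digits whose frequency exceeds Benford's expectation at z > 2."""
    res = benford_screen(amounts)
    return sorted(d for d, r in res["digits"].items() if r["flag"])


if __name__ == "__main__":
    for label, ledger in (("clean", make_ledger()), ("suspect", make_ledger(inject=150))):
        res = benford_screen(ledger)
        print("%s: n=%d MAD=%.4f flagged=%s" % (label, res["n"], res["mad"], flagged_digits(ledger)))
        for d, r in res["digits"].items():
            print("  %d obs=%.3f exp=%.3f z=%+.2f%s"
                  % (d, r["observed"], r["expected"], r["z"], "  <-- flag" if r["flag"] else ""))
```

A flagged digit is a lead, not a finding: the next step is to pull the transactions behind the spike (here, every payment between 4,900 and 4,999.99) and examine vendor, approver and timing. The test assumes the population is expected to follow Benford's law in the first place, which holds for naturally occurring amounts spanning several orders of magnitude but not for assigned numbers such as fixed fees or invoice sequences.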
IT Policies, Procedures and Forms give assurance that an organisation’s business strategy is aligned with its IT strategy. Institutions whose IT strategy is not in alignment will be in one of the following states:
- Entropy – a state of gross misalignment;
- Misfit – collaboration between functions and processes is minimal;
- Mixed – a state of mixture of alignment and misalignment; here a reasonable number of functions and processes are “kind” of going in the same direction;
- Threshold – a minimal level of alignment exist so that products and services can move through the value chain and to the customer; and
- Harmony – general and continuing state of perfect alignment.
To understand the objectives of this engagement, the following key questions need to be answered:
- Are your IT resources adequately supporting your major business objectives?
- Can you reduce the cost of core processes, or can you deliver a higher quality service?
- Can IT help you ‘tie in’ to your profitable customers and business partners on a long-term basis?
- Is IT improving staff satisfaction and motivation to higher productivity?
- Can new products and services be created? Can IT help you gain new markets and improve market penetration?
- Can you derive better and more timely management of information?
- How can your company’s information and knowledge be managed as a resource?
- What new technologies are emerging and how can they be used in the future to address changing needs of the enterprise?
- Is your IT function managed as a business?
- Have you leveraged Image Processing and Paperless Systems and Models (IPPS) to deliver quality service?
- Do you have a good support system behind you to ensure low downtime during mild or severe interventions?
The answers to the above lie in developing and deploying IT policies, procedures and forms that not only ensure a state of harmony but also align your IT objectives with your business objectives and guarantee value for your IT spend; this state is achieved in a manner that provides sustainable competitive advantage to the institution. That is the main focus of this domain of our service delivery.
- Michael Comer, the author of Corporate Fraud, once stated: “If you want to catch a thief, you have to behave like a thief”.
- It is a truism that no system in the world is foolproof. This means that your IT security can be compromised any time, any day, even by the enemies within. In general parlance, computer hacking connotes evil, but the ethical hacker is in fact the good guy, who will help you identify penetration loopholes in your IT infrastructure and at the same time generate commensurate countermeasures for them.
- Our core mission in this kind of engagement is to create ethical hackers in your environment who will in turn STOP the CRACKER who would defy all odds to cause DISHARMONY in your systems environment.
- Our core objective here is developing computer hacking skills in your IT and other control staff, such as bank examiners and internal auditors. We will also carry out a vulnerability assessment, including penetration testing, to determine where the loopholes are and develop effective countermeasures.
This kind of engagement is usually long-term in nature and can be ongoing for some time.
- Corporate Governance is about the sharing of power and responsibility, the setting of policies, procedures and standards, and ensuring that the entity’s personnel imbibe the corporate ‘ethic’ moulded by those policies and standards, which gives ultimate assurance that the entity’s objectives are met.
- By the same token, the Board or other top officers of the company must ensure that IT policies are aligned with corporate policies in order to avoid a state of strategic misfit. Only then can management have an effective measure of the benefits of IT deployment in organisations and agencies of government.
As businesses and organisations demand high-speed information transfer, computer networking provides a level of connectivity, and consequently a virtual office, that helps achieve a higher degree of customer satisfaction. However, the bulk of the concern lies in controlling the basic network infrastructure while meeting the growing need for availability and high performance, especially as computer networks increasingly handle mission-critical applications. Occasionally, legitimate employees become the “risk agents” and pose a higher level of threat to the entity’s Enterprise-Network environment.
Our Service Process
- In this kind of environment, IS Audit Assurance and Security will provide the following benefits for your organization:
- Establishment and deployment of an effective and efficient IS Audit environment that guarantees:
- IS Controls Monitoring and Compliance through Application Systems Audit Activity
- Computer-Assisted Audit Techniques for Data Extraction and Analysis to produce electronic evidence of completeness, and accuracy of transaction processing using Interactive Data Extraction and Analysis (IDEA) CAAT
- Vulnerability Assessment to ensure that the Enterprise-Network perimeter is not compromised
- Penetration Testing and confirmation to ensure that infrastructure components and devices are correctly configured and functioning properly
- Assurance of a comprehensive and documented Disaster Recovery Plan and that Systems Contingency Plans are in place
- Assurance that there is an IT policy in place which serves as a reference guide for all IT projects
- Assurance that there is adequate support for all IT projects (Hardware and Software)
- Activity Format
- Audit Assurance activity can either be outsourced completely or be deployed in your environment, followed by a series of hand-holding sessions with the client’s audit staff after a skills impartation process (training).
The main objective of this engagement is to provide expert assistance to the client in developing and installing an IS Audit Assurance function that is both innovative and dynamic.
One important success factor in business service delivery remains availability and uptime. Where companies and other mission-critical institutions cannot guarantee minimum downtime during interruptions, whether man-made or force majeure, organisations pay dearly for it. There are many instances of Boards of Directors being sued by other stakeholders for the Board’s inability to recover from a major peril.
Our service in this area is to help organisations develop and implement an effective Systems Contingency Plan and DRP that will stand the test of time.
Our Disaster Recovery planning will incorporate the following pattern:
- Critical Assessment
- Non-Critical Assessment
- Sensitive Assessment
- Non-Sensitive Assessment
- Business Impact Analysis
- Developing Recovery Alternatives
- Testing a selected alternative
- Implementing a selected alternative
- Continuous Auditing and Monitoring of the DRP
- Truthfully, the survival or failure of any organisation, be it a public or private entity, hinges on its human capital. The best-run and most successful organisations around the world (e.g. Microsoft, IBM) are known to rank the human asset ahead of all other organisational assets; hence a great deal more is invested in the human capital of these organisations through skills development and improvement programmes.
- Our core mission in this area, therefore, is to help organisations develop, set, design and implement strategic Human Capital policies and resources that are innovative and forward-looking.
The core business solutions provided in this domain are tailored towards helping organisations and institutions of government build capacity in the following areas:
- Finance and related Accounting Services
- Information Technology
- Computer Security
- Management Skills
- Basic and Advanced Computer Skills
- Auditing and Forensic Investigation
- IS Audit Environment Creation and Deployment
- Computer Hacking and Countermeasures
- Computer Forensic and Data Recovery Skills