massive re-write from org-publish to weblorg

1 files changed, 205 insertions, 0 deletions

diff --git a/content/blog/2021-12-04-cisa.org b/content/blog/2021-12-04-cisa.org
new file mode 100644
index 0000000..d06eb51
--- /dev/null
+++ b/content/blog/2021-12-04-cisa.org
@@ -0,0 +1,205 @@
+#+title: I Passed the CISA!
+#+date: 2021-12-04
+#+description: A recap of the CISA certification exam and my results.
+#+filetags: :audit:
+
+* What is the CISA?
+For those of you lucky enough not to be knee-deep in the world of IT/IS
+Auditing, [[https://www.isaca.org/credentialing/cisa][CISA]] stands for
+Certified Information Systems Auditor. This certification and exam are
+part of ISACA's suite of certifications. As I often explain it to people
+like my family, it basically means you're employed to use your knowledge
+of information systems, regulations, common threats, risks, etc. in
+order to assess an organization's current control of their risk. If a
+risk isn't controlled (and the company doesn't want to accept the risk),
+an IS auditor will suggest implementing a control to address that risk.
+
+Now, the CISA certification itself is, in my opinion, the main
+certification for this career. While certifications such as the CPA or
+CISSP are beneficial, nothing matches the power of the CISA for an IS
+auditor when it comes to getting hired, getting a raise/bonus, or
+earning respect in the field.
+
+However, to be honest, I am a skeptic of most certifications. I
+understand the value they hold in terms of how much you need to commit
+to studying or learning on the job, as well as the market value for
+certifications such as the CISA. But I also have known some very
++incompetent+ /less than stellar/ auditors who have CPAs, CISAs, CIAs,
+etc.
+
+The same goes for most industries: if a person is good at studying, they
+can earn the certification. However, that knowledge means nothing unless
+you're actually able to use it in real life and perform as expected of a
+certification holder. The challenge comes when people are hired or
+connected strictly because of their certifications or resume; you need
+to see a person work before you can assume them having a CISA means
+they're better than someone without the CISA.
+
+Okay, rant over. Certifications are generally accepted as a measuring
+stick of commitment and quality of an employee, so I am accepting it
+too.
+
+* Exam Content
+The CISA is broken down into five sections, each weighted with a
+percentage of test questions that may appear.
+
+#+caption: CISA exam sections
+[[https://img.cleberg.net/blog/20211204-i-passed-the-cisa/cisa-exam-sections.png]]
+
+Since the exam contains 150 questions, here's how those sections break
+down:
+
+| Exam Section  | Percentage of Exam | Questions |
+|---------------+--------------------+-----------|
+| 1             | 21%                | 32        |
+| 2             | 17%                | 26        |
+| 3             | 12%                | 18        |
+| 4             | 23%                | 34        |
+| 5             | 27%                | 40        |
+| *Grand Total* | *100%*             | *150*     |
+
+* My Studying Habits
+This part is a little hard for me to break down into specific detail due
+to the craziness of the last year. While I officially purchased my
+studying materials in December 2020 and opened them to "start studying"
+in January 2021, I really wasn't able to study much due to the demands
+of my job and personal life.
+
+Let me approach this from a few different viewpoints.
+
+** Study Materials
+Let's start by discussing the study materials I purchased. I'll be
+referring to #1 as the CRM and #2 as the QAE.
+
+1. [[https://store.isaca.org/s/store#/store/browse/detail/a2S4w000004KoCbEAK][CISA
+   Review Manual, 27th Edition | Print]]
+2. [[[[https://store.isaca.org/s/store#/store/browse/detail/a2S4w000004KoCcEAK]]][CISA
+   Review Questions, Answers & Explanations Manual, 12th Edition |
+   Print]]
+
+The CRM is an excellent source of information and could honestly be used
+as a reference for most IS auditors as a learning reference during their
+daily audit responsibilities. However, it is *full** of information and
+can be overloading if you're not good at filtering out useless
+information while studying.
+
+The QAE is the real star of the show here. This book contains 1000
+questions, separated by exam section, and a practice exam. My only
+complaint about the QAE is that each question is immediately followed
+with the correct answer and explanations below it, which means I had to
+use something to constantly cover the answers while I was studying.
+
+I didn't use the online database version of the QAE, but I've heard that
+it's easier to use than the printed book. However, it is more expensive
+($299 database vs $129 book) which might be important if you're paying
+for materials yourself.
+
+In terms of question difficulty, I felt that the QAE was a good
+representation of the actual exam. I've seen a lot of people online say
+it wasn't accurate to the exam or that it was much easier/harder, but I
+disagree with all of those. The exam was fairly similar to the QAE, just
+focusing on whichever topics they chose for my version of the exam.
+
+If you understand the concepts, skim the CRM (and read in-depth on
+topics you struggle with), and use the QAE to continue practicing
+exam-like questions, you should be fine. I didn't use any online
+courses, videos, etc. - the ISACA materials are more than enough.
+
+** Studying Process
+While I was able to briefly read through sections 1 and 2 in early 2021,
+I had to stop and take a break from February/March to September. I
+switched jobs in September, which allowed me a lot more free time to
+study.
+
+In September, I studied sections 3-5, took notes, and did a quick review
+of the section topics. Once I felt comfortable with my notes, I took a
+practice exam from the QAE manual and scored 70% (105/150).
+
+Here's a breakdown of my initial practice exam:
+
+| Exam Section  | Incorrect | Correct | Grand Total | Percent |
+|---------------+-----------+---------+-------------+---------|
+| 1             | 8         | 25      | 33          | 76%     |
+| 2             | 5         | 20      | 25          | 80%     |
+| 3             | 6         | 12      | 18          | 67%     |
+| 4             | 10        | 23      | 33          | 70%     |
+| 5             | 16        | 25      | 41          | 61%     |
+| *Grand Total** | *45**      | *105**   | *150**       | *70%**   |
+
+As I expected, my toughest sections were related to project management,
+development, implementation, and security.
+
+This just leaves October and November. For these months, I tried to
+practice every few days, doing 10 questions for each section, until the
+exam. This came out to 13 practice sessions, ~140 questions per section,
+and ~700 questions total.
+
+While some practice sessions were worse and some were better, the final
+results were similar to my practice exam results. As you can see below,
+my averages were slightly worse than my practice exam. However, I got in
+over 700 questions of practice and, most importantly, *I read through
+the explanations every time I answered incorrectly and learned from my
+mistakes*.
+
+| Exam Section  | Incorrect | Correct | Grand Total | Percent |
+|---------------+-----------+---------+-------------+---------|
+| 1             | 33        | 108     | 141         | 77%     |
+| 2             | 33        | 109     | 142         | 77%     |
+| 3             | 55        | 89      | 144         | 62%     |
+| 4             | 52        | 88      | 140         | 63%     |
+| 5             | 55        | 85      | 140         | 61%     |
+| *Grand Total** | *228**     | *479**   | *707**       | *68%**   |
+
+#+caption: CISA practice question results
+[[https://img.cleberg.net/blog/20211204-i-passed-the-cisa/cisa-practice-questions-results.png]]
+
+* Results
+Now, how do the practice scores reflect my actual results? After all,
+it's hard to tell how good a practice regimen is unless you see how it
+turns out.
+
+| Exam Section | Section Name                                                     | Score |
+|--------------+------------------------------------------------------------------+-------|
+| 1            | Information Systems Auditing Process                             | 678   |
+| 2            | Governance and Management of IT                                  | 590   |
+| 3            | Information Systems Acquisition, Development, and Implementation | 721   |
+| 4            | Information Systems Operations and Business Resilience           | 643   |
+| 5            | Protection of Information Assets                                 | 511   |
+| *TOTAL*      |                                                                  | *616* |
+
+Now, in order to pass the CISA, you need at least 450 on a sliding scale
+of 200-800. Personally, I really have no clue what an average CISA score
+is. After a /very/ brief look online, I can see that the high end is
+usually in the low 700s. In addition, only about 50-60% of people pass
+the exam.
+
+Given this information, I feel great about my scores. 616 may not be
+phenomenal, and I wish I had done better on sections 2 & 5, but my
+practicing seems to have worked very well overall.
+
+However, the practice results do not conform to the actual results.
+Section 2 was one of my highest practice sections and was my
+second-lowest score in the exam. Conversely, section 3 was my
+second-lowest practice section and turned out to be my highest actual
+score!
+
+After reflecting, it is obvious that if you have any background on the
+CISA topics at all, the most important part of studying is doing
+practice questions. You really need to understand how to read the
+questions critically and pick the best answer.
+
+* Looking Forward
+I am extremely happy that I was finally able to pass the CISA. Looking
+to the future, I'm not sure what's next in terms of professional
+learning. My current company offers internal learning courses, so I will
+most likely focus on that if I need to gain more knowledge in certain
+areas.
+
+To be fair, even if you pass the CISA, it's hard to become an expert on
+any specific topic found within. My career may take me in a different
+direction, and I might need to focus more on security or networking
+certifications (or possibly building a better analysis/visualization
+portfolio if I want to go into data analysis/science).
+
+All I know is that I am content at the moment and extremely proud of my
+accomplishment.