Abilities

  • A0056: Ability to ensure security practices are followed throughout the acquisition process.

Knowledge

  • K0001: Knowledge of computer networking concepts and protocols, and network security methodologies. 
  • K0002: Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). 
  • K0003: Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy. 
  • K0004: Knowledge of cybersecurity and privacy principles. 
  • K0005: Knowledge of cyber threats and vulnerabilities. 
  • K0006: Knowledge of specific operational impacts of cybersecurity lapses. 
  • K0043: Knowledge of industry-standard and organizationally accepted analysis principles and methods. 
  • K0047: Knowledge of information technology (IT) architectural concepts and frameworks.
  • K0048: Knowledge of Risk Management Framework (RMF) requirements. 
  • K0072: Knowledge of resource management principles and techniques.
  • K0090: Knowledge of system life cycle management principles, including software security and usability.
  • K0120: Knowledge of how information needs and collection requirements are translated, tracked, and prioritized across the extended enterprise.
  • K0126: Knowledge of Supply Chain Risk Management Practices (NIST SP 800-161).
  • K0148: Knowledge of import/export control regulations and responsible agencies for the purposes of reducing supply chain risk.
  • K0154: Knowledge of supply chain risk management standards, processes, and practices.
  • K0165: Knowledge of risk threat assessment.
  • K0169: Knowledge of information technology (IT) supply chain security and supply chain risk management policies, requirements, and procedures. 
  • K0198: Knowledge of organizational process improvement concepts and process maturity models (e.g., Capability Maturity Model Integration (CMMI) for Development, CMMI for Services, and CMMI for Acquisitions). 
  • K0200: Knowledge of service management concepts for networks and related standards (e.g., Information Technology Infrastructure Library, current version [ITIL]).
  • K0235: Knowledge of how to leverage research and development centers, think tanks, academic research, and industry systems. 
  • K0257: Knowledge of information technology (IT) acquisition/procurement requirements.
  • K0270: Knowledge of the acquisition/procurement life cycle process. 

Skills

  • S0038: Skill in identifying measures or indicators of system performance and the actions needed to improve or correct performance, relative to the goals of the system.
  • S0085: Skill in conducting audits or reviews of technical systems.
  • S0372: Skill to translate, track, and prioritize information needs and intelligence collection requirements across the extended enterprise. 

Tasks

  • T0072: Develop methods to monitor and measure risk, compliance, and assurance efforts.
  • T0207: Provide ongoing optimization and problem-solving support.
  • T0208: Provide recommendations for possible improvements and upgrades.
  • T0223: Review or conduct audits of information technology (IT) programs and projects.
  • T0256: Evaluate the effectiveness of procurement function in addressing information security requirements and supply chain risks through procurement activities and recommend improvements.
  • T0389: Review service performance reports identifying any significant issues and variances, initiating, where necessary, corrective actions and ensuring that all outstanding issues are followed up.
  • T0412: Conduct import/export reviews for acquiring systems and software.
  • T0415: Ensure that supply chain, system, network, performance, and cybersecurity requirements are included in contract language and delivered.

Capability Indicators

Capability Indicators for IT Program Auditor

The original table has three columns (Entry, Intermediate, Advanced) per category; they are laid out below as labeled sub-blocks.

Credentials/Certifications
  Entry
    • Recommended: N/A
    • Example Types: N/A
    • Example Topics: N/A
  Intermediate
    • Recommended: Yes
    • Example Types: N/A
    • Example Topics: Certifications that address system security, network infrastructure, access control, cryptography, assessments and audits, and organizational security
  Advanced
    • Recommended: Yes
    • Example Types: N/A
    • Example Topics: Certifications that address security and risk management, asset security, security engineering, communications and network security, identity and access management, security assessment and testing, security operations, software development security, information security governance, and information risk management

Continuous Learning
  Entry
    • Recommended: N/A
    • Examples: N/A
  Intermediate
    • Recommended: Yes
    • Examples: 40 hours annually (may include mentoring, shadowing, conferences, webinars, or rotations)
  Advanced
    • Recommended: Yes
    • Examples: 40 hours annually (may include mentoring, shadowing, conferences, webinars, or rotations)

Education
  Entry
    • Recommended: No (not an Entry-level Work Role)
    • Example Types: N/A
    • Example Topics: N/A
  Intermediate
    • Recommended: Yes
    • Example Types: Bachelor's (certifications addressing systems administration, risk analysis, governance, security risk management, controls, audit management, information security core concepts [access control, social engineering, phishing attacks, and identity theft], strategic planning, finance, and vendor management may substitute for education)
    • Example Topics: Computer science, cybersecurity, information technology, software engineering, information systems, computer engineering
  Advanced
    • Recommended: Yes
    • Example Types: Bachelor's (certifications addressing advanced systems management, systems administration, system certification, risk analysis, building a business case beyond ROI, principles of leadership and how the CIO uses them to strengthen the IT alignment process, and corporate political communications and corporate political capital may substitute for education)
    • Example Topics: Computer science, cybersecurity, information technology, software engineering, information systems, computer engineering

Experiential Learning
  Entry
    • Recommended: N/A
    • Examples: N/A
  Intermediate
    • Recommended: Yes
    • Examples: Prior information assurance experience
  Advanced
    • Recommended: Yes
    • Examples: Prior information assurance experience

Training
  Entry
    • Recommended: N/A
    • Example Types: N/A
    • Example Topics: N/A
  Intermediate
    • Recommended: Yes
    • Example Types: N/A
    • Example Topics: Network security vulnerability, internal auditing, audit planning, information systems, Sarbanes-Oxley (SOX), accounting, risk assessment, project management, business process, new controls for product and service integrity, and Control Objectives for Information and Related Technologies (COBIT)
  Advanced
    • Recommended: Yes
    • Example Types: N/A
    • Example Topics: Information system security, internal auditing, audit planning, information systems, SOX, accounting, risk assessment, project management, business process, new controls for product and service integrity, and COBIT