Governance and Management of IT: CISA Tutorial
2.1 Governance and Management of IT
Hello and welcome to the second domain of the Certified Information Systems Auditor (CISA) course offered by Simplilearn. This domain covers the concepts of governance and management of IT. Let us look at the objectives of this domain in the next screen.

Objectives
After completing this domain, you will be able to:
• discuss IT governance, security management and control frameworks;
• define the best practices for governance of enterprise IT;
• recall information security roles and responsibilities;
• discuss governance of enterprise IT and management frameworks;
• list IS strategy, policies, standards and procedures;
• define IT governance focus areas;
• describe organizational structure, roles and responsibilities related to IT; and
• describe the development and maintenance of IT strategy and security.
The following screen introduces the concept of corporate governance.

Introduction to Corporate Governance
Corporate governance is the system by which business corporations are directed and controlled. It is the set of responsibilities and practices used by an organization's management to provide strategic direction, thereby ensuring that goals are achievable, risks are properly addressed and organizational resources are properly utilized. The main aim of corporate governance is to balance two conflicting objectives: exploiting available opportunities to increase stakeholder value, while keeping the organization's operations within the limits of regulatory requirements and social obligations. Let us begin with the first section of this domain in the next screen.
2.2 Knowledge Statement 2.1
In this topic, we will learn about the concepts under knowledge statement KS 2.1, IT Governance, Security Management and Control Frameworks. The key knowledge statement is that a CISA candidate must understand IT governance, management, security and control frameworks, and the related standards, guidelines and practices. Top management provides assurance to stakeholders that IT deployment is aligned with the business vision, mission and objectives by implementing an IT governance framework. A governance framework comprises strategic alignment, value delivery, risk management, resource management and performance measurement.

IT Governance, Security Management and Control Frameworks (contd.)
We will continue to learn about IT governance, security management and control frameworks in this screen. Implementation of an IT governance framework leads to:
• an IT governance framework that assures stakeholders that IT strategy is wholly aligned to the business;
• mitigation of risk in the organization through critical controls;
• controls that are determined by the risk they address;
• management using frameworks such as COBIT and those of the International Organization for Standardization (ISO), among others, to set up good IT practices and to monitor and improve them; and
• the IS auditor using the same frameworks to benchmark the practices of a particular organization.
Let us focus on the main areas of coverage in the following screen.

Main Areas of Coverage
To cover this knowledge area, the CISA candidate should have a good grasp of information security governance, IS organizational structure and responsibilities, IS roles and responsibilities, sourcing practices, policies, reviewing contractual commitments, governance of enterprise IT, and performance optimization.
We will look at some of the best practices for governance of enterprise IT in the next screen.

Best Practices for Governance of Enterprise IT
Governance of enterprise IT integrates and institutionalizes good practices to ensure that the enterprise's IT supports the business objectives. The factors that have led to the rise in the importance of governance of enterprise IT include:
• business managers and boards now demanding a better return on investment;
• increasing concern over high expenditure on IT;
• management coming under increasing pressure to meet regulatory requirements for IT, such as SOX and, for banking institutions, Basel II;
• the selection of service providers being a key management decision, especially where service outsourcing and acquisition are involved; and
• increasingly complex IT-related risk, such as network security.

Best Practices for Governance of Enterprise IT (contd.)
Let us continue to learn about the best practices for governance of enterprise IT in this screen. Further factors are:
• IT governance initiatives that include the adoption of control frameworks and good practices to help monitor and improve critical IT activities, increasing business value and reducing business risk;
• the need to optimize costs by following, where possible, standardized rather than specially developed approaches;
• the growing maturity and consequent acceptance of well-regarded frameworks; and
• the need for enterprises to assess how they are performing against generally accepted standards and against their peers, also called benchmarking.
In the next screen, we will learn about information security governance.

Information Security Governance
Information security governance requires strategic direction and impetus within an enterprise. It requires commitment, resources and the assignment of responsibility for information security management, as well as a means for the board to determine whether its intent has been met.
Effective information security governance is achieved only with the involvement of the board of directors (BOD) and/or senior management in approving policy, in appropriate monitoring and metrics, and in reporting and trend analysis. We will continue to learn about information security governance in the following screen.

Information Security Governance (contd.)
Members of the board need to be aware of the organization's information assets and their criticality to ongoing business operations. This can be accomplished by periodically providing the board with the high-level results of comprehensive risk assessments and business impact analysis (BIA). In the next screen, we will learn about the roles and responsibilities of the board of directors in information security governance.

Roles and Responsibilities: BOD
To ensure proper information security governance, the board should approve the assessment of the key assets to be protected, and confirm that protection levels and priorities are appropriate to a standard of due care. The tone at the top must be conducive to effective security governance: it is unreasonable to expect lower-level personnel to abide by security measures that senior management does not itself observe. Executive management endorsement of intrinsic security requirements provides the basis for ensuring that security expectations are met at all levels of the enterprise. Penalties for noncompliance must be defined, communicated and enforced from the board level down. Let us look at an example of the importance of information security in the following screen.

Importance of Information Security
Information security is about setting the right culture towards the protection of information assets in an organization.
It is difficult to convince employees to observe a particular control, such as periodically changing their passwords (even on their personal email), if the CEO insists on not changing his or her own password. Note that a requirement to change passwords after a given period is enforceable by IS management from the server side or back end, independently of the user's cooperation. Current guidance in NIST SP 800-63B, however, advises against forcing periodic password changes unless there is evidence of compromise, so the example is best read as an illustration of tone at the top rather than as a recommended control. We will learn about the roles and responsibilities of senior management in information security management in the next screen.

Roles and Responsibilities: Senior Management
The roles and responsibilities of senior management are as follows. Executive management has the key responsibility of implementing effective security governance and defining the strategic security objectives of the organization. This focus and support must be sustained on a continuous basis. The security steering committee is responsible for overseeing all security aspects of the organization, and should be representative of the groups or functions that are affected by information security. This allows consensus and trade-offs to be reached on matters of information security such as priorities, plans, risks and controls, while improving communication. The Chief Information Security Officer (CISO) ensures that good information security practices are carried out within the organization, for example that employees take care of their passwords. Let us learn about governance of enterprise IT and various management frameworks in the next screen.
Governance of Enterprise IT and Management Frameworks
The following are some of the frameworks and standards for the governance and management of enterprise IT:
• COBIT 5
• ISO/IEC 27001
• ITIL®
• IT Baseline Protection Catalogs (IT-Grundschutz Catalogs)
• Information Security Management Maturity Model (ISM3)
• ISO/IEC 38500:2008, Corporate Governance of Information Technology
• ISO/IEC 20000
We will learn about each in detail in the forthcoming screens. Let us begin with COBIT 5, ISO/IEC 27001 and ITIL in the next screen.

COBIT 5, ISO/IEC 27001 and ITIL
COBIT 5 is the latest edition of the COBIT series by ISACA. COBIT stands for Control Objectives for Information and related Technology. COBIT is a good-practice framework that supports IT governance and management in ensuring that IT is aligned with the business so as to maximize the benefits. COBIT 5 is generic and useful for enterprises of all sizes, whether commercial, not-for-profit or public sector.
ISO/IEC 27001 (often written ISO 27001) specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). The standard traces its origins to British Standard BS 7799.
ITIL is a hands-on framework that provides a means of achieving operational service management of IT. It was developed by the UK Office of Government Commerce (OGC) together with the IT Service Management Forum.
We will learn about the IT Baseline Protection Catalogs and ISM3 in the next screen.
IT Baseline Protection Catalogs and ISM3
The IT Baseline Protection Catalogs, or IT-Grundschutz Catalogs, are a collection of documents (over 3,000 pages) useful for detecting and combating security weak points in the IT environment. They are published by the German Federal Office for Information Security (BSI, Bundesamt für Sicherheit in der Informationstechnik).
The Information Security Management Maturity Model (ISM3) is a process-based maturity model for information security management.
Let us proceed to discuss ISO/IEC 38500:2008 and ISO/IEC 20000 in the following screen.

ISO/IEC 38500:2008 and ISO/IEC 20000
ISO/IEC 38500:2008 is a framework for the corporate governance of information technology. It assists those at the highest organizational level in understanding and fulfilling their legal, regulatory and ethical obligations with respect to their organization's use of IT, and provides guiding principles for the effective, efficient and acceptable use of IT.
ISO/IEC 20000 is a specification for IT service management that is aligned with ITIL's service management framework.
You will now attempt a question to test what you have learned so far.
2.4 Knowledge Statement 2.2
In this topic, we will learn about the concepts under knowledge statement KS 2.2, IS Strategy, Standards, Procedures and Policies. The key knowledge area is to understand the purpose of IT strategy, policies, standards and procedures for an organization, and the essential elements of each. The key points are that IT governance is made effective through a formal framework of IT strategies, policies, standards and procedures, all of which should be consistent with business requirements; that IT is effectively managed and monitored; and that management has implemented effective controls over the decisions, direction and performance of IT. To have a proper understanding of this knowledge area, the CISA candidate should have a good grasp of governance of enterprise IT, best practices for governance of enterprise IT, and information systems strategy. We will learn about information systems strategy in the next screen.

Information Systems Strategy
An information systems strategy articulates the enterprise's long-term intention to use information systems to improve its business processes, based on the business requirements. When formulating the IS strategy, an enterprise must consider the following:
• business objectives and the competitive environment;
• current and future technologies and the costs, risks and benefits they can bring to the business;
• the capability of the IT organisation and its technology to deliver current and future levels of service to the business, and the extent of change and investment this might imply for the whole enterprise;
• the cost of current IT and whether it provides sufficient value to the business; and
• the lessons learned from past failures and successes.
Let us look at some best practices for governance of enterprise IT in the next screen.
Best Practices for Governance of Enterprise IT
Governance of Enterprise IT (GEIT) implies a system in which all stakeholders, including the board, internal customers and departments such as finance, provide input into the decision-making process. GEIT has become significant due to a number of factors, such as:
• business managers and boards demanding a better return from investments;
• concerns over the generally increasing level of IT expenditure;
• the need to meet regulatory requirements for IT controls in areas such as privacy and financial reporting;
• the selection of service providers and the management of service outsourcing and acquisitions; and
• IT governance initiatives that include the adoption of control frameworks and good practices to help monitor and improve critical IT activities, increasing business value and reducing business risk.
We will continue to look at best practices for governance of enterprise IT in the following screen.

Best Practices for Governance of Enterprise IT (contd.)
• the need to optimize costs by following, where possible, standardized rather than specially developed approaches;
• the growing maturity and consequent acceptance of well-regarded frameworks; and
• the need for enterprises to assess how they are performing against generally accepted standards and against their peers.
The governance process should focus on monitoring, evaluating and directing conformance and performance, the system of internal controls, and compliance with external requirements. We will look at IT governance focus areas in the next screen.

IT Governance Focus Areas
The focus areas of IT governance described here are strategic alignment, value delivery and risk management (resource management and performance measurement, listed earlier, complete the five). Strategic alignment focuses on ensuring the linkage of business and IT plans by defining, maintaining and validating the IT value proposition, and on aligning IT operations with enterprise operations.
Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing costs and proving the intrinsic value of IT. Risk management requires risk awareness by senior corporate officers, a clear understanding of the enterprise's appetite for risk, an understanding of compliance requirements, transparency about the significant risks to the enterprise, and the embedding of risk management responsibilities into the organization. You will now attempt a question to test what you have learned so far.
2.6 Knowledge Statement 2.3
In this topic, we will learn about the concepts under knowledge statement KS 2.3, Organizational Structure, Roles and Responsibilities Related to IT. The key knowledge area for a CISA candidate is to understand the organizational structure, roles and responsibilities related to IT. Organizations must clearly define organizational structures that set out the responsibilities of the major functions within the enterprise and how those structures ensure proper segregation of duties. Let us look at the main areas of coverage in the next screen.

Main Areas of Coverage
The key coverage areas for this knowledge area are IT governing committees, information security governance, organizational change management, IS roles and responsibilities, and IS organizational structures and responsibilities. Note that the CISA exam does not test specific job responsibilities, as these vary from one organization to another. However, the candidate may be tested on the roles and responsibilities of business owners, information security and executive management functions, as these are universal functions. In addition, the exam may test separation of duties, also referred to as segregation of duties.

IS Roles and Responsibilities
Let us look at IS roles and responsibilities in this screen. Organizational structure charts provide a clear definition of the department's hierarchy and authorities, while job descriptions give IS department employees clear direction regarding their roles and responsibilities. The systems development manager is responsible for the programmers and analysts who implement new systems and maintain existing systems. A project manager is responsible for planning and executing IS projects and may report to a project management office or to the development organization.
Additionally, he or she may carry out a number of duties that include:
• utilizing the budgets assigned for the delivery of IS initiatives;
• reporting on project progress to the IS steering committee; and
• executing the vision of the IT strategy and the IT steering committee by planning, coordinating and delivering IS projects to the enterprise.
We will learn about further IS roles and responsibilities in the next few screens.

IS Roles and Responsibilities (contd.)
A service desk, also known as a help desk, is a unit within an organization that responds to technical questions and problems faced by users. Questions and answers can be exchanged by telephone, fax, e-mail or instant messaging, and service desk personnel may use third-party help desk software to find answers to common questions quickly. A procedure should be in place to record the problems reported, solved and escalated, so that the problems or questions can be analyzed. Such a procedure helps in monitoring the user groups and in improving the software and information processing facility (IPF) services.

IS Roles and Responsibilities (contd.)
Service desk activities include:
• acquiring software (SW) and hardware (HW);
• training end users to use hardware and software;
• informing users of hardware or software problems;
• initiating changes to improve efficiency; and
• determining the source of system problems.

IS Roles and Responsibilities (contd.)
An end user is typically responsible for operations related to business application services.
The term end user distinguishes the person for whom a product or system was designed from the person who programs, services or installs it, for applications such as a Financial Management Information System (FMIS), Customer Relationship Management (CRM) or Enterprise Resource Planning (ERP). To distinguish a user from an end user, note that the term user is broader: it can refer to administrative accounts and to platform accounts such as an application account that accesses a database on behalf of an application, whereas an end user is a physical person who accesses systems.

IS Roles and Responsibilities (contd.)
An end user support manager usually acts as the liaison between the IS department and the end users. A data manager is responsible for the data architecture in larger IT environments and for managing data as a corporate asset. Information security management is a function that generally needs to be separate from the IS department and is headed by a Chief Information Security Officer (CISO). The CISO may report to the CIO or have a dotted-line (indirect) reporting relationship to the CIO. Note that even when the security officer reports to the CIO there is a potential conflict: the CIO's goal is to provide continuous IT services efficiently, whereas the CISO may be less interested in cost reduction where it affects the quality of protection.

IS Roles and Responsibilities (contd.)
A quality assurance manager is responsible for negotiating and facilitating quality activities in all areas of information technology. Vendor and outsourcer management: there has been a general increase in outsourcing, including the use of multiple vendors for software development, equipment maintenance, printing services, online payment services, infrastructure services, Internet service provision and so on.
A number of dedicated staff may be required to manage the vendors and outsourcers, performing functions that include:
• acting as the prime contact for the vendor or outsourcer within the IS function;
• providing direction to the outsourcer on issues and escalating them internally within the organization and the IS function;
• monitoring and reporting on service levels to management; and
• reviewing changes to the contract arising from new requirements and obtaining IS approvals.

IS Roles and Responsibilities (contd.)
Infrastructure operations and management: an operations manager is responsible for computer operations personnel, that is, all the staff required to run the information processing facility (IPF) efficiently and effectively, including computer operators, librarians, schedulers and data control personnel. The IPF includes the computers, peripherals, magnetic media and the data stored on that media. It constitutes a major asset investment and affects the enterprise's ability to function effectively. The computer room should be secured, and no one except authorized operations personnel should have access to the IPF.

IS Roles and Responsibilities (contd.)
Media management is required to record, issue, receive and safeguard all program and data files maintained on removable media. Data entry is critical to the information processing activity and can be batch entry or online entry. The systems administrator is responsible for maintaining major multiuser computer systems, including local area networks, wireless local area networks, wide area networks, personal area networks, storage area networks, intranets and extranets, and mid-range and mainframe systems.

IS Roles and Responsibilities (contd.)
Security administration begins with management's commitment.
Management must understand and evaluate security risks, and develop and enforce a written policy that clearly states the standards and procedures to be followed. The duties of the security administrator should be defined in that policy. To provide adequate segregation of duties, this individual should be a full-time employee who may report directly to the infrastructure director.

IS Roles and Responsibilities (contd.)
Quality assurance personnel usually perform two distinct tasks: quality control and quality assurance. Quality control (QC) conducts tests or reviews to verify that software is free from defects and meets user expectations. This can be done at various stages of the development of an application system, but it must be done before the programs are moved into production. Quality assurance (QA) helps the IS department ensure that personnel are following the prescribed quality processes; for example, QA helps ensure that programs and documentation adhere to the standards and naming conventions.

IS Roles and Responsibilities (contd.)
Systems analysts are the specialists who design systems based on the needs of the user and are usually involved during the initial phase of the system development life cycle (SDLC). Security architects evaluate security technologies; design the security aspects of the network topology, access control, identity management and other security systems; and establish security policies and security requirements. One may argue that systems analysts perform the same role as the architect.

IS Roles and Responsibilities (contd.)
Applications development and maintenance staff are responsible for developing and maintaining applications. Infrastructure development and maintenance staff are responsible for maintaining the systems software, including the operating system.
Network administrators are responsible for key components of this infrastructure (routers, switches, firewalls, network segmentation, performance management, remote access and so on). So far we have learned about the various IS roles and responsibilities. Let us proceed to the next screen and discuss the segregation of duties (SoD) matrix.

Segregation of Duties (SoD) Matrix
The table on the screen illustrates an example of a segregation of duties matrix. The IS duties are listed down the rows and repeated across the columns. An "X" where a row and a column meet means the two duties are incompatible, and one individual should therefore not perform both. For example, an individual in the control group (CG) should not also be a systems analyst (SA), and a systems analyst should not also perform the quality assurance (QA) role. Study this matrix carefully, as it is important for a CISA candidate. You will attempt a question to test your knowledge in the next screen.
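An IS auditor rarely checks a SoD matrix by eye against a user list; the matrix is turned into an automated check over an access-review export. The following Python script is an added example and is not part of the tutorial or the ISACA matrix. Only the two incompatible pairs named above (control group vs. systems analyst, systems analyst vs. quality assurance) come from the text; the remaining pairs, the role abbreviations AP, CO and SEC, and the user/role export are constructed assumptions used to show how a fuller matrix behaves. The check also verifies that the matrix is symmetric, since a matrix in which the (SA, QA) cell is marked but (QA, SA) is not would silently miss conflicts depending on the order roles are read.

```python
"""Segregation-of-duties (SoD) conflict check over a role-assignment export.

Added example, not from the CISA tutorial. The incompatibility set below is
constructed for illustration: only {CG, SA} and {SA, QA} are named in the
text; every other pair and abbreviation is an assumption.
"""
import csv
import io
from itertools import combinations

# Role abbreviations used in the matrix (CG, SA, QA from the text; rest assumed).
CG, SA, QA, AP, CO, SEC = "CG", "SA", "QA", "AP", "CO", "SEC"

# "X" cells of the matrix. frozenset makes the pair order-independent,
# so {SA, QA} and {QA, SA} are the same cell.
INCOMPATIBLE = {
    frozenset({CG, SA}),   # named in the text
    frozenset({SA, QA}),   # named in the text
    frozenset({AP, CO}),   # assumed: an application programmer should not operate production
    frozenset({AP, SEC}),  # assumed: developer should not administer security
    frozenset({CO, SEC}),  # assumed: operator should not administer security
}

# Constructed access-review export, one (user, role) assignment per row.
ACCESS_EXPORT = """user,role
alice,CG
alice,SA
bob,SA
bob,QA
carol,AP
carol,CO
carol,SEC
dave,QA
"""


def load_assignments(csv_text):
    """Parse a user,role CSV export into {user: set(roles)}."""
    assignments = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"].strip()
        assignments.setdefault(user, set()).add(row["role"].strip())
    return assignments


def find_sod_violations(assignments, incompatible=INCOMPATIBLE):
    """Return sorted (user, role_a, role_b) tuples, one per incompatible pair a user holds.

    A user with three mutually incompatible roles yields three findings,
    which is what an auditor wants to see when scoping remediation.
    """
    violations = []
    for user, roles in assignments.items():
        for a, b in combinations(sorted(roles), 2):
            if frozenset({a, b}) in incompatible:
                violations.append((user, a, b))
    return sorted(violations)


def to_matrix_rows(incompatible):
    """Expand a set of pairs into the row form {role: set(conflicting roles)}."""
    rows = {}
    for pair in incompatible:
        a, b = tuple(pair)
        rows.setdefault(a, set()).add(b)
        rows.setdefault(b, set()).add(a)
    return rows


def matrix_is_symmetric(matrix_rows):
    """True if every X at (row, col) has a matching X at (col, row).

    Catches a hand-maintained matrix where only one half was filled in.
    """
    return all(
        row in matrix_rows.get(col, set())
        for row, cols in matrix_rows.items()
        for col in cols
    )


if __name__ == "__main__":
    rows = to_matrix_rows(INCOMPATIBLE)
    print("matrix symmetric:", matrix_is_symmetric(rows))
    for user, a, b in find_sod_violations(load_assignments(ACCESS_EXPORT)):
        print(f"SoD violation: {user} holds incompatible roles {a} and {b}")
```

Run against a real export, the same function would be pointed at the identity provider's group-membership report rather than the embedded sample; the matrix itself should be taken from the organization's approved SoD table, not from this illustration.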
2.8 Knowledge Statement 2.4
In this topic, we will learn about the concepts under knowledge statement KS 2.4, Development and Maintenance of IT Strategy, Procedures, Standards and Policies. The key knowledge area is to understand the processes for the development, implementation and maintenance of IT strategy, policies, standards and procedures. The key concepts are that IT strategies must be based on business objectives, and that the IT strategy should continue to address both emerging and developing business risks. The main areas of coverage are strategic planning, information security governance and information security management. We will learn about strategic planning in the next screen.

Strategic Planning
Information systems strategic planning relates to the long-term path an enterprise wants to take in leveraging information technology to improve its business processes. Strategic planning should ensure that the plans are aligned and consistent with the organization's goals and objectives, and that the enterprise's requirements for IT systems and the IT organization's capacity to deliver new functionality through well-governed projects are considered. The CISA candidate should pay full attention to the importance of IT strategic planning, taking management control practices into consideration. Let us look at information security governance in the next screen.

Information Security Governance
Information security governance is focused on the confidentiality, integrity and availability of information, the continuity of services, and the protection of information assets. The key outcomes of effective security governance include strategic alignment, risk management, compliance and value delivery. These outcomes are enabled through the development of three things.
The first is performance measurement, which measures and monitors information security and reports on it to ensure that SMART (Specific, Measurable, Achievable, Relevant and Time-bound) objectives are achieved. The second is resource management, which ensures that information security infrastructure and knowledge are used effectively and efficiently. The third is process integration, which ensures that the organization's management assurance processes are integrated with security so as to improve overall security and operational efficiency. The next screen will focus on the information security governance framework.

Information Security Governance Framework
An information security governance framework generally consists of: a comprehensive security strategy intrinsically linked with business objectives; governing security policies that address each aspect of strategy, controls and regulation; a complete set of standards for each policy to ensure that procedures and guidelines comply with policy; an effective security organizational structure free of conflicts of interest; and institutionalized monitoring processes to ensure compliance and provide feedback on effectiveness. We will look at information security management in the next screen.

Information Security Management
Information security management takes the lead role in ensuring that the organization's information and the information processing resources under its control are properly protected. Its work includes developing the business impact analysis, the disaster recovery plan and the business continuity plans, and measuring performance against them. The major component in establishing this protection is the application of risk management principles to assess the risks to IT assets and mitigate them to an acceptable level. You will attempt a question to test what you have learned so far.
2.10 Knowledge Statement 2.5
In this topic, we will learn about the concepts under knowledge statement KS 2.5, Organization's Technology Direction and IT Architecture. The key knowledge area is the organization's technology direction and IT architecture, and their implications for setting long-term strategic directions. This includes ensuring that the enterprise architecture links IT and business objectives, and that IT assets are properly managed to achieve service delivery objectives. The main areas of coverage are enterprise architecture and policies. Let us learn about enterprise architecture in the next screen.

Enterprise Architecture
Enterprise architecture (EA) involves documenting an organization's IT assets in a structured manner to facilitate understanding, management and planning of IT investments. The table on the screen illustrates the Zachman Framework for Enterprise Architecture, which can be used to document the information assets of an enterprise; it is worth studying for a better understanding. Let us understand policies in the next screen.

Policies
Policies are high-level documents that represent the corporate philosophy of an organization and the strategic thinking of senior management and business process owners. Policies must be clear and concise to be effective. They may also apply to third parties and outsourcers, who must be bound to follow them through contracts or statements of work. Management should review all policies periodically and ensure they are updated to reflect new technology and changes in the environment (for example, new regulatory compliance requirements). Let us learn about the information security policy in the following screen.

Information Security Policy
An information security policy communicates a coherent security standard to users, management and technical staff. A security policy must balance the level of control with the level of productivity.
The information systems auditor should understand that policies are a part of the audit process and therefore test the policies for compliance. You will attempt a question to test your knowledge in the next screen.
2.12 Knowledge Statement 2.6
Laws, Regulations, and Industry Standards
The CISA candidate should have knowledge of relevant laws, regulations and industry standards affecting the organization. The complexity of IT and global connectivity has led to the enactment of new regulatory requirements. There are a number of globally recognized compliance requirements that include protection of privacy and confidentiality of personal data, intellectual property rights and reliability of financial information. Let us look at the main areas of coverage in the next screen.

Main Areas of Coverage
For this knowledge statement, the main areas of coverage include: auditing IT governance structure and implementation, sourcing practices, segregation of duties within IS and segregation of duties controls. Other important areas include reviewing documentation as well as reviewing contractual commitments. The CISA candidate should note that in the CISA exam the auditor must be aware of these globally recognized concepts; however, knowledge of specific legislation and regulations will not be tested. Let us understand reviewing documentation in the next screen.

Reviewing Documentation
There are various documents that the IS auditor should review in the course of their audits. These include:
• IT strategies, plans and budgets
• Security policy documentation
• Organizational or functional charts
• Job descriptions
• Steering committee reports
• System development and program change procedures
• Operations procedures
• Human Resource manuals
• Quality Assurance manuals
When reviewing these documents, the key things to note are that they were created as management authorized and intended, and that they are current and up to date. You will attempt a question to test your knowledge in the next screen.
2.14 Knowledge Statement 2.7
In this topic, we will learn about the concepts under the knowledge statement or KS 2.7, Quality Management Systems. The key knowledge area for the information systems auditor is to understand quality management systems. The key points here are that the effectiveness of IT governance efforts is dependent on the quality management strategies and policies in the IT governance framework; that IT strategies, policies, procedures and standards should be improved over time and should meet the needs and requirements of the organisation; and that quality management strategies should measure and monitor the quality of those IT policies and procedures based on a variety of standard frameworks. Let us look at the main areas of coverage in the next screen.

Main Areas of Coverage
The main areas of coverage are maturity and process improvement models, quality management and performance optimization. Note that while the IS auditor should be aware of quality management, the CISA exam does not test specifics on any ISO standards. Let us look at quality management in the next screen.

Quality Management
Quality management is the process by which the information systems department's processes are controlled, measured and improved. The areas of control for quality management may include the following:
• Software development, maintenance and implementation
• Acquisition of hardware and software
• Day-to-day operations
• Service management
• Security
• HR management
• General administration
A good example of a quality management standard is ISO 9001:2008. You will attempt a question to test your knowledge in the next screen. Let us proceed to the next topic of this domain in the next screen.
2.16 Knowledge Statement 2.8
In this topic, we will learn about the concepts under the knowledge statement or KS 2.8, Use of Maturity Models. The CISA candidate should have good knowledge of the use of maturity models. Maturity and process improvement models help enterprises evaluate the current state of internal controls in comparison to the desired state. Evaluating internal controls illustrates to senior management the effectiveness, compliance and relevance of IT procedures, tools and processes in support of alignment with business needs. Let us look at the main areas of coverage in the following screen.

Main Areas of Coverage
The main areas of coverage include maturity and process improvement models, sourcing practices and quality management. The CISA candidate must note that the IS auditor should be aware of quality management. However, the CISA exam does not test specifics on any ISO standards. Let us learn about maturity and process improvement models in the next screen.

Maturity and Process Improvement Models
Some of the important maturity and process improvement models are described here. The IDEAL model guides an enterprise in planning and implementing an effective software process improvement program. Capability Maturity Model Integration (CMMI) provides an enterprise with the essential elements of effective processes. The Personal Software Process is a methodology that helps enterprises manage quality, improve estimating and planning, and reduce defects in their products. We will continue to see some maturity and process improvement models in the next screen.

Maturity and Process Improvement Models (contd.)
The Team Software Process guides the team and management in establishing goals, defining team roles, assessing risks, and producing a comprehensive project plan. The COBIT Process Assessment Model (PAM) is developed using COBIT 5 and is designed to improve the rigor and reliability of information technology process reviews.
You will attempt a question to test your knowledge in the next screen.
2.18 Knowledge Statement 2.9
In this topic, we will learn about the concepts under the knowledge statement or KS 2.9, Process Optimization Techniques. The CISA candidate should have knowledge of process optimization techniques. Optimization techniques evaluate the current state versus the desired state and identify activities to migrate to the desired state, thereby eliminating unnecessary activities and thus increasing efficiency. The main area of coverage here is performance optimization. We will look at performance optimization in the next screen.

Performance Optimization
Performance optimization refers to the process of improving the productivity of information systems to the highest level possible without unnecessary additional investment in the IT infrastructure. Performance optimization is driven by key performance indicators (KPIs) based on business operations or processes, strategic IT solutions, and corporate strategic objectives. The broad phases of performance measurement include:
• establishing and updating performance measures;
• establishing accountability for performance measures;
• gathering and analyzing performance measures; and
• reporting and using performance information.
Let us look at performance optimization methodologies and tools in the following screen.

Performance Optimization—Methodologies and Tools
The methodologies and tools used for performance optimization include:
• Continuous improvement methodologies such as Plan, Do, Check, Act (PDCA)
• Comprehensive best practices such as ITIL
• Frameworks such as COBIT 5
• IT balanced scorecard (BSC)
• Six Sigma
You will attempt a question to test your knowledge in the next screen.
2.20 Knowledge Statement 2.10
In this topic, we will learn about the concepts under the knowledge statement or KS 2.10, IT Resource Investment and Allocation Practices. The CISA candidate should have knowledge of IT resource investment and allocation practices, including prioritization criteria, for example portfolio management, value management and project management. Key considerations when making IT resource allocation and investment decisions include:
• IT resources should be deployed to ensure service delivery and value.
• IT resource investment and allocation practices are essential to justify the investment of IT resources to senior management.
• IT initiatives should be evaluated using techniques such as cost/benefit analysis and planned and forecasted resource consumption. This ensures that IT initiatives meet the needs of the organization.
Let us look at the main areas of coverage in the following screen.

Main Areas of Coverage
The two main areas of coverage are IT investment and allocation practices and financial management practices. We will learn in detail about IT investment and allocation practices in the next screen.

IT Investment and Allocation Practices
Enterprises face limited resources in terms of people and money that can be allocated to IT investments. IT investments can provide financial benefits such as cost reduction and non-financial benefits such as improved customer satisfaction. Information technology value is determined by the relationship between what the organization will pay and what it will receive. Key governance practices to increase the value of IT include:
• Evaluate value optimization
• Direct value optimization
• Monitor value optimization
Let us learn about implementing IT portfolio management in the next screen.

Implementing IT Portfolio Management
Methods for implementing IT portfolio management include:
• risk profile analysis;
• diversification of projects, infrastructure and technologies;
• continuous alignment with business goals; and
• continuous improvement.
In the next screen, we will look at the financial management practices.

Financial Management Practices
Financial management is a critical element of all business functions. A user-pays scheme, a form of chargeback, can improve application monitoring of IS expenses and available resources. An IS budget allows for forecasting, monitoring and analyzing financial information. The budget allows for an adequate allocation of funds, especially in an IS environment where expenses can be cost-intensive. The budget should be linked to short- and long-range IT plans. Let us continue to look at the financial management practices in the next screen.

Financial Management Practices (contd.)
In software development, an IS auditor should know how an enterprise tracks the costs incurred in software development. This includes understanding the requirements for treating costs related to software that is developed for internal use versus software that is developed for sale. You will attempt a question to test your knowledge in the next screen.
2.22 Knowledge Statement 2.11
In this topic, we will learn about the concepts under the knowledge statement or KS 2.11, IT Supplier Selection, Contract and Relationship Management, and Performance Monitoring. The CISA candidate should have knowledge of IT supplier selection, contract management, relationship management and performance monitoring processes, including third-party outsourcing relationships. With the increasing trend of outsourcing IT infrastructure to third-party service providers, it is vital to know the latest trends in contracting strategies, processes and contract management practices. On the other hand, outsourcing may also introduce risks. The main areas of coverage are reviewing contractual commitments, sourcing practices and IS roles and responsibilities. We will learn how to review contractual commitments in the next screen.

Reviewing Contractual Commitments
The IS auditor should be familiar with the Request for Proposal (RFP) process and know what needs to be reviewed in an RFP. In reviewing contractual commitments, the issues that should be addressed cover the following:
• Service levels
• Right to audit or third-party audit reporting
• Software escrow
• Penalties for non-compliance
• Adherence to security policies and procedures
• Protection of customer information
• Contract change processes
• Contract termination and any associated penalties
Let us learn about software contracts in the next screen.

Software Contracts
The software contract areas that might be reviewed by an IS auditor include:
• Development of contract requirements and service levels
• Contract bidding process
• Contract acceptance
• Contract maintenance
• Contract compliance
You will attempt a question to test your knowledge in the next screen.
2.24 Knowledge Statement 2.12
In this topic, we will learn about the concepts under the knowledge statement or KS 2.12, Enterprise Risk Management. The CISA candidate should gain knowledge of enterprise risk management. Effective IT governance requires keen oversight of the enterprise's IT-related risks. Risk management tools and techniques are vital to assessing and mitigating the organization's IT-related risks. The main areas of coverage include risk management, developing a risk management program, the risk management process and risk analysis methods. We will look at developing a risk management program in the next screen.

Developing a Risk Management Program
In developing a risk management program, an organization must evaluate the effectiveness of the program and assign responsibility for the plan, which includes identifying risks and implementing control strategies. The three purposes of risk management are reducing the cost of insurance, reducing the number of program-related injuries and maximizing returns. Let us proceed to the next screen to learn about methods to treat the risks.

Risk Treatment Methods
There are four methods of treating risks. The first is avoidance, where the risk is eliminated by reducing what causes it. The risk can also be mitigated by reducing its probability of occurrence; this is done by defining, implementing and monitoring appropriate controls. The risk can also be transferred, deflected or allocated to other partners through insurance. Lastly, a risk can be accepted by acknowledging its existence and continuously monitoring it. Let us look at the steps involved in the risk management process in the next screen.

Risk Management Process
There are five steps in the risk management process. The first is to identify and classify information resources or assets; the second is to assess the threats and vulnerabilities associated with the resources or assets identified.
Thirdly, the auditor will need to obtain an overall view of risk by assessing the impact of each threat; the fourth step is to evaluate countermeasures; and the last step is to assess any residual risks. We will look at risk analysis methods in the next screen.

Risk Analysis Methods
Risk can be analyzed either qualitatively, using words or descriptions, or quantitatively, using numeric values. Risk can also be analyzed through the theories of probability and expectancy. The advantages of qualitative methods are that they are the simplest to use and are based on checklists and subjective risk ratings. On the other hand, the advantages of quantitative methods are that they rely on subjectivity in estimating the probability of risks and that they provide more objective and traceable assumptions. You will attempt a question to test your knowledge in the next screen.
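The five-step process and the four treatment methods above can be exercised end to end in a small risk register. The following Python is an added example written for this page, not material from the Simplilearn course: the assets, threats, probabilities, impact figures and the qualitative rating thresholds are all constructed for illustration, and the quantitative view uses expected loss (probability multiplied by impact) as the "expectancy" measure.

```python
"""Risk register walking the five-step risk management process and the four
treatment methods.  Added example, not material from the Simplilearn course:
every asset, threat, probability, impact and threshold value is constructed."""
from dataclasses import dataclass


# Qualitative bands (assumed thresholds) for the "words or descriptions" approach.
def probability_band(p: float) -> str:
    return "high" if p >= 0.5 else "medium" if p >= 0.2 else "low"


def impact_band(impact: float) -> str:
    return "high" if impact >= 100_000 else "medium" if impact >= 10_000 else "low"


# 3x3 rating matrix: (probability band, impact band) -> overall qualitative rating.
RATING_MATRIX = {
    ("high", "high"): "high", ("high", "medium"): "high", ("medium", "high"): "high",
    ("medium", "medium"): "medium", ("high", "low"): "medium", ("low", "high"): "medium",
    ("low", "medium"): "low", ("medium", "low"): "low", ("low", "low"): "low",
}


@dataclass
class Risk:
    asset: str                         # step 1: identified and classified resource
    classification: str
    threat: str                        # step 2: threat and vulnerability pair
    vulnerability: str
    probability: float                 # annual likelihood, 0..1
    impact: float                      # loss if the threat materialises, currency units
    treatment: str = "accept"          # avoid / mitigate / transfer / accept
    control_effect: float = 0.0        # mitigate: fraction of probability removed by controls
    transferred_fraction: float = 0.0  # transfer: fraction of impact carried by an insurer

    def qualitative_rating(self) -> str:
        return RATING_MATRIX[(probability_band(self.probability), impact_band(self.impact))]

    def inherent_expected_loss(self) -> float:
        # step 3: the quantitative "expectancy" view, probability x impact
        return round(self.probability * self.impact, 2)

    def residual_expected_loss(self) -> float:
        # steps 4 and 5: apply the chosen countermeasure, then assess what remains
        if self.treatment == "avoid":       # cause eliminated
            return 0.0
        if self.treatment == "mitigate":    # controls reduce the probability of occurrence
            return round(self.probability * (1 - self.control_effect) * self.impact, 2)
        if self.treatment == "transfer":    # insurer carries part of the impact
            return round(self.probability * self.impact * (1 - self.transferred_fraction), 2)
        if self.treatment == "accept":      # acknowledged and monitored, nothing removed
            return self.inherent_expected_loss()
        raise ValueError(f"unknown treatment {self.treatment!r}")


# Constructed sample register.
RISKS = [
    Risk("customer database", "confidential", "data breach", "unpatched DB server",
         0.3, 200_000, "mitigate", control_effect=0.8),
    Risk("payroll system", "critical", "ransomware", "no offline backups",
         0.2, 500_000, "transfer", transferred_fraction=0.6),
    Risk("legacy FTP server", "internal", "credential theft", "cleartext protocol",
         0.5, 40_000, "avoid"),
    Risk("intranet wiki", "public", "defacement", "weak admin password",
         0.1, 5_000, "accept"),
]


def prioritize(risks):
    """Assets ordered by inherent expected loss, highest first."""
    return [r.asset for r in sorted(risks, key=lambda r: r.inherent_expected_loss(), reverse=True)]


def summarize(risks):
    """Totals and per-asset ratings an auditor would expect in a risk report."""
    return {
        "inherent_total": round(sum(r.inherent_expected_loss() for r in risks), 2),
        "residual_total": round(sum(r.residual_expected_loss() for r in risks), 2),
        "ratings": {r.asset: r.qualitative_rating() for r in risks},
    }


if __name__ == "__main__":
    for r in RISKS:
        print(f"{r.asset:20} {r.qualitative_rating():6} "
              f"inherent={r.inherent_expected_loss():>10.2f} "
              f"residual={r.residual_expected_loss():>10.2f} ({r.treatment})")
    print(summarize(RISKS))
```

Running the file prints one row per asset with its qualitative rating, inherent and residual expected loss and the treatment applied; summarize() returns the before-and-after totals an auditor would compare when judging whether the countermeasures brought the risk to an acceptable level.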
2.26 Knowledge Statement 2.13
In this section, we will learn about the concepts under the knowledge statement or KS 2.13, Practices for Monitoring and Reporting of IT Performance. The key knowledge area here is the practices for monitoring and reporting of IT performance (e.g., balanced scorecards and key performance indicators (KPIs)). IT governance progress must be measured and monitored using effective tools such as balanced scorecards (BSCs) and key performance indicators (KPIs). The results provide a clear indication of the capabilities of the organization to meet its objectives. They also help to shape the IT strategy over the long term. The main areas of coverage are the IT balanced scorecard and performance optimization. Let us look at the IT balanced scorecard in the next screen.

IT Balanced Scorecard
The IT balanced scorecard (BSC) is a process management evaluation technique that can be applied to the IT governance process in assessing IT functions and processes. A balanced scorecard measures: financial performance; customer or user satisfaction; internal or operational processes; and the ability to learn and innovate. We will continue to discuss the IT balanced scorecard in the next screen.

IT Balanced Scorecard (contd.)
The scorecard aims to facilitate management reporting to the board and to foster consensus among key stakeholders about its strategic aims. It further aims to demonstrate its effectiveness and added value, and to communicate IT performance, risks, and capabilities. The images in the next two screens illustrate examples of how IT balanced scorecards can be implemented.

IT Balanced Scorecard (contd.)
This diagram illustrates how the IT balanced scorecard takes into perspective financial, customer, learning and growth, and internal business processes in management reporting. Each of these perspectives should have objectives, measures, targets and initiatives to ensure accurate information can be supplied to management.

IT Balanced Scorecard—Example (contd.)
This diagram illustrates different measures for the IT balanced scorecard. In this diagram, financially IT can be measured by the delivery of IT value per employee, while on customers it is measured by the satisfaction of existing customers. On the other hand, when considering learning, staff productivity and morale become a key measure, while on processes, the availability of systems and services becomes a critical measure. You will attempt a question to test your knowledge in the next screen.
2.28 Knowledge Statement 2.14
In this topic, we will learn about the concepts under the knowledge statement or KS 2.14, IT Management of Human Resources. The CISA candidate should have knowledge of IT human resources (personnel) management practices used to invoke the business continuity plan. Automated business processes have created challenges in HR management and in addressing control gaps which are created when job roles are combined. Performance evaluation, compensation plans and succession planning are important in understanding HR issues and the assignment of responsibilities as they relate to the development of execution plans. Let us look at the main areas of coverage in the next screen.

Main Areas of Coverage
The main areas of coverage are human resource management, organizational change management, development of business continuity plans, other issues in plan development, evaluation of security at offsite facilities, and organization and assignment of responsibilities. Let us look at organizational change management in the following screen.

Organizational Change Management
Organizational change management involves the use of a defined and documented process to identify and apply technology improvements.
• The IS department is the focal point for such changes, leading or facilitating change in the organization.
• Once senior management support is obtained to move forward with the changes or projects, the IS department can begin working with each functional area and its management to obtain support for the changes.
• User feedback should be obtained throughout the project, including validation of the business requirements and training on and testing of the new or changed functionality.
Let us look at the development of business continuity plans in the following screen.
Development of Business Continuity Plans and Consideration of Other Issues
The various factors that should be considered when developing business continuity plans are:
• Pre-disaster readiness covering incident response management to address all relevant incidents affecting business processes
• Procedures for declaring a disaster
• Circumstances under which a disaster should be declared
• Identification of persons responsible for the plan
• A step-by-step explanation of the recovery process
Let us look at the evaluation of security at an offsite facility in the following screen.

Evaluation of Security at Offsite Facility
The security of an offsite facility should be evaluated to ensure that it has proper physical and environmental access controls. These include:
• Limited user access
• Use of raised floors, humidity controls and temperature controls
• Use of uninterruptible power supplies, smoke detectors and fire extinguishers
• Frequent calibration of equipment
You will attempt a question to test your knowledge in the next screen.
2.30 Knowledge Statement 2.15
In this topic, we will learn about the concepts under the knowledge statement or KS 2.15. We will begin this topic with business impact analysis related to business continuity planning in the following screen.

Business Impact Analysis related to Business Continuity Planning
The IS auditor should have knowledge of business impact analysis (BIA) related to business continuity planning (BCP). The IS auditor should determine whether the BIA and BCP are suitably aligned. To be effective and efficient, a BCP should be based on a well-documented BIA. The BIA drives the focus of the BCP or disaster recovery plan (DRP) efforts of the organisation and helps in balancing the costs to be incurred with the corresponding benefits to the organisation. The main coverage area is business impact analysis, which will be explained in the following screen.

Business Impact Analysis
Business impact analysis is a component of a business continuity plan (BCP) and helps in identifying events that could impact the continuity of operations and in assessing the impact of these events. A business impact analysis helps an organization to gain an understanding of priorities and time requirements for the recovery of business functions, and to gather information regarding the organization's current recovery capabilities. In the next screen, let us learn about the activities and approvals involved in carrying out a BIA, along with its approaches.

Business Impact Analysis—Activities, Approval, and Approaches
In carrying out a business impact analysis, the activities involved include understanding the organization and gaining knowledge of the key business processes and the roles involved. The auditor should also be in a position to enumerate the IT personnel, end users, and senior management required for approval. A BIA can be implemented through questionnaires, interviews, or brainstorming sessions.
Let us discuss the points to be considered before analyzing a BIA in the following screen.

Business Impact Analysis—Points to Consider
Before analyzing the business impact, it is important to know:
• What are the organization's business processes?
• What are the critical information resources related to the critical business processes?
• What is the critical recovery time period for information resources, within which business processing must be resumed before significant or unacceptable losses are suffered?
Let us understand the recovery time objective (RTO) and recovery point objective (RPO) of a BIA in the next screen.

Business Impact Analysis—RTO and RPO
The Recovery Time Objective (RTO) is the acceptable or allowable downtime in case of a disruption to operations (it determines the processes and technology used for backup and recovery, e.g. data tapes or disk). On the other hand, the Recovery Point Objective (RPO) is the acceptable or allowable data loss in case of a disruption to operations (it determines the frequency of backup). In the next screen, let us understand the cost of disruption versus that of recovery.

Disruption Cost vs. Recovery Costs
The diagram shown on the screen illustrates the relationship between disruption costs and recovery costs. The two should be balanced to attain an optimal level of protection of key information assets, that is, to obtain an optimal recovery point objective and recovery time objective. Let us continue to discuss disruption versus recovery costs in the following screen.

Disruption Cost vs. Recovery Costs (contd.)
If the business continuity strategy aims at a longer recovery time, it will be less expensive than a more stringent requirement, but it may be more susceptible to downtime costs spiraling out of control. The downtime cost of a disaster in the short run (e.g., hours, days, weeks) grows quickly with time, as the impact of a disruption increases the longer it lasts.
At a certain moment, it stops growing, reflecting the point at which the business can no longer function. We will continue to discuss disruption versus recovery costs in the following screen.

Disruption Cost vs. Recovery Costs (contd.)
The cost of downtime increases with time. It has many components, depending on the industry and the specific company and circumstances. These components are the cost of idle resources (e.g., in production), drop in sales (e.g., orders), financial costs (e.g., not invoicing nor collecting), delays (e.g., procurement) and indirect costs (e.g., loss of market share, image and goodwill). You will attempt a question to test what you have learned so far.
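The balance between disruption and recovery cost described on the last few screens can be made concrete by modelling both curves and picking the RTO at which their sum is lowest. This Python is an added example for this page, not the course's own material: the hourly cost components (one per component named above), the ceiling at which the business can no longer function, and the candidate recovery strategies with their RTOs and provisioning costs are all constructed figures.

```python
"""Disruption cost versus recovery cost.  Added example, not from the
Simplilearn course: every cost figure, the failure ceiling and the list of
recovery strategies are constructed for illustration."""

# Hourly downtime cost components (constructed), one per component named on the slide.
IDLE_RESOURCES_PER_HOUR = 2_000      # idle production staff and equipment
LOST_SALES_PER_HOUR = 5_000          # orders not taken
FINANCIAL_PER_HOUR = 1_000           # invoicing and collection stalled
DELAYS_PER_HOUR = 500                # procurement and delivery delays
INDIRECT_ACCELERATION = 50           # indirect costs (market share, goodwill) grow with hours squared
BUSINESS_FAILURE_CEILING = 1_000_000 # point at which the business can no longer function


def downtime_cost(hours: float) -> float:
    """Cost of a disruption lasting `hours`: grows quickly, then stops at the ceiling."""
    linear = (IDLE_RESOURCES_PER_HOUR + LOST_SALES_PER_HOUR
              + FINANCIAL_PER_HOUR + DELAYS_PER_HOUR) * hours
    indirect = INDIRECT_ACCELERATION * hours ** 2
    return min(linear + indirect, BUSINESS_FAILURE_CEILING)


def hours_until_failure() -> int:
    """First whole hour at which the downtime cost reaches the ceiling."""
    h = 0
    while downtime_cost(h) < BUSINESS_FAILURE_CEILING:
        h += 1
    return h


# Candidate recovery strategies: a shorter RTO costs more to provision (constructed figures).
STRATEGIES = {
    "hot site":     {"rto_hours": 2,   "recovery_cost": 400_000},
    "warm site":    {"rto_hours": 24,  "recovery_cost": 120_000},
    "cold site":    {"rto_hours": 72,  "recovery_cost": 40_000},
    "tape restore": {"rto_hours": 168, "recovery_cost": 15_000},
}


def total_cost(strategy: dict) -> float:
    """Recovery cost plus the downtime cost incurred if the outage lasts the full RTO."""
    return strategy["recovery_cost"] + downtime_cost(strategy["rto_hours"])


def choose_strategy(strategies=STRATEGIES):
    """Strategy whose RTO balances disruption and recovery costs (lowest combined cost)."""
    name = min(strategies, key=lambda n: total_cost(strategies[n]))
    return name, strategies[name]["rto_hours"], total_cost(strategies[name])


if __name__ == "__main__":
    print(f"downtime cost reaches the failure ceiling after {hours_until_failure()} hours")
    for name, s in STRATEGIES.items():
        print(f"{name:13} RTO={s['rto_hours']:>4}h recovery={s['recovery_cost']:>9,} "
              f"downtime={downtime_cost(s['rto_hours']):>11,.0f} total={total_cost(s):>11,.0f}")
    print("chosen:", choose_strategy())
```

With these figures the cheapest strategy to provision is not the cheapest overall: the tape-restore RTO runs into the failure ceiling, and the warm site comes out lowest once its 24-hour disruption cost is added, which is the balance the diagram is illustrating.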
2.32 Knowledge Statement 2.16
In this topic, we will learn about the concepts under the knowledge statement or KS 2.16. Let us take a detailed look at the business continuity plan in the following screen.

Business Continuity Plan (BCP)
The CISA candidate should have knowledge of the standards and procedures for the development and maintenance of the business continuity plan (BCP) and of testing methods. The IS auditor needs to understand the life cycle of BCP and DRP plan development and maintenance, the types of BCP tests, the factors to consider when choosing the appropriate test scope, and the methods for observing recovery tests and analyzing test results. Let us look at the main areas of coverage in the next screen.

Main Areas of Coverage
The main areas of coverage are: IS business continuity planning, the business continuity planning process, business continuity policy, business continuity planning incident management and development of business continuity plans. Other areas covered by this knowledge area are other issues in plan development, components of a business continuity plan and plan testing. Let us look at the components of an effective BCP in the next screen.

Components of an Effective BCP
The components of a business continuity plan depend on organization size and requirements. Components may include: a business resumption plan, a continuity of operations plan, a continuity of support plan and a crisis communication plan. Other components are an incident response plan, a disaster recovery plan and an occupant emergency plan. There are components that need to be agreed on when developing a business continuity plan. Let us learn about them in the following screen.

Components to be Agreed Upon
The components to be agreed upon include governing policies, goals/requirements/product, alternative facilities, critical IS resources to deploy, and data and systems.
Other areas to be agreed upon are the staff required for and responsible for recovery tasks, key decision-making personnel, resources to support deployment, backup of required supplies, other personnel and a schedule of prioritized activities. Let us understand how to test a business continuity plan in the next screen.

Business Continuity Plan Testing
Testing the developed plans helps determine whether they work and identifies areas that need improvement. BCP testing involves specifications such as the objective and scope of the test, the pretest and the test execution. Other steps are the actual testing of the plan, carrying out a post-test analysis, carrying out paper tests, preparedness tests and full operational tests, and documentation of the tests. The documentation will include observations, problems and resolutions to facilitate actual recovery in a real disaster, as well as an analysis of the test against the specifications set in time, amount, count, and accuracy. We will look at test execution of a business continuity plan in the next screen.

Business Continuity Plan Test Execution
A BCP test is executed by conducting a pre-test, the actual test, and a post-test. In the pre-test stage, the actions to be carried out range from placing tables in the proper operations recovery area to transporting and installing backup telephone equipment. In the actual test, operational activities are executed to test the specific objectives of the BCP. This is the actual test of preparedness to respond to an emergency. We will proceed to the next screen to understand the post-test stage of the BCP.

Business Continuity Plan—Post-Test
The post-test stage includes the cleanup of group activities, such as ensuring all resources are returned to their previous state. The post-test stage also includes formally evaluating the plan and implementing indicated improvements.
In the next screen, we will look at the types of business continuity plan tests.

Types of Tests
There are three types of business continuity tests. The first is the desk-based evaluation or paper test, which is a walk-through of the plan involving key players in the plan's implementation, who reason out what might happen in a specific type of service outage. They may walk through the entire plan or just a portion. The paper test is carried out before the preparedness test, which is the second test. The preparedness test is usually a limited form of the full test, whereby actual resources are used in the replication of a system outage. This is performed frequently on diverse elements of the plan and may be a cost-effective way of testing a DRP. It enables incremental improvements to the plan. The last type of test is the full operational test, which is one step away from an actual service disruption. The organization should have tested the plan well on paper and locally before endeavoring to completely shut down operations. For the purposes of BCP testing, this is the disaster. You will attempt a question to test what you have learned so far.
2.34 Domain Two Exam Quick Pointers
1. A bottom-up approach to the development of organizational policies is often driven by risk assessment.
2. An IS auditor's primary responsibility is to advise senior management of the risk involved in not implementing proper segregation of duties, such as having the system analyst or programmer do system administration.
3. Data and systems owners are accountable for maintaining appropriate security measures over information assets.
4. Business unit management is responsible for implementing cost-effective controls in an automated system.
5. Proper segregation of duties prohibits a system analyst from performing quality assurance functions (it is difficult for us to poke holes in our own work).
6. The primary reason an IS auditor reviews an organization chart is to better understand the responsibilities and authority of individuals.
7. If an IS auditor observes that project-approval procedures do not exist, the IS auditor should recommend to management that formal approval procedures be adopted and documented.
8. Ensuring that security and control policies support business and IT objectives is a primary objective of an IT security policies audit.
9. The board of directors is ultimately accountable for developing an IS security policy.
10. When auditing third-party service providers, an auditor should be concerned with ownership of programs and files, a statement of due care and confidentiality, and the capability for continued service of the service provider in the occurrence of a disaster.
11. Proper segregation of duties (SoD) normally prohibits a LAN administrator from having programming responsibilities.
12. When performing an IS strategy audit, an IS auditor should review both short-term (one year) and long-term (three- to five-year) IS strategies, interview corporate management personnel and ensure that the external environment has been considered.
The auditor should not focus on procedures in an audit of IS Strategy. Domain 2 Exam Quick Pointers (contd.) 13. Management personnel and ensure that external environment has been considered. The auditor should not focus on procedures in an audit of IS Strategy. 14. Business Impact Analysis (BIA) is an exercise that allow an organization to understand the cost of interruption and identify which applications and processes are most critical to the continued functioning of the organization.(done by setting RPOs and RTOs) 15. Recovery Time Objective (RTO) is acceptable or allowable downtime in case of a disruption to operations (determines processes and technology used for backup and recovery e.g. data tapes or disk) 16. Recovery Point Objective (RPO) is the acceptable or allowable data loss in case of a disruption to operations (determines frequency of backup) Domain 2 Exam Quick Pointers (contd.) 17. Above all else, an IS strategy must support the business objectives of the organization 18. IS assessment methods enable IS management to determine whether the activities of the organization differ from the planned or expected levels. 19. Batch control reconciliations is a compensatory control of mitigating inadequate Segregation of duties. 20. An audit of the client‘s business plan should be reviewed before the organization’s IT strategic plan review 21. Allowing the programmers to directly patch or change code in production programs increases the risk of fraud.
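The segregation-of-duties pointers above (items 2, 5, 11, 19 and 21) can be turned into an automated control test over a role assignment list. The following is an added example, not part of the Simplilearn material; the role names and the user assignments are constructed sample data.

```python
"""Segregation-of-duties (SoD) conflict check over role assignments.

Added example, not from the CISA course material. The conflict pairs encode
the incompatible combinations named in the exam pointers: system analyst or
programmer vs. system administration, system analyst vs. quality assurance,
LAN administrator vs. programming, programmer vs. production code change.
Role names and the user-to-role data are constructed for illustration.
"""
from itertools import combinations

# Incompatible role pairs (unordered), one per pointer.
SOD_CONFLICTS = {
    frozenset({"system_analyst", "system_administrator"}),
    frozenset({"programmer", "system_administrator"}),
    frozenset({"system_analyst", "quality_assurance"}),
    frozenset({"lan_administrator", "programmer"}),
    frozenset({"programmer", "production_change"}),
}

# Constructed sample input: user -> set of roles granted to that user.
SAMPLE_ASSIGNMENTS = {
    "alice": {"system_analyst", "quality_assurance"},
    "bob": {"programmer", "production_change"},
    "carol": {"lan_administrator"},
    "dave": {"quality_assurance", "lan_administrator"},
}


def find_sod_violations(assignments, conflicts=SOD_CONFLICTS):
    """Return {user: sorted conflicting role pairs} for every user holding
    two roles that SoD says should be split across different people."""
    violations = {}
    for user, roles in assignments.items():
        hits = [tuple(sorted(pair)) for pair in combinations(roles, 2)
                if frozenset(pair) in conflicts]
        if hits:
            violations[user] = sorted(hits)
    return violations


def uncompensated_violations(violations, controls):
    """Pointer 19: where SoD cannot be achieved, a compensating control such
    as batch control reconciliation should be in place. `controls` maps
    user -> set of control names (constructed). Returns users with a
    violation and no recorded compensating control."""
    return sorted(u for u in violations if not controls.get(u))


if __name__ == "__main__":
    found = find_sod_violations(SAMPLE_ASSIGNMENTS)
    for user, pairs in found.items():
        print(user, pairs)
    print("uncompensated:", uncompensated_violations(
        found, {"bob": {"batch_control_reconciliation"}}))
```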
2.35 Summary and Conclusion
Let us summarize what we have learned in this domain.
• An objective of corporate governance is to resolve the conflicting objectives of exploiting available opportunities to increase stakeholder value while keeping the organization's operations within the limits of regulatory requirements and social obligations.
• IT governance is the responsibility of the board of directors and executive management.
• Governance of enterprise IT is a governance view that ensures that information and related technology support and enable the enterprise strategy and the achievement of enterprise objectives.
• An IT strategy committee monitors IT value, risks and performance and provides information to the board to support decision making on IT strategies.
• IT governance encompasses minimizing IT risks to the organization.
• Risks are measured using qualitative analysis (defining risks in terms of high/medium/low), semi-quantitative analysis (defining risks according to a numeric scale) or quantitative analysis (applying several values to risk, including financial ones, and calculating the risk's probability and impact).
• outweigh the costs.
• The purpose of segregation (or separation) of duties is to prevent fraud and error by splitting the tasks and authority needed to accomplish a process among multiple employees or managers.
Conclusion This concludes the domain on Governance and Management of IT. The next domain will focus on information system acquisition, development and maintenance.