
Certified Information Systems Auditor (CISA)

Module 2 - Governance and Management of IT


Slide 1

Module 2
Governance and Management of IT

Slide 2

Lesson 1: Corporate Governance


• Corporate governance should promote ethical conduct and sound decision-making practices within an organization
• Corporate governance can be defined as “the system by which business corporations are directed and controlled”

Slide 3

Corporate Governance
• Therefore, corporate governance can be thought of as a set of responsibilities and practices that:
  • Provide strategic direction
  • Ensure that objectives are achievable
  • Ensure that risks are properly addressed
  • Ensure that organizational resources are properly utilized

Slide 4

Corporate Governance Continued


• The framework of corporate governance should:
  • Be established to manage and report on risks
  • Require an internal control system that monitors risks, especially when the business is exploring new ways to improve
  • Be a platform for the protection of stakeholders by assigning responsibilities to the Board of Directors

Slide 5

Corporate Governance Continued


• Corporate governance helps strike a balance between exploiting available opportunities to increase business value and staying within the limits of regulatory requirements
• Such frameworks have been adopted in many countries, where the goal is to reduce inaccurate financial reporting while providing greater transparency and accountability

Slide 6

Lesson 2: IT Governance
• IT governance is a part of overall corporate governance that addresses how IT is applied within the organization
  • This becomes even more true as organizations rely more heavily on IT
• One of the keys to IT governance is aligning IT with the business, which is the means by which IT increases business value

Slide 7

IT Governance
• IT governance focuses on delivering secure and reliable information, especially the information that is critical to the success of the organization
• The other benefit of IT governance is that this information is delivered more economically, efficiently and effectively

Slide 8

IT Governance Continued
• IT governance focuses on two major issues
  • Both are designed to ensure that IT delivers value to the business and that its risks are managed
  • The first is driven by the strategic alignment of IT with the business
  • The second is driven by embedding accountability into the enterprise

Slide 9

Lesson 3: IT Monitoring and Assurance Practices for Board and Senior Management

• It is important that all stakeholders, including the board and senior management, provide input into decision-making about IT governance
• IT governance is not just good management practice and a framework of IT controls; it is a management system concerned with the stewardship of IT resources on behalf of the stakeholders

Slide 10

IT Monitoring and Assurance Practices for Board and Senior Management

• IT governance is ultimately in the hands of the Board of Directors and executive management
  • Although risk management and compliance monitoring are components, governance should be focused on delivering value and measuring performance
• IT governance can be thought of as a shared responsibility between IT and the business
  • This prevents the IT department from making independent decisions and later being held solely responsible for poor decisions
  • It also means that other departments cannot place the blame for poor performance solely on the IT department

Slide 11

IT Monitoring and Assurance Practices for Board and Senior Management Continued

• IT governance is designed to ensure that IT performance meets the objective of aligning IT with the organization’s objectives
• IT should enable an enterprise to exploit new opportunities and maximize benefits
• The IT governance framework should be aligned with accepted best practices
• The framework should be made up of a variety of structures, processes and relational mechanisms

Slide 12

IT Monitoring and Assurance Practices for Board and Senior Management Continued

• The broad processes of the IT governance framework are:
  • IT resource management, which focuses on the inventory of IT resources and the risks associated with them
  • Performance measurement, to make sure that IT resources are performing as expected and delivering a benefit to the organization
  • Compliance management, which implements processes that meet all applicable laws and regulations

Slide 13

Best Practices for IT Governance


• The goal is to integrate good practices to make sure that IT supports the business objectives
  • For example, making sure that the organization takes full advantage of its information and obtains maximum benefit from it
• This can be thought of as a structure of relationships and processes that direct and control the organization, moving it towards the achievement of its goals
• It involves balancing risk against return across the IT processes

Slide 14

Best Practices for IT Governance Continued

• IT governance has become so important because organizations are:
  • Looking for a better return on IT investments
  • Meeting regulatory laws and requirements
  • Facing an increasing complexity of IT-related risks
  • Finding better methods to monitor and improve critical IT activities in order to reduce risk and obtain better value

Slide 15

Best Practices for IT Governance Continued

• The following are focus areas for IT governance:
  • Strategic alignment: the alignment of business and IT plans with the organization’s objectives
  • Value delivery: making sure that IT delivers the promised benefits. This can involve reviewing the strategy, optimizing costs and validating the value of IT

Slide 16

Best Practices for IT Governance Continued

• IT governance focus areas continued
  • Risk management: making sure that all stakeholders are aware of the risks involved with IT, as well as the organization’s appetite for risk
  • Resource management: having the right investment in, and proper management of, the critical IT resources, including the infrastructure and its people
  • Performance measurement: a strategy to track and monitor projects, resource usage, process performance and service delivery

Slide 17

IT Governance Frameworks
• COBIT: developed by ISACA to support IT governance by providing a framework
• ISO/IEC 27001: the information security management system (ISMS) standard in the ISO/IEC 27000 series; it specifies requirements for establishing, implementing, maintaining and improving an ISMS
• IT Infrastructure Library (ITIL): a detailed framework with hands-on guidance on how to achieve successful IT service management
• ISO/IEC 38500: provides a framework for effective governance of IT, to help those at the highest level of management understand and fulfil their legal and regulatory obligations

Slide 18

Audit Role in IT Governance


• IT should be governed by best practices that ensure an organization’s information and related technology support the enterprise’s business objectives
• By today’s standards, IT is an intrinsic part of the business and not a separate department
• Depending on how IT is applied within the enterprise, it will have an immense effect on whether or not the enterprise meets its objectives and goals

Slide 19

Audit Role in IT Governance Continued


• Auditing plays a significant role in making IT successful for the organization
  • One of the main goals of an audit is to give recommendations to improve the quality and effectiveness of IT
  • An audit can also monitor compliance and make sure that IT is in compliance
  • Reporting on IT governance involves auditing at the highest level of the organization, which can cross departmental boundaries

Slide 20

Audit Role in IT Governance Continued


• An audit should be defined by:
  • The scope of the work to be done, with a clear definition of the functional areas and issues
  • The reporting line, which should be to the highest level of the organization
  • The auditor’s right of access to information both inside and outside the organization
• Auditors should remain objective and independent; if this cannot be ensured internally, engaging a third party should be considered

Slide 21

Audit Role in IT Governance Continued


• The IS auditor should assess the following:
  • The alignment of the IS function with the organization’s objectives
  • Whether the performance objectives are being achieved
  • Compliance with regulatory laws and requirements
  • The control environment of the organization
  • Inherent risks within the IS environment
  • IT investment and expenditure

Slide 22

IT Strategy Committee
• One of the recommended best practices is to create an IT strategy committee
  • This committee should not only provide advice on strategy, but also focus on IT’s value, risks and performance

Slide 23

IT Balanced Scorecard
• The IT balanced scorecard (BSC) is a process management evaluation technique used in IT governance. The application of the BSC to IT follows a three-layered structure to address four perspectives. The three layers are:
  • Mission
  • Strategies
  • Measures

Slide 24

IT Balanced Scorecard Continued


• Mission:
  • Deliver economical, effective and efficient IT applications and services
  • Obtain good value from IT investments
  • Create opportunities to prepare for future challenges
• Strategies:
  • Create superior applications and operations
  • Develop user partnerships and better customer service
  • Improve service levels and pricing structures
  • Control IT expenses
  • Provide new business capabilities and other value from IT projects
  • Train the IT staff
• Measures:
  • Provide a balanced set of metrics to guide IT decisions

Slide 25

Information Security Governance


• Security is focused on three areas: confidentiality, integrity and availability
  • These can be thought of as providing continuity of services as well as protection of information assets
• Security is no longer bound by the boundaries of the organization, because of the rapid growth of technologies such as cloud computing

Slide 26

Information Security Governance Continued

• The goals of CIA are usually applied to the protection of information. In today’s world, information has become one of the most important business assets for almost all organizations.
• The task of providing the necessary protection for information resources must now be raised to a board-level activity, alongside the other governance functions.
• In this sense it is a top-down approach

Slide 27

Information Security Governance Continued

 The protection of information is no longer focused on just the process of
how it is gathered, but on all stages of the lifetime of that information
 Today we look at securing information both in transit and at rest
 The focus on full protection of information is driven by the ease with which
people can access information from all parts of the world

Slide 28

Information Security Governance Continued

 The risks involved with the security of information continue to grow
 As organizations maintain their competitive edge in the global economy,
they must also consider the risks posed by the rising number of threats to all
organizations’ information
 This is compounded by changes and updates to existing laws and
regulations regarding the protection of information assets

Slide 29

Importance of Information Security Governance

 Information security has been a growing concern for most organizations.
Consider the number of systems and processes used globally to handle
information, together with the risk of attacks against them, and it becomes
clear why information security governance has become increasingly critical
 Good information security governance is more than good business; it is
also due diligence

Slide 30

Importance of Information Security Governance Continued

 The benefits of good information security governance are:
 Reduction of civil or legal liability arising from providing inaccurate
information or losing private information
 Providing assurance of policy and standards compliance
 Reducing uncertainty about business operations by lowering risks to acceptable levels
 Providing a structure and framework to optimize limited security resources
 Instilling more confidence that critical decisions are not based on altered information
 Providing accountability for business activities such as partnerships, mergers, and
other acquisitions

Slide 31

Outcomes of Security Governance


 Strategic alignment: Aligning information security with business strategy to
meet the organizational objectives
 Risk management: Reducing risk, and the potential impacts on information
resources, to an acceptable level
 Value delivery: Optimizing the investment in security
 Performance measurement: Measuring, monitoring and reporting on
information security processes and how well they meet SMART
(specific, measurable, achievable, relevant and time-bound) objectives
 Resource management: Efficient and effective use of information security
resources
 Process integration: Integration of management’s assurance processes for
security

Slide 32

Outcomes of Security Governance Continued

 Integration is the idea of bringing together all relevant assurance functions to
make sure that processes operate as intended from end to end
 The following should be considered to achieve integration:
 Determine all organizational assurance functions
 Coordinate all assurance functions for more complete security
 Create overlaps between the roles and responsibilities of assurance functions

Slide 33

Effective Information Security Governance

 The goal of information security is to support the organization’s
objectives, making it of real value to the organization. Therefore, there
should be a framework to guide the development and management of
the information security program.
 This framework may consist of the following:
 A comprehensive security strategy
 Security policies to address each aspect of strategy, controls and regulation
 An organizational structure devoid of conflicts of interest
 Sufficient monitoring processes to ensure compliance and to provide feedback

Slide 34

Roles and Responsibilities of Senior Management and Board of Directors

 The key term to remember here is top-down
 Only the board of directors and/or senior management can effectively govern
information security
 Upper management should have knowledge of the organization’s information
assets and how critical that information is to the business
 This is a good point at which to perform a comprehensive risk assessment and
business impact analysis (BIA)

Slide 35

Roles and Responsibilities of Senior Management and Board of Directors Continued

 Senior management: They must be visibly involved in effective security
governance; in other words, they lead by example.
 Penalties for noncompliance must be defined, communicated, and enforced from the
top down
 Steering committee: A group of senior representatives of the affected
groups, working to achieve consensus on priorities and trade-offs
 CISO: Organizations should have a chief information security officer,
whether or not they officially use that title. In all cases this responsibility
ultimately resides with the president or CEO: legal responsibility always flows
up the command structure and stops at the top.

Slide 36

Enterprise Architecture
 Enterprise architecture (EA) is responsible for documenting the IT assets in a structured
manner, to facilitate understanding, management, and planning of
IT investments. It also documents the current state and the road map
toward an optimized future state.
 EA should help clarify the complex technology choices faced by today’s
organizations.

Slide 37

Lesson 4: Information Systems Strategy


 Strategic planning sets the long-term direction the enterprise wants to take
in using information technology to better meet its business
objectives
 This includes identifying cost-effective IT solutions
 Addressing problems and opportunities
 Developing action plans for identifying and acquiring needed resources
 This planning usually covers a 3 to 5 year horizon

Slide 38

Strategic Planning
 Strategic planning should involve a consideration of the enterprise’s
requirements for new and revised IT systems
 The plan should determine the requirements for new and
revised systems, integrated with the organization’s strategic
intentions
 Understanding what IT capabilities will be needed to support
these future plans
 Understanding the costs and risks associated with these
requirements

Slide 39

Strategic Planning Continued


 The auditor should consider the importance of strategic planning
 It is important that these plans are synchronized with the
organization’s strategies
 The auditor should assess how the plans are taken into
account in the IT strategy formulation
 There should be requirements in place for updating and
communicating plans
 There should also be processes for monitoring and evaluating
the requirements

Slide 40

Steering Committee
 This committee should know the IS department’s policies, procedures
and practices.
 Its primary functions are:
 Review long- and short-range plans
 Review and approve major acquisitions
 Approve and monitor major projects
 Review and approve sourcing strategies, whether internal or external
 Review the adequacy of resource allocation with regard to time, personnel
and equipment
 The committee should report to the board of directors

Slide 41

Lesson 5: Maturity and Process Improvement Models

 The IDEAL model provides a structure to guide enterprises in planning
and implementing an effective software process improvement program,
and is considered a founding strategy employed by many in the software
engineering field
 Capability Maturity Model Integration (CMMI) is a process-driven
approach that provides the essential elements of effective processes. It
can be used to guide process improvement for a project or an entire
organization

Slide 42

Maturity and Process Improvement Models

 Team Software Process (TSP) is a methodology that guides teams and their
management through a 4-day launch process that establishes goals,
defines roles, assesses risks and produces a comprehensive project plan
 The Personal Software Process (PSP) is a methodology that helps software
engineers manage quality, improve estimating and planning, and reduce
defects in their products

Slide 43

Lesson 6: IT Investment and Allocation Practices

 Each organization has limited resources available to achieve its goals and
objectives. Therefore, once resources are invested in one effort, they are no
longer available for other efforts that could have brought value. Some
estimates say that 20-70% of large-scale investments in IT are wasted, or fail
to bring a return to the organization.
 Traditionally, the return on an IT investment was considered in terms of
financial benefit. Today, business leaders also consider the non-financial
benefits of an IT investment
 A non-financial benefit is one that affects operations or mission
performance, for example improved customer satisfaction

Slide 44

IT Investment and Allocation Practices


 Value of IT (Val IT) is a framework that has three components:
 Value governance
 Portfolio management
 Investment management

Slide 45

IT Investment and Allocation Practices Continued

 Value governance
 Establish informed and committed leadership
 Define and implement processes
 Establish effective governance monitoring
 Continuously improve value management practices
 Align and integrate value management with enterprise financial planning

Slide 46

IT Investment and Allocation Practices Continued

 Portfolio management
 Establish the strategic direction and target investment mix
 Determine the availability and source of funds
 Manage human resources
 Monitor and report on investment performance
 Optimize investment performance

Slide 47

IT Investment and Allocation Practices Continued

 Investment management
 Develop and evaluate the initial business case
 Understand the candidate program and implementation options
 Develop the detailed candidate business case
 Develop the program plan
 Launch and manage the program
 Monitor and report on the program
 Develop full lifecycle costs and benefits
 Update the operational IT portfolios
 Retire the program

Slide 48

Implement IT Portfolio Management


 Implementation methods include:
 Risk profile analysis
 Diversification of projects
 Infrastructure and technologies
 Continuing alignment with business goals
 Continuing improvement

 There’s no single best way to implement the IT portfolio approach

Slide 49

IT Portfolio Management Versus Balanced Scorecard

 An advantage of IT portfolio management is its ability to adjust
investments
 Balanced scorecards emphasize the use of vision and strategy in any
investment decision, but their goal is not the management of IT budgets

Slide 50

Lesson 7: Policies and Procedures


 Policies and procedures reflect management’s guidance and direction
in developing controls over information systems

Slide 51

Policies
• Policies have always been considered high-level documents that represent the corporate philosophy. Often a policy is considered a blueprint that an organization will follow.
• It is important to remember that policies do not contain detailed plans; rather, they are general goals and directives
• Policies can be considered to have a hierarchical structure, in that lower-level policies can be defined for individual divisions and departments, but they should be complementary to the higher-level policy

Slide 52

Policies Continued
• Some organizations develop a low-level policy first, based on immediate needs and priorities
  ◦ These may come from the results of a risk assessment
  ◦ These may come from problems or outages within the IT department
• The problem with this approach is that it may create inconsistencies with high-level policies
• The proper approach is a top-down approach to the development of lower-level policies

Slide 53

Policies Continued
• Policy reviews are important and are part of the audit process
• Policies should have a review date, and the auditor should check how current each policy is
• Policies should be updated to reflect new technology or changes in the environment, such as new regulations
• Policies should be aligned with business objectives and the implementation of IS controls
• The auditor should consider whether or not the policies may hinder customer satisfaction or the ability to meet business objectives
• Remember that customer satisfaction may come into conflict with matters of confidentiality and information security

Slide 54

Information Security Policy
• The security policy should be a coherent security standard for everyone involved in the organization
• Policies will often set the foundation for what tools and procedures are needed by the organization
• Policy should balance the level of control with the level of productivity
• Policies should be approved by upper management and properly communicated to all affected employees and/or business partners
• These policies should act as a guide for the entire organization, stating what is to be protected and how it will be protected

Slide 55

Information Security Policy Continued
• The policy document should contain:
  ◦ The overall objectives, scope and importance of security for the organization
  ◦ A statement of management intent, together with the supporting goals and principles of information security
  ◦ A framework of control objectives
  ◦ A brief explanation of the policies, principles, standards and compliance requirements that apply to the organization
    ◦ This may include any regulatory laws or contractual requirements
  ◦ Security education and awareness requirements
  ◦ Consequences of policy violations
  ◦ General and specific responsibilities for information security management

Slide 56

Information Security Policy Continued
• Policy document continued
  ◦ This document should be communicated throughout the organization in a form that is readily available and understandable to the target audience
  ◦ This document might be part of a general policy document and distributed to third parties
  ◦ Employees having access to information assets should be required to sign off on having read the document and on their willingness to comply

Slide 57

Information Security Policy Continued
• The policy document could be subdivided into different groups, such as:
  ◦ A high-level information security policy
  ◦ A data classification policy
  ◦ An acceptable use policy
  ◦ An end-user computing policy
  ◦ Access control policies

Slide 58

Information Security Policy Continued
• The acceptable use policy is of extreme importance to the enterprise
  ◦ It is important that users understand the risk they can cause the organization by exposing it to things such as virus attacks or other compromises of network systems and services
  ◦ It is very common practice to require new employees to sign an acknowledgment before receiving any access information

Slide 59

Information Security Policy Continued
• The importance of reviewing the information security policy
  ◦ This should be done at planned intervals or whenever significant changes occur in the environment
  ◦ The policy must remain adequate and effective under the current state of the organization's information security department
  ◦ During the review, there should be opportunities for further improvement of the security policy

Slide 60

Information Security Policy Continued
• The tasks presented to the IS auditor for policy review should include:
  ◦ The basis on which the policy was defined, which ideally is solely a risk management process
  ◦ The contents of the policy
  ◦ Any exceptions to the policies, including why they were granted
  ◦ The policy approval process
  ◦ How the policy has been implemented
  ◦ Employee awareness and training
  ◦ An audit of the review and update process

Slide 61

Procedures
• Procedures are detailed steps that are used to implement policies. They should be derived from the parent policy and implement the spirit of the policy statement
• Procedures should be written clearly and concisely so they can be easily understood and followed
• These steps should be created by the process owners and reflect a translation of the security policies
• Procedures are more dynamic and may be subject to frequent change; therefore they should be reviewed more often than the policy

Slide 62

Procedures Continued
• The auditor should review the procedures to evaluate their effectiveness
  ◦ The auditor should determine whether these procedures meet the control objectives while keeping the process efficient and practical
  ◦ If the operational practices are not in line with the procedures, this should be documented
  ◦ The auditor should make sure that these procedures are well known by the people who use them. If they are not well known, then these procedures are essentially ineffective
  ◦ The auditor should make sure that these procedures are documented, understood and implemented

Slide 63

Lesson 8: Risk Management
• Risk management is the process of identifying vulnerabilities and threats to your information resources. The results of a risk assessment can help an organization decide what countermeasures, if any, it may use to reduce risk to an acceptable level
• Any risk management should start with an understanding of what is an acceptable level of risk for the organization. This knowledge will drive all risk management efforts, including the impact on future investments in technology
• Risk management includes identifying, analyzing, evaluating, treating, monitoring and communicating the impact of risk on IT processes

Slide 64

Risk Management Continued
• The level of risk accepted in an organization is defined by the response chosen for each risk:
  ◦ Avoidance: The choice not to implement certain activities or processes that could carry risk
  ◦ Mitigation: Lowering the probability or impact of a risk through appropriate controls
  ◦ Transferring: Sharing the risk with partners, or through insurance coverage or other means
  ◦ Acceptance: Acknowledging that a risk exists and choosing only to monitor it

Slide 65

Developing a Risk Management Program
• The steps to develop a risk management program include:
  ◦ Establishing the purpose of the risk management program, which is the first step. This should be the reason for the program, which might be to reduce the cost of insurance or to reduce the number of program-related injuries. Knowing the purpose helps set up key performance indicators to evaluate risk
  ◦ Assigning responsibility for the plan, which is the second step. This involves assigning a person or team that is responsible for developing and evolving the program

Slide 66

Risk Management Process
• Risk should be managed consistently; therefore an organization should have an established, repeatable process for the management of risk
• ISACA published the Risk IT framework, a risk management process model based on COBIT. This framework outlines several processes

Slide 67

Risk Management Process Continued
• One part of the process is the identification and classification of the resources or assets that are vulnerable to threats
  ◦ This classification can prioritize each asset or resource
  ◦ This process can also enable a standard model of protection to be applied

Slide 68

Risk Management Process Continued
• Another step in the process is to assess threats and vulnerabilities, as well as to consider the likelihood of their occurrence. A threat does not only mean a hacker; it is any event that can cause harm to resources or information, such as:
  ◦ Errors
  ◦ Malicious damage
  ◦ Fraud
  ◦ Theft
  ◦ Equipment or software failure

Slide 69

Risk Management Process Continued
• Relationship between threats and vulnerabilities: a risk occurs because a threat may exploit a vulnerability
  ◦ When a threat does exploit a vulnerability, the result is called an impact
• Once all of the risks have been established, they are combined to form an overall view of risk
  ◦ Overall risk can be thought of as the impact multiplied by the probability of the risk occurring

Slide 70

Risk Management Process Continued
• From the overall view, controls can then be evaluated to determine their ability to reduce the level of risk. These are often called countermeasures or safeguards
  ◦ This could be a new procedure
  ◦ A new hardware control
  ◦ Or any combination of actions, devices, procedures or techniques
• Once risk has been reduced, what remains is called residual risk

Slide 71

Risk Management Process Continued
• Risk management should operate at multiple levels
  ◦ At the operational level, the concern is with risks that could compromise IT systems and the supporting structure, such as the ability to bypass controls
  ◦ At the project level, risk management should focus on the ability to understand and manage project complexity; otherwise the objectives may not be met
  ◦ At the strategic level, the focus of risk shifts to how well IT is aligned with the business strategy

Slide 72

Risk Analysis Methods
• There are three methods that we will discuss in this section: qualitative, semi-quantitative and quantitative risk analysis

Slide 73

Risk Analysis Methods Continued
• Qualitative analysis is often thought of as a descriptive method of analyzing risk
  ◦ This process is normally based on checklists using subjective ratings
• Semi-quantitative analysis is similar to qualitative analysis, except that the descriptive rankings are usually associated with some sort of numeric scale

Slide 74

Risk Analysis Methods Continued
• Quantitative analysis uses actual numeric values to describe the likelihood and impact of risk, drawn from sources such as:
  ◦ Historic records
  ◦ Past experiences
  ◦ Industry practices and records
  ◦ Testing and experiments

Slide 75

Risk Analysis Methods Continued
• A quantitative risk analysis is often done during a business impact analysis. One of the weaknesses of this method lies in the valuation of an asset, as well as in quantifying any ripple effects from the loss of that asset
• Probability of expectancy is a method based on classical theories. Even with natural phenomena there are many variables that can affect the outcome of the probability that an event occurs
  ◦ Generally the probability of an event is expressed as a percentage chance of that event occurring

Slide 76

Risk Analysis Methods Continued


 One equation used in quantitative risk analysis is the annual loss expectancy (ALE). It simplifies the assignment of probability by reducing it to an expected rate of occurrence per year, which is easier to quantify and to compare against the annual cost of a control.
 The calculation requires the value of the asset (AV), the exposure factor (EF, the fraction of the asset value lost in a single event), the annualized rate of occurrence (ARO) of the event, and the single loss expectancy (SLE):
 SLE = AV x EF
 ALE = SLE x ARO
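The ALE calculation carried through for two sample risks, with the cost-benefit test an auditor would expect to see before a control is funded. This is an added example, not material from the slides; the asset values, exposure factors, rates of occurrence and control costs are constructed figures chosen so the arithmetic is exact.

```python
"""Annual loss expectancy (ALE) worked through for several risks, with the
cost-benefit test used to decide whether a control is worth funding.
Added example; the figures below are constructed, not from the slides."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV: monetary value of the asset at risk
    exposure_factor: float  # EF: fraction of AV lost in one occurrence (0..1)
    aro: float              # ARO: expected occurrences per year (0.1 = once a decade)

    def sle(self) -> float:
        """Single loss expectancy, SLE = AV x EF (loss from one event)."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: exposure factor must be in [0, 1]")
        if self.aro < 0:
            raise ValueError(f"{self.name}: ARO cannot be negative")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual loss expectancy, ALE = SLE x ARO (expected loss per year)."""
        return self.sle() * self.aro


def control_value(before: Risk, after: Risk, annual_control_cost: float) -> float:
    """Net annual value of a control = (ALE before - ALE after) - annual cost.

    Positive: the control removes more expected loss than it costs.
    Negative: the control costs more than the risk it mitigates, so
    accepting or transferring the risk may be the better treatment."""
    return before.ale() - after.ale() - annual_control_cost


def rank_by_ale(risks):
    """Order risks by expected annual loss, largest first."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


# Constructed sample figures (assumptions, not from the slides).
RANSOMWARE = Risk("ransomware on file server", asset_value=400_000,
                  exposure_factor=0.5, aro=0.5)
FLOOD = Risk("data centre flood", asset_value=2_000_000,
             exposure_factor=0.25, aro=0.125)

# Each candidate control is the same risk with only the parameter it changes.
# Offline backups shrink how much of the asset is lost per event (EF),
# not how often the event occurs.
RANSOMWARE_WITH_BACKUPS = replace(RANSOMWARE, exposure_factor=0.125)
BACKUPS_ANNUAL_COST = 30_000
# Relocating equipment reduces how often a flood reaches it (ARO),
# not the loss per event.
FLOOD_AFTER_RELOCATION = replace(FLOOD, aro=0.03125)
RELOCATION_ANNUAL_COST = 80_000


def assessment() -> dict:
    """Return the numbers a risk register would record for the sample risks."""
    return {
        "ransomware_sle": RANSOMWARE.sle(),
        "ransomware_ale": RANSOMWARE.ale(),
        "backups_net_value": control_value(
            RANSOMWARE, RANSOMWARE_WITH_BACKUPS, BACKUPS_ANNUAL_COST),
        "flood_ale": FLOOD.ale(),
        "relocation_net_value": control_value(
            FLOOD, FLOOD_AFTER_RELOCATION, RELOCATION_ANNUAL_COST),
        "highest_ale": rank_by_ale([RANSOMWARE, FLOOD])[0].name,
    }


if __name__ == "__main__":
    for key, value in assessment().items():
        print(f"{key:>22}: {value}")
```

With these figures the backup control is worth funding (it removes 75,000 of expected annual loss for 30,000 a year), while the relocation is not (it removes 46,875 but costs 80,000), even though the flood has the larger single-loss figure. That is the point of converting to an annual figure: controls are compared against expected loss per year, not against the worst single event.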

Slide 77

Lesson 9: IS Management Practices


 Management practices should reflect how the organization's policies and procedures are implemented. These practices include areas such as:
 Personnel management
 Sourcing
 IT change management

Slide 78

Human Resource Management


 Human resource policies cover the procedures for:
 Hiring
 Training
 Evaluating
 Promoting staff
 Disciplinary actions

Slide 79

Human Resource Management Continued


 Hiring practices are important to ensure that effective and efficient staff are selected and that the company complies with employment law. Controls applied at hiring include:
 Background checks
 Confidentiality agreements
 Conflict of interest agreements
 Non-compete agreements
 Code of ethics

Slide 80

Human Resource Management Continued


 An employee handbook should be made available to all employees at the time of hire
 Promotion policies should be fair and equitable, and understood by employees
 Training should be provided on a regular basis to all employees
 Scheduling and time reporting
 Employee performance evaluations
 Required vacations: having someone else perform an employee's duties for a period is especially useful in detecting signs of fraud or other abuse
 Termination policies

Slide 81

Sourcing Practices


 Sourcing practices relate to the way in which an organization obtains the IS functions required to support the business. The sourcing strategy considers each IS function to determine which approach to follow. The options are:
 Insourced
 Outsourced
 Hybrid

Slide 82

Sourcing Practices Continued


 Sourcing policies should evaluate each IS function to determine the best method of delivery, considering:
 Whether the function is a core IS function
 Whether the function involves IS-specific knowledge, processes and staff critical to meeting the organization's goals and objectives
 Whether the function can be performed by a third party at the same or lower cost
 Whether the IS department has experience working with third parties

Slide 83

Sourcing Practices Continued


 Outsourcing practices should be evaluated against the contractual agreements under which the organization hands over control of its IS functions.
 Reasons for outsourcing include:
 A desire to focus on core activities
 Pressure on profit margins
 Becoming more competitive
 Greater flexibility for the organization

Slide 84

Sourcing Practices Continued

 Outsourcing considerations (continued) should include:


 Setting service quality expectations using recognized methodologies such as the Capability Maturity Model (CMM), ITIL or ISO standards
 Determining the types of access control and security administration to be used, and who retains control of them
 Defining change/version control and testing requirements in the contract
 Stating specific, defined performance parameters that must be met
 Provisions for contractual changes
 A path for escalating and resolving disputes
 Identification of all subcontractor relationships

 Much of this information is typically captured in a service level agreement (SLA)

Slide 85

Sourcing Practices Continued


 Where an outsourced function is delivered from another country, worldwide practices and strategies should be weighed in the outsourcing decision, including:
 Legal, regulatory and tax issues
 Continuity of operations
 Personnel
 Telecommunication issues
 Cross-border and cross-cultural issues

Slide 86

Sourcing Practices Continued


 Options for auditing a third party:
 The SLA may require a third-party audit of the service provider
 The audit report and its results should be made available to the IS auditor and found acceptable
 The contract may allow the user organization's own auditor to review the service provider periodically

Slide 87

Sourcing Practices Continued


 Outsourcing is a mechanism that allows organizations to transfer the delivery of services to third parties, and that transfer must be governed
 It is important to remember that liability ultimately rests with the hiring organization's management: responsibility for delivering a service can be transferred, accountability for it cannot
 The outsourcing decision should be treated as strategic, not merely as a procurement
 Non-core processes are better candidates for outsourcing than key processes

Slide 88

Sourcing Practices Continued


 Outsourcing can make an organization more competitive, but only if the organization understands which parts of its processes give it a competitive advantage and keeps those in-house
 As a strategic resource, outsourcing should be governed accordingly
 Governance of outsourcing is the set of responsibilities, roles, objectives and controls required to manage third-party provided services
 The governance of outsourcing should extend to both parties through the use of SLAs and operating level agreements (OLAs)

Slide 89

Sourcing Practices Continued


 Current approaches to outsourcing governance should be planned in advance and built into the contract as part of service cost optimization
 Another reason for outsourcing may be that the organization's own capacity and growth planning is not sufficient to meet its needs
 Outsourced services should have a system of monitoring and review in place:
 Monitoring adherence to the agreements
 Reviewing service reports
 Obtaining information about information security incidents
 Reviewing third-party audits
 Resolving any identified problems

Slide 90

Sourcing Practices Continued


 Outsourcing contracts can include service improvement expectations, such as:
 Reductions in the number of help desk calls
 Reductions in the number of system errors
 Improvements in system availability

Slide 91

Organizational Change Management


 Organizational change management involves the use of defined and documented processes to identify and apply technology improvements as they are needed
 A high level of user involvement and communication ensures that the IS department understands user expectations, and that changes are not resisted or ignored once they are submitted

Slide 92

Financial Management Practices


 Financial management is a critical part of every business function, so sound financial management practices must also be in place within IS
 One option is a user-pays scheme, a form of chargeback in which business units are billed for the IS services they consume; it improves monitoring of, and accountability for, IS expenses
 Chargeback is a joint responsibility of IS management and user management
 IS management, like every other department, must have a budget

Slide 93

Quality Management
 Quality management is a means by which IS department processes are
controlled, measured and improved. Areas of control for quality
management might include:
 Software development
 Acquiring new hardware and software
 Day-to-day operations
 Service management
 Security
 HR management
 General administration

Slide 94

Quality Management Continued


 Quality management should be defined, documented and used as evidence of effective governance of information resources. Management should insist that the defined processes and the related process management techniques are followed, for both effectiveness and efficiency
 One standard that has received wide recognition is ISO 9001, "Quality management systems" (the slide cites the 2000 edition; the standard has since been revised, most recently as ISO 9001:2015). It applies to all types of organizations, whether service or product oriented

Slide 95

Quality Management Continued


 A gap analysis can assist an organization in meeting the ISO requirements by identifying where the company is not in compliance with the standard
 Part of gaining certification is ensuring that up-to-date process documentation exists for the main functions within the IS organization
 The standard requires that a set of mandatory quality records be maintained
 The related IT service management standard, ISO/IEC 20000, mirrors the ITIL V2 service support and service delivery disciplines, which promote an integrated process approach to the delivery of IT services

Slide 96

Information Security Management


 Information security management takes the lead role in making sure that the organization's information is properly protected.
 Risk assessment can be crucial to help develop the following:
 Business impact analysis
 Business continuity plans
 Disaster recovery plans

Slide 97

Performance Optimization
 Measuring IT performance is a dynamic process, especially given how complex and changeable today's environment is
 The process is driven by performance indicators, which can themselves be complex because they depend on the organization's business operations and processes
 Optimization aims to improve the productivity of information systems without additional IT investment in infrastructure

Slide 98

Performance Optimization Continued


 Measuring the value IT delivers raises several issues:
 A model is first built to evaluate performance and alignment with business objectives
 Measurement errors should be accounted for so that the true inputs and outputs are captured
 Time lags between an expense and the benefit it produces should be reflected in current measures
 IT is often used to redistribute costs within the firm rather than remove them, which distorts cost-based measures
 The lack of explicit measures of the value of information leaves that resource vulnerable to being used improperly or overused by managers, which would be an indication of mismanagement

Slide 99

Performance Optimization Continued


 Good performance management systems should have leadership, a
framework, good communications, and accountability for the results.
Rewards, compensation and recognition should be linked to
performance measures.

Slide 100

Lesson 10: IS Organizational Structure and Responsibilities


 An organization can be structured in many different ways, using different job descriptions, so the CISA exam does not ask questions about specific job responsibilities.
 Instead, the exam refers to universally recognized roles such as business owners, the information security function and executive management.

Slide 101

IS Roles and Responsibilities


 Systems development manager is responsible for programmers and analysts
 Project managers are responsible for planning and executing IS projects
 Service desk is a unit within an organization that responds to technical questions and
problems faced by users
 End-user is the person responsible for operations related to business
applications
 End-user support manager acts as a liaison between the IS department and end
users
 Data management is responsible for the data architecture and is tasked with
managing data as an asset
 QA manager is responsible for negotiating and facilitating quality activities in all areas
of IT
 Information security management is a function separate from the IS department and
headed by the CISO

Slide 102

IS Roles and Responsibilities Continued


 Operations manager is responsible for computer operations personnel, including all
staff required to run the computer systems efficiently and effectively
 Control group is responsible for the collection, conversion and control of input, and
the balancing and distribution of output to the users
 Media management is required to record, issue, receive and safeguard all program and
data files found on removable media
 Data entry is critical to the information processing activity
 Systems administration is responsible for maintaining major multiuser computer
systems, which might include the LAN, WLAN, and other network types
 Security administrator responsibilities should be clearly defined. Segregation of duties should
be employed where practical

Slide 103

IS Roles and Responsibilities Continued


 Database administrator is the custodian of an organization’s data, and defines
and maintains the data structures in the database system
 Systems analysts are specialists who design systems based on the needs of
the user and are often used during the initial phase of the SDLC
 Security architects evaluate security technology, design security aspects of
network topology, access control, identity management and other security
systems
 Application staff develop and maintain applications
 Infrastructure staff are responsible for maintaining system software,
including the operating systems
 Network management takes care of the different network types
 Network administrators are responsible for key components such as
routers, switches, firewalls etc.

Slide 104

Segregation of Duties
 For the purposes of security, and when practical, no one person should
be responsible for diverse and critical functions such as:
 Custody of assets
 Authorization
 Recording transactions

 If duties cannot be segregated then you might consider the use of
compensating controls to reduce the risk of a potential weakness

Slide 105

Segregation of Duties Controls


 Transaction authorization is a responsibility of the user department
 Custody of assets should be determined and assigned appropriately
 Access to data can be a combination of physical, system, and application
security
 Consider using authorization forms
 Consider using authorization tables

Slide 106

Compensating Controls for Lack of Segregation
 Audit trails are an essential component of any well-designed system
 Reconciliation may be performed by the data control group through the use
of control totals and balance sheets
 Exception reporting should be handled at the supervisory level and
require evidence
 Transaction logs, whether manual or automated, are records of data
transactions
 Supervisory reviews are done through observation and inquiry
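As an added example (not part of the course material), the check below runs over an authorization table to find users holding two or more of the incompatible duties named on the Segregation of Duties slide (custody, authorization, recording), and turns the result into an exception report in which conflicts that have a documented compensating control are marked for supervisory review. The role names, users and control descriptions are constructed.

```python
"""Segregation-of-duties check over an authorization table.

Added example, not from the CISA course material.  The role names,
users and compensating controls below are constructed for illustration.
"""
from dataclasses import dataclass
from itertools import combinations

# The three duty classes that one person should not combine.
CUSTODY = "custody"
AUTHORIZATION = "authorization"
RECORDING = "recording"

# Map each assignable role to the duty class it represents.
# Constructed role names; a real table comes from the access-control system.
ROLE_DUTY = {
    "ap_invoice_entry": RECORDING,          # records payable transactions
    "ap_payment_approver": AUTHORIZATION,   # approves payments
    "treasury_disbursement": CUSTODY,       # releases funds (custody of assets)
    "gl_journal_entry": RECORDING,          # records general-ledger entries
    "read_only_reporting": None,            # grants no conflicting duty
}

# Any two distinct duty classes held by one person form a conflict.
CONFLICT_PAIRS = {frozenset(p) for p in combinations((CUSTODY, AUTHORIZATION, RECORDING), 2)}


@dataclass
class Finding:
    user: str
    duties: frozenset
    roles: tuple
    compensating: tuple = ()   # documented compensating controls, if any

    @property
    def mitigated(self) -> bool:
        return bool(self.compensating)


def duties_of(roles):
    """Return the set of duty classes granted by a list of roles."""
    duties = set()
    for role in roles:
        duty = ROLE_DUTY.get(role)
        if duty is not None:
            duties.add(duty)
    return frozenset(duties)


def find_sod_conflicts(authorization_table, compensating_controls):
    """Report users who hold two or more incompatible duties.

    authorization_table: {user: [role, ...]}
    compensating_controls: {user: [control description, ...]} recorded for
    users whose duties could not be segregated.
    """
    findings = []
    for user, roles in sorted(authorization_table.items()):
        duties = duties_of(roles)
        if any(pair <= duties for pair in CONFLICT_PAIRS):
            findings.append(Finding(user, duties, tuple(sorted(roles)),
                                    tuple(compensating_controls.get(user, ()))))
    return findings


def exception_report(findings):
    """Lines for supervisory review; unmitigated conflicts are listed first."""
    lines = []
    for f in sorted(findings, key=lambda f: f.mitigated):
        status = "MITIGATED" if f.mitigated else "UNMITIGATED"
        lines.append(f"{status}: {f.user} holds {', '.join(sorted(f.duties))} "
                     f"via {', '.join(f.roles)}")
        for control in f.compensating:
            lines.append(f"    compensating control: {control}")
    return lines


# Constructed sample authorization table and compensating-control register.
SAMPLE_TABLE = {
    "alice": ["ap_invoice_entry", "read_only_reporting"],     # recording only
    "bob": ["ap_payment_approver", "treasury_disbursement"],  # approves and pays
    "carol": ["gl_journal_entry", "ap_payment_approver"],     # records and approves
    "dave": ["treasury_disbursement"],                        # custody only
}
SAMPLE_COMPENSATING = {
    "bob": ["daily supervisory review of the disbursement log",
            "weekly reconciliation of payments to control totals"],
}

if __name__ == "__main__":
    for line in exception_report(find_sod_conflicts(SAMPLE_TABLE, SAMPLE_COMPENSATING)):
        print(line)
```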

Slide 107

Lesson 11: Auditing IT Governance Structure and Implementation
 As an auditor, there are many conditions which you should be
concerned about, but some of the more significant indicators of
potential problems might include:
 Unfavorable end-user attitudes
 Excessive costs
 Late projects
 High staff turnover
 Frequent hardware/software errors
 Extensive exception reports
 Poor motivation
 Too few key personnel

Slide 108

Reviewing Documentation

 The following documents should be reviewed


 IT strategies, plans and budgets to show evidence of planning and management control
 Security policy documentation to provide the standard for compliance
 Organizational/functional charts for the auditor to understand reporting lines within a
department
 Job descriptions to define the various functions and responsibilities throughout the
organization
 Steering committee reports to provide documented information about new system
projects

Slide 109

Reviewing Documentation Continued


 Documents to be reviewed continued
 System development and program change procedures to provide a framework for
change
 Operations procedures to describe the responsibilities of the operations staff
 HR manuals to provide rules and regulations for employee conduct
 QA procedures to provide a framework of standards followed by the IS department

Slide 110

Reviewing Contractual Commitments


 This includes hardware, software, and IS service contracts such as:
 SLAs, bidding and selection process, contract acceptance, maintenance and
compliance
 The review of the contracts by the auditor should evaluate some of the
following:
 Service levels
 Third-party audits
 Software escrow
 Penalties for noncompliance
 Contract changes
 Adherence to security policies and procedures

Slide 111

Lesson 12: Business Continuity Planning


 Failures and disasters can happen, and it is important that a business be
capable of continuing to run in the event of a disruption
 The first step in preparing a BCP is to determine which processes are
most important
 Based on those key processes, management should begin a risk assessment to
determine the impact those processes have on the organization
 List of potential vulnerabilities
 Human resources, data, and infrastructure elements that support the process
 The probability of the occurrence of the threat

Slide 112

Business Continuity Planning Continued


 A BCP should address all functions and assets that must continue to
make the organization viable
 The focus is on the availability of key business processes to be able to continue
operations
 The design of the BCP is the primary responsibility of senior management

 BCP should take into consideration the critical operations and the
resources required to support them

Slide 113

Business Continuity Planning Continued


 Disaster recovery plans work with BCP to recover a facility that was
rendered inoperable
 Depending on the complexity of the facility, there may be a number of
different DRPs, all of which can be integrated into a single plan

Slide 114

IS Business Continuity Planning


 IS business continuity planning has the same approach as a corporate
plan in that the goal is the continuation of IS processing
 The BCP should be aligned with the strategy of the organization
 A priority list should be made of the various application systems
 Remember to consider the premises among critical business processes in the BCP

Slide 115

Disasters and Other Disruptive Events


 Disasters can involve a long disruption period, which of course could
severely impact organizational operations
 Natural calamities
 Power grid
 Telecommunications
 Energy supplies
 Terrorist attacks
 Hackers
 Human error

Slide 116

Disasters and Other Disruptive Events Continued
 Based on risk assessment, worst-case scenarios and short-term and
long-term strategies should be included in the BCP
 For example, a long-term plan may require a new permanent facility
 A severe disruption could damage the image, reputation or brand of the organization;
therefore PR should be considered as part of the BCP

Slide 117

Business Continuity Planning Process

[Figure: Business Continuity Planning Life Cycle, a diagram arranging the following phases in a cycle]
 Project Planning: BCP Project Scope
 Risk Assessment and Analysis
 BIA
 BC Strategy Development
 BC Plan Development
 Strategy Execution (risk countermeasures implementation)
 BC Awareness Training
 BC Plan Testing
 BCP Monitoring, Maintenance, Updating

Slide 118

Business Continuity Policy


 This is a document approved by top management to define the extent
and scope of business continuity efforts within the organization
 The BCP should have an internal and a public portion
 Internally, it is the message to stakeholders about the efforts the company is
undertaking to restore services
 Publicly, the message is for external stakeholders, showing that the organization is taking
its obligations seriously
 A BCP should be communicated to all responsible parties before, rather than
after, a disaster occurs

Slide 119

Business Impact Analysis


 The BIA is a critical step in creating a proper
business continuity strategy
 BIA is used in evaluating critical processes
 Acceptable downtimes
 Priorities
 Resources and interdependencies
 For a successful BIA, the key business processes and
resources should be fully understood

Slide 120

Business Impact Analysis Continued


 There are two different approaches to conducting a BIA:
 The questionnaire approach circulates forms to key users in IT and end-user areas
 This information is then gathered, tabulated and analyzed
 Another approach is to interview groups of key users
 This information is also tabulated and analyzed to provide a BIA plan strategy

Slide 121

Classification of Operations and Criticality Analysis
 The BIA should determine a system’s risk ranking, and determine the
maximum time that a particular system can be down.
 These classifications can be as follows:
 Critical are those functions that can’t be performed unless replaced by identical
capabilities. These cannot be replaced by manual methods
 Vital are functions that can be handled manually, but only for a brief amount of time
 Sensitive are functions that can be performed manually at a tolerable cost for an
extended time
 Non-sensitive are functions that can be interrupted for extended periods of time
with little or no cost to the company

Slide 122

Development of Business Continuity Plans

 The input from the BIA, criticality analysis and recovery strategy can be
used to create a detailed BCP and DRP.
 The factors that should be considered while developing the plan are:
 Pre-disaster readiness
 Evacuation procedures
 Procedures for declaring a disaster
 Identifying the responsibilities within the plan
 Identifying those responsible for each part of the plan
 A step-by-step explanation of the recovery process

Slide 123

Other Issues and Plan Development


 Management and user involvement is mandatory for the success of the
BCP
 Management identifies the critical systems, their criticality and the resources
needed
 Recovery is the purpose of the BCP; therefore the entire organization must be
considered
 The following items should be included during the formulation of the
plan:
 The staff involved
 Facilities and equipment needed
 Any other resources required to resume operations

Slide 124

Components of a BCP
 Key decision-making personnel
 Which include a telephone list or calling tree
 Backup of required supplies
 The plan should have provisions for all of the
necessary supplies to continue normal business
activities

Slide 125

Components of a BCP Continued

• Insurance information
  ◦ IS equipment and facilities
  ◦ Media reconstruction
  ◦ Extra expense
  ◦ Business interruption
  ◦ Valuable papers and records
  ◦ Errors and omissions
  ◦ Fidelity coverage
  ◦ Media transportation

Slide 126

BCP Testing

• If at all possible, an organization should conduct a full-scale test of all operational portions of the organization, although this is rarely done.
• Such a test should be scheduled at a time of minimal disruption to normal operations
• The test should try to accomplish the following:
  ◦ Verify the precision of the BCP
  ◦ Evaluate personnel involvement
  ◦ Evaluate third-party vendors
  ◦ Test the vital records retrieval capability
  ◦ Measure overall performance

Slide 127

BCP Testing Continued

• To perform testing, the following test phases should be completed:
  ◦ Pretest: a set of actions to pre-stage for the actual test
  ◦ Test: the real action of the business continuity test
  ◦ Post-test: clean up the groups' activities and recap the evaluation and limitations of the test
• Other testing options:
  ◦ Paper test
  ◦ Preparedness test
  ◦ Full operational test

Slide 128

BCP Testing Continued

• The results of the test must be measured to determine whether the plan succeeded.
• The metrics gathered would be:
  ◦ Elapsed time to complete each task
  ◦ Amount of work performed at the backup site
  ◦ Number of records successfully carried to the backup site
  ◦ Accuracy of the data entry at the recovery site

Slide 129

BCP Maintenance

• As with all plans, the BCP should be reviewed periodically. Any of the following factors might impact the BCP requirements and require an updated plan:
  ◦ New business processes, new departments, changes in personnel
  ◦ New resources that may be developed or acquired
  ◦ Changes in business strategy
  ◦ Hardware or software changes

Slide 130

Summary of BCP

• Conduct a risk assessment
• Prepare a BIA
• Choose appropriate controls and measures for covering components
• Develop a detailed DRP
• Develop a detailed BCP
• Test the plans
• Maintain the plans

Review Questions:

1. What is the lowest level of the IT governance maturity model where an IT balanced
scorecard exists?
A. Repeatable but Intuitive
B. Defined
C. Managed and Measurable
D. Optimized

2. Which of the following should be the MOST important consideration when deciding areas of
priority for IT governance implementation?
A. Process maturity
B. Performance indicators
C. Business risk
D. Assurance reports

3. The MOST significant level of effort for business continuity planning (BCP) generally is
required during the:
A. Testing stage
B. Evaluation stage
C. Maintenance stage
D. Early stages of planning

4. Which of the following is a continuity plan test that uses actual resources to simulate a
system crash to cost-effectively obtain evidence about the plan's effectiveness?
A. Paper test
B. Post test
C. Preparedness test
D. Walk-through

5. Which of the following is MOST critical during the business impact assessment phase of
business continuity planning?
A. End-user involvement
B. Senior management involvement
C. Security administration involvement
D. IS auditing involvement

6. Who is accountable for maintaining appropriate security measures over information assets?
A. Data and systems owners
B. Data and systems users
C. Data and systems custodians
D. Data and systems auditors

7. Who is ultimately responsible and accountable for reviewing user access to systems?
A. Systems security administrators
B. Data custodians
C. Data owners
D. Information systems auditors

8. Although BCP and DRP are often implemented and tested by middle management and end
users, the ultimate responsibility and accountability for the plans remain with executive
management, such as the _______________.
A. Security administrator
B. Systems auditor
C. Board of directors
D. Financial auditor

9. As an outcome of information security governance, strategic alignment provides:
A. Security requirements driven by enterprise requirements
B. Baseline security following best practices
C. Institutionalized and commoditized solutions
D. An understanding of risk exposure

Answer Key:

1. B
Defined (level 3) is the lowest level at which an IT balanced scorecard is defined.

2. C
Priority should be given to those areas which represent a known risk to the enterprise's
operations. The level of process maturity, process performance and audit reports will feed
into the decision making process. Those areas that represent real risk to the business should
be given priority.

3. D
Company.com in the early stages of a BCP will incur the most significant level of program
development effort, which will level out as the BCP moves into maintenance, testing and
evaluation stages. It is during the planning stage that an IS auditor will play an important
role in obtaining senior management's commitment to resources and assignment of BCP
responsibilities.

4. C
A preparedness test is a localized version of a full test, wherein resources are expended in
the simulation of a system crash. This test is performed regularly on different aspects of the
plan and can be a cost-effective way to gradually obtain evidence about the plan's
effectiveness. It also provides a means to improve the plan in increments.

5. A
End-user involvement is critical during the business impact assessment phase of business
continuity planning.

6. A
Data and systems owners are accountable for maintaining appropriate security measures
over information assets.

7. C
Data owners are ultimately responsible and accountable for reviewing user access to
systems.

8. C
Although BCP and DRP are often implemented and tested by middle management and end
users, the ultimate responsibility and accountability for the plans remain with executive
management, such as the board of directors.

9. A
Information security governance, when properly implemented, should provide four basic
outcomes: strategic alignment, value delivery, risk management and performance
measurement. Strategic alignment provides input for security requirements driven by
enterprise requirements. Value delivery provides a standard set of security practices, i.e.,
baseline security following best practices or institutionalized and commoditized solutions.
Risk management provides an understanding of risk exposure.
