ISACA - PowerPoint PPT Presentation

About This Presentation
Title:

ISACA

Description:

... functions in-house or outsource all functions across the ... Help desk. End user. End user support manager. 2.8.1 IS Roles and Responsibilities (continued) ... – PowerPoint PPT presentation

Slides: 81
Provided by: brett82
Transcript and Presenter's Notes

1
ISACA
The recognized global leader in IT
governance, control, security and assurance
2
Chapter 2: IT Governance
2008 CISA® Review Course
3
Chapter Outline
  • 2.1 Introduction
  • 2.2 Corporate governance
  • 2.3 Monitoring and assurance practices for board
    and executive management
  • 2.4 Information systems strategy
  • 2.5 Policies and procedures
  • 2.6 Risk management
  • 2.7 IS management practices
  • 2.8 IS organizational structure and
    responsibilities
  • 2.9 Auditing IT governance structure and
    implementation
  • 2.10 Case study
4
2.1.1 Course Objectives
  • Review outline of chapter
  • Discuss Task and Knowledge Statements
  • Discuss specific topics within the chapter
  • Case studies
  • Sample questions

5
Exam Relevance
Ensure that the CISA candidate understands
and can provide assurance that the organization
has the structure, policies, accountability
mechanisms and monitoring practices in place to
achieve the requirements of corporate governance
of IT.
The content area in this chapter will represent
approximately 15% of the CISA examination
(approximately 30 questions).
6
2.1.2 Chapter 2 Task Statements
  • T2.1 Evaluate the effectiveness of IT governance
    structure to ensure adequate board control over
    the decisions, directions and performance of IT,
    so it supports the organization's strategies and
    objectives.
  • T2.2 Evaluate IT organizational structure and
    human resources (personnel) management to ensure
    that they support the organization's strategies
    and objectives.
  • T2.3 Evaluate the IT strategy and process for
    their development, approval, implementation and
    maintenance to ensure that they support the
    organization's strategies and objectives.
7
2.1.2 Chapter 2 Task Statements (continued)
  • T2.4 Evaluate the organization's IT policies,
    standards, procedures and processes for their
    development, approval, implementation and
    maintenance to ensure that they support the IT
    strategy and comply with regulatory and legal
    requirements.
  • T2.5 Evaluate management practices to ensure
    compliance with the organization's IT strategy,
    policies, standards and procedures.
  • T2.6 Evaluate IT resource investment, use and
    allocation practices to ensure alignment with the
    organization's strategies and objectives.
8
2.1.2 Chapter 2 Task Statements (continued)
  • T2.7 Evaluate IT contracting strategies and
    policies and contract management practices to
    ensure that they support the organization's
    strategies and objectives.
  • T2.8 Evaluate risk management practices to ensure
    that the organization's IT-related risks are
    properly managed.
  • T2.9 Evaluate monitoring and assurance practices
    to ensure that the board and executive management
    receive sufficient and timely information about
    IT performance.
9
2.1.3 Chapter 2 Knowledge Statements
  • KS2.1 Knowledge of the purpose of IT strategies,
    policies, standards and procedures for an
    organization and the essential elements of each
  • KS2.2 Knowledge of IT governance frameworks
  • KS2.3 Knowledge of the processes for the
    development, implementation and maintenance of IT
    strategies, policies, standards and procedures
    (e.g., protection of information assets, business
    continuity and disaster recovery, systems and
    infrastructure life cycle management, and IT
    service delivery and support)
10
2.1.3 Chapter 2 Knowledge Statements (continued)
  • KS2.4 Knowledge of quality management strategies
    and policies
  • KS2.5 Knowledge of organizational structure, roles
    and responsibilities related to the use and
    management of IT
  • KS2.6 Knowledge of generally accepted
    international IT standards and guidelines
  • KS2.7 Knowledge of enterprise IT architecture and
    its implications for setting long-term strategic
    decisions
11
2.1.3 Chapter 2 Knowledge Statements (continued)
  • KS2.8 Knowledge of risk management methodologies
    and tools
  • KS2.9 Knowledge of the use of control frameworks
    (e.g., COBIT, COSO, ISO 17799)
  • KS2.10 Knowledge of the use of maturity and
    process improvement models (e.g., Capability
    Maturity Model (CMM), COBIT)
  • KS2.11 Knowledge of contracting strategies,
    processes and contract management practices
  • KS2.12 Knowledge of practices for monitoring and
    reporting of IT performance (e.g., balanced
    scorecards, key performance indicators (KPIs))
12
2.1.3 Chapter 2 Knowledge Statements (continued)
  • KS2.13 Knowledge of relevant legislative and
    regulatory issues (e.g., privacy, intellectual
    property, corporate governance requirements)
  • KS2.14 Knowledge of IT human resources
    (personnel) management
  • KS2.15 Knowledge of IT resource investment and
    allocation practices (e.g., portfolio management,
    return on investment (ROI))
13
2.2 Corporate Governance
  • Ethical corporate behavior by directors or others
    charged with governance in the creation and
    presentation of wealth for all stakeholders
  • The distribution of rights and responsibilities
    among different participants in the corporation,
    such as board, managers, shareholders and other
    stakeholders
  • Establishment of rules to manage and report on
    business risks

14
2.3 Monitoring and Assurance Practices for Board
and Executive Management
  • Enterprises are governed by generally accepted
    good or best practices, the assurance of which is
    provided by certain controls. From these
    practices flows the organization's direction,
    which indicates certain activities using the
    organization's resources. The results of these
    activities are measured and reported on,
    providing input to the cyclical revision and
    maintenance of controls.
  • IT is also governed by good or best practices
    that ensure that the organization's information
    and related technology support its business
    objectives, its resources are used responsibly,
    and its risks are managed appropriately.

15
2.3 Monitoring and Assurance Practices for Board
and Executive Management (continued)
  • Effective enterprise governance focuses
    individual and group expertise and experience on
    specific areas where they can be most effective
  • IT governance is concerned with two issues: that
    IT delivers value to the business and that IT
    risks are managed
  • IT governance is the responsibility of the board
    of directors and executive management

16
Practice Question
2-1 IT governance ensures that an organization
aligns its IT strategy with:
  A. enterprise objectives.
  B. IT objectives.
  C. audit objectives.
  D. control objectives.
17
2.3.1 Best Practices for IT Governance
  • IT governance is a structure of relationships

18
2.3.1 Best Practices for IT Governance (continued)
  • Audit Role in IT Governance
  • Audit plays a significant role in the successful
    implementation of IT governance within an
    organization
  • Reporting on IT governance involves auditing at
    the highest level in the organization and may
    cross division, functional or departmental
    boundaries

19
2.3.1 Best Practices for IT Governance (continued)
  • The organizational status and skill sets of the
    IS auditor should be considered for
    appropriateness with regard to the nature of the
    planned audit.
  • In accordance with the defined role of the IS
    auditor, the following aspects related to IT
    governance need to be assessed:
  • The IS function's alignment with the
    organization's mission, vision, values,
    objectives and strategies
  • The IS function's achievement of performance
    objectives established by the business
    (effectiveness and efficiency)
  • Legal, environmental, information quality, and
    fiduciary and security requirements
  • The control environment of the organization
  • The inherent risks within the IS environment

20
2.3.2 IT Strategy Committee
  • The creation of an IT strategy committee is an
    industry best practice
  • Committee should broaden its scope to include not
    only advice on strategy when assisting the board
    in its IT governance responsibilities, but also
    to focus on IT value, risks and performance

21
2.3.3 Standard IT Balanced Scorecard
  • A process management evaluation technique that
    can be applied to the IT governance process in
    assessing IT functions and processes
  • Method goes beyond the traditional financial
    evaluation
  • One of the most effective means to aid the IT
    strategy committee and management in achieving IT
    and business alignment

22
2.3.4 Information Security Governance
  • Focused activity with specific value drivers
  • Integrity of information
  • Continuity of services
  • Protection of information assets
  • Integral part of IT governance

23
2.3.4 Information Security Governance (continued)
  • Importance of Information Security Governance
  • Information security (Infosec) covers all
    information processes, physical and electronic,
    regardless of whether they involve people and
    technology or relationships with trading
    partners, customers and third parties.
    Information security is concerned with all
    aspects of information and its protection at all
    points of its life cycle within the organization.

24
2.3.4 Information Security Governance (continued)
  • Effective information security can add
    significant value to an organization by
  • Providing greater reliance on interactions with
    trading partners
  • Improving trust in customer relationships
  • Protecting the organization's reputation
  • Enabling new and better ways to process
    electronic transactions

25
2.3.4 Information Security Governance (continued)
  • Outcomes of Security Governance
  • Strategic alignment: align with business strategy
  • Risk management: manage and execute appropriate
    measures to mitigate risks
  • Value delivery: optimize security investments
  • Resource management: utilize information security
    knowledge and infrastructure efficiently and
    effectively
  • Performance measurement: measure, monitor and
    report on information security processes to
    ensure objectives are achieved

26
2.3.4 Information Security Governance (continued)
  • Effective Information Security Governance
  • To achieve effective information security
    governance, management must establish and
    maintain a framework to guide the development and
    management of a comprehensive information
    security program that supports business
    objectives
  • This framework provides the basis for the
    development of a cost-effective information
    security program that supports the organization's
    business goals.

27
2.3.4 Information Security Governance (continued)
  • Information security governance requires
    strategic direction and impetus from:
  • Boards of directors / senior management
  • Executive management
  • Steering committees
  • Chief information security officers

28
2.3.5 Enterprise Architecture
  • Involves documenting an organization's IT assets
    in a structured manner to facilitate
    understanding, management and planning for IT
    investments
  • Often involves both a current state and optimized
    future state representation

29
2.3.5 Enterprise Architecture (continued)
  • The Basic Zachman Framework

30
2.3.5 Enterprise Architecture (continued)
  • The Federal Enterprise Architecture (FEA)
    hierarchy
  • Performance
  • Business
  • Service component
  • Technical
  • Data

31
2.4.1 Strategic Planning
  • From an IS standpoint, strategic planning relates
    to the long-term direction an organization wants
    to take in leveraging information technology for
    improving its business processes
  • Effective IT strategic planning involves a
    consideration of the organization's demand for IT
    and its IT supply capacity

32
2.4.1 Strategic Planning (continued)
  • The IS auditor should pay attention to the
    importance of IT strategic planning
  • Focus on the importance of a strategic planning
    process or planning framework
  • Consider how the CIO or senior IT management are
    involved in the creation of the overall business
    strategy

33
Practice Question
2-2 Which of the following would be included in
an IS strategic plan?
  A. Specifications for planned hardware purchases
  B. Analysis of future business objectives
  C. Target dates for development projects
  D. Annual budgetary targets for the IS department
34
Practice Question
2-3 Which of the following BEST describes an IT
department's strategic planning process?
  A. The IT department will have either short-range
     or long-range plans depending on the
     organization's broader plans and objectives.
  B. The IT department's strategic plan must be
     time- and project-oriented, but not so detailed
     as to address and help determine priorities to
     meet business needs.
  C. Long-range planning for the IT department
     should recognize organizational goals,
     technological advances and regulatory
     requirements.
  D. Short-range planning for the IT department does
     not need to be integrated into the short-range
     plans of the organization since technological
     advances will drive the IT department plans
     much quicker than organizational plans.
35
2.4.2 Steering Committee
  • An organization's senior management should
    appoint a planning or steering committee to
    oversee the IS function and its activities
  • A high-level steering committee for information
    technology is an important factor in ensuring
    that the IS department is in harmony with the
    corporate mission and objectives

36
2.5.1 Policies
  • High-level documents
  • Represent the corporate philosophy of an
    organization
  • Must be clear and concise to be effective

37
2.5.1 Policies (continued)
  • Management should review all policies carefully
  • Policies need to be updated to reflect new
    technology and significant changes in business
    processes
  • Policies formulated must enable achievement of
    business objectives and implementation of IS
    controls

38
2.5.1 Policies (continued)
  • Information Security Policies
  • Communicate a coherent security standard to
    users, management and technical staff
  • Must balance the level of control with the level
    of productivity
  • Provide management the direction and support for
    information security in accordance with business
    requirements, relevant laws and regulations

39
2.5.1 Policies (continued)
  • Information Security Policy Document
  • Definition of information security
  • Statement of management intent
  • Framework for setting control objectives
  • Brief explanation of security policies
  • Definition of responsibilities
  • References to documentation

40
2.5.1 Policies (continued)
  • Review of the Information Security Policy
    Document
  • Should be reviewed at planned intervals or when
    significant changes occur to ensure its
    continuing suitability, adequacy and
    effectiveness
  • Should have an owner who has approved management
    responsibility for the development, review and
    evaluation of the security policy
  • Review should include assessing opportunities for
    improvement to the organization's information
    security policy

41
2.5.2 Procedures
  • Detailed documents
  • Must be derived from the parent policy
  • Must implement the spirit (intent) of the policy
    statement
  • Procedures must be written in a clear and concise
    manner
  • An independent review is necessary to ensure that
    policies and procedures have been properly
    documented, understood and implemented

42
2.6 Risk Management
  • The process of identifying vulnerabilities and
    threats to the information resources used by an
    organization in achieving business objectives

43
2.6.1 Developing a Risk Management Program
  • To develop a risk management program
  • Establish the purpose of the risk management
    program
  • Assign responsibility for the risk management plan

44
2.6.2 Risk Management Process
  • Identification and classification of information
    resources or assets that need protection
  • Assess threats and vulnerabilities and the
    likelihood of their occurrence
  • Once the elements of risk have been established,
    they are combined to form an overall view of risk

45
2.6.2 Risk Management Process
  • Once risks have been identified, existing
    controls can be evaluated or new controls
    designed to reduce the vulnerabilities to an
    acceptable level of risk
  • The remaining level of risk, once controls have
    been applied, is called residual risk and can be
    used by management to identify those areas in
    which more control is required to further reduce
    risk

46
2.6.2 Risk Management Process (continued)
  • IT risk management needs to operate at multiple
    levels, including:
  • Operational: risks that could compromise the
    effectiveness of IT systems and supporting
    infrastructure
  • Project: risk management needs to focus on the
    ability to understand and manage project
    complexity
  • Strategic: the risk focus shifts to
    considerations such as how well the IT capability
    is aligned with the business strategy

47
2.6.3 Risk Analysis Methods
  • Qualitative
  • Semiquantitative
  • Quantitative
  • Probability and expectancy
  • Annual loss expectancy method

48
2.6.3 Risk Analysis Methods (continued)
  • Management and IS auditors should keep in mind
    certain considerations:
  • Risk management should be applied to IT functions
    throughout the company
  • Senior management responsibility
  • Quantitative RM is preferred over qualitative
    approaches
  • Quantitative RM always faces the challenge of
    estimating risks
  • Quantitative RM provides more objective
    assumptions
  • The real complexity or the apparent
    sophistication of the methods or packages used
    should not be a substitute for common sense or
    professional diligence
  • Special care should be given to very high impact
    events, even if the probability of occurrence
    over time is very low.

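The analysis methods listed on the two slides above (semiquantitative scoring, the quantitative annual loss expectancy method, and the residual risk of 2.6.2) carried through in working code. This is an added example, not material from the course: the asset values, exposure factors, occurrence rates, control cost and the 1-to-5 scoring bands are all constructed assumptions. The last check illustrates the final consideration on the slide: a data-centre fire with a very low rate of occurrence ranks below laptop theft on ALE alone, so it is flagged on single-event loss independently of the ranking.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    asset_value: float      # value of the asset at risk, in currency units
    exposure_factor: float  # fraction of the asset value lost in one event (0.0 to 1.0)
    aro: float              # annualized rate of occurrence (expected events per year)

    @property
    def sle(self) -> float:
        """Single loss expectancy: the loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annual loss expectancy: SLE x ARO, the expected loss per year."""
        return self.sle * self.aro


# Constructed scenarios (assumed figures, not from the course material).
RISKS = [
    Risk("ransomware on file server", 500_000, 0.4, 0.5),
    Risk("laptop theft", 3_000, 1.0, 10.0),
    Risk("data centre fire", 5_000_000, 0.8, 0.005),
]


def qualitative_rating(likelihood: int, impact: int) -> str:
    """Semiquantitative method: ordinal 1-5 likelihood and impact scores
    combined into a band (assumed band boundaries), no currency involved."""
    score = likelihood * impact
    if score >= 15:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def rank_by_ale(risks):
    """Quantitative method: order risks by annual loss expectancy, highest first."""
    return [r.name for r in sorted(risks, key=lambda r: r.ale, reverse=True)]


def high_impact_outliers(risks, sle_threshold):
    """Very high impact, very low probability events can sit at the bottom of
    the ALE ranking; flag anything whose single-event loss exceeds the
    organization's tolerance threshold regardless of its ALE."""
    return [r.name for r in risks if r.sle >= sle_threshold]


def residual_risk(risk, aro_reduction, annual_control_cost):
    """ALE remaining after a control that cuts the ARO by a fraction, and the
    net annual benefit of that control (risk reduction minus its cost)."""
    residual = risk.ale * (1 - aro_reduction)
    return residual, risk.ale - residual - annual_control_cost


if __name__ == "__main__":
    for r in RISKS:
        print(f"{r.name}: SLE={r.sle:,.0f} ALE={r.ale:,.0f}")
    print("ranked by ALE:", rank_by_ale(RISKS))
    print("high-impact outliers:", high_impact_outliers(RISKS, 1_000_000))
    print("ransomware residual ALE and net benefit of a control:",
          residual_risk(RISKS[0], aro_reduction=0.7, annual_control_cost=30_000))
```

Management would treat the residual figure as the basis for deciding whether more control is required, and the outlier list as the set of risks that need explicit senior-management acceptance rather than a place in the ranking.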
49
2.7.1 Personnel Management
  • Hiring
  • Employee handbook
  • Promotion policies
  • Training
  • Scheduling and time reporting
  • Employee performance evaluations
  • Required vacations
  • Termination policies

50
2.7.2 Sourcing Practices
  • Sourcing practices relate to the way an
    organization obtains the IS function required to
    support the business
  • Organizations can perform all IS functions
    in-house or outsource all functions across the
    globe
  • Sourcing strategy should consider each IS
    function and determine which approach allows the
    IS function to meet the organization's goals

51
2.7.2 Sourcing Practices (continued)
  • Outsourcing Practices and Strategies
  • Contractual agreements under which an
    organization hands over control of part or all of
    the functions of the IS department to an external
    party
  • Becoming increasingly important in many
    organizations
  • The IS auditor must be aware of the various forms
    outsourcing can take as well as the associated
    risks

52
2.7.2 Sourcing Practices (continued)
  • Possible advantages
  • Commercial outsourcing companies likely to devote
    more time and focus more efficiently on a given
    project than in-house staff
  • Outsourcing vendors likely to have more
    experience with a wider array of problems, issues
    and techniques
  • Possible disadvantages
  • Costs exceeding customer expectations
  • Loss of internal IS experience
  • Loss of control over IS
  • Vendor failure

53
2.7.2 Sourcing Practices (continued)
  • Risks can be reduced by
  • Establishing measurable, partnership-enacted
    shared goals and rewards
  • Using multiple suppliers or withholding a piece
    of business as an incentive
  • Performing periodic competitive reviews and
    benchmarking/benchtrending
  • Implementing short-term contracts
  • Forming a cross-functional contract management
    team
  • Including contractual provisions to consider as
    many contingencies as can reasonably be foreseen

54
2.7.2 Sourcing Practices (continued)
  • Globalization Practices and Strategies
  • Requires management to actively oversee the
    remote or offshore locations
  • The IS auditor can assist an organization in
    moving IS functions offsite or offshore by
    ensuring that IS management considers the
    following
  • Legal, regulatory and tax issues
  • Continuity of operations
  • Personnel
  • Telecommunication issues
  • Cross-border and cross-cultural issues

55
2.7.2 Sourcing Practices (continued)
  • Governance in Outsourcing
  • Mechanism that allows organizations to transfer
    the delivery of services to third parties
  • Accountability remains with the management of the
    client organization
  • Transparency and ownership of the decision-making
    process must reside within the purview of the
    client

56
2.7.2 Sourcing Practices (continued)
  • Third-party Service Delivery Management
  • Every organization using the services of third
    parties should have a service delivery management
    system in place to implement and maintain the
    appropriate level of information security and
    service delivery in line with third-party service
    delivery agreements
  • The organization should check the implementation
    of agreements, monitor compliance with the
    agreements and manage changes to ensure that the
    services delivered meet all requirements agreed
    to with the third party.

57
2.7.3 Organizational Change Management
  • Change management is managing IT changes for the
    organization through a defined and documented
    process that identifies and applies technology
    improvements at the infrastructure and
    application level that are beneficial to the
    organization, involving all levels of the
    organization affected by the changes.

58
2.7.5 Quality Management
  • Software development, maintenance and
    implementation
  • Acquisition of hardware and software
  • Day-to-day operations
  • Service management
  • Security
  • Human resource management
  • General administration

59
Practice Question
2-4 The MOST important responsibility of a data
security officer in an organization is:
  A. recommending and monitoring data security
     policies.
  B. promoting security awareness within the
     organization.
  C. establishing procedures for IT security
     policies.
  D. administering physical and logical access
     controls.
60
Practice Question
2-5 Which of the following is MOST likely to be
performed by the security administrator?
  A. Approving the security policy
  B. Testing application software
  C. Ensuring data integrity
  D. Maintaining access rules
61
2.7.7 Performance Optimization
  • Process driven by performance indicators
  • Optimization refers to the process of improving
    the productivity of information systems to the
    highest level possible without unnecessary,
    additional investment in the IT infrastructure

62
2.7.7 Performance Optimization (continued)
  • Five ways to use performance measures
  • Measure products/services
  • Manage products/services
  • Assure accountability
  • Make budget decisions
  • Optimize performance

63
Practice Question
2-6 An IS auditor should ensure that IT
governance performance measures:
  A. evaluate the activities of IT oversight
     committees.
  B. provide strategic IT drivers.
  C. adhere to regulatory reporting standards and
     definitions.
  D. evaluate the IT department.
64
2.8 IS Organizational Structure and
Responsibilities
65
2.8.1 IS Roles and Responsibilities
  • Systems development manager
  • Help desk
  • End user
  • End user support manager

66
2.8.1 IS Roles and Responsibilities (continued)
  • Data management
  • Quality assurance manager
  • Vendor and outsourcer management
  • Operations manager

67
2.8.1 IS Roles and Responsibilities (continued)
  • Control group
  • Media management
  • Data entry
  • Systems administration

68
2.8.1 IS Roles and Responsibilities (continued)
  • Security administration
  • Quality assurance
  • Database administration

69
2.8.1 IS Roles and Responsibilities (continued)
  • Systems analyst
  • Security architect
  • Applications development and maintenance
  • Infrastructure development and maintenance
  • Network management

70
2.8.2 Segregation of Duties Within IS
  • Avoids possibility of errors or misappropriations
  • Discourages fraudulent acts
  • Limits access to data

71
2.8.2 Segregation of Duties Within IS (continued)
72
Practice Question
2-7 Which of the following tasks may be performed
by the same person in a well-controlled
information processing computer center?
  A. Security administration and change management
  B. Computer operations and system development
  C. System development and change management
  D. System development and systems maintenance
73
Practice Question
2-8 Which of the following is the MOST critical
control over database administration?
  A. Approval of DBA activities
  B. Segregation of duties
  C. Review of access logs and activities
  D. Review of the use of database tools
74
2.8.3 Segregation of Duties Controls
  • Control measures to enforce segregation of duties
    include
  • Transaction authorization
  • Custody of assets
  • Access to data
  • Authorization forms
  • User authorization tables

75
2.8.3 Segregation of Duties Controls (continued)
  • Compensating controls for lack of segregation of
    duties include
  • Audit trails
  • Reconciliation
  • Exception reporting
  • Transaction logs
  • Supervisory reviews
  • Independent reviews

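The two slides above list user authorization tables as an enforcing control and transaction logs with exception reporting as compensating controls. The following is an added example, not code from the course, showing both sides in working form: a preventive check of a user authorization table against a conflict matrix, and a detective exception report over a transaction log for supervisory review. The conflict matrix, the user table and the log lines are constructed; the matrix pairs the classic authorization, custody and recording duties from the slides, plus development against production operations.

```python
from itertools import combinations

# Constructed conflict matrix: pairs of duties that one person should not
# hold together (assumed for this example, not the course's own table).
SOD_CONFLICTS = {
    frozenset({"transaction_authorization", "custody_of_assets"}),
    frozenset({"transaction_authorization", "recording"}),
    frozenset({"custody_of_assets", "recording"}),
    frozenset({"system_development", "production_operations"}),
}

# Constructed user authorization table: user -> duties granted.
USER_DUTIES = {
    "alice": {"transaction_authorization"},
    "bob": {"recording", "custody_of_assets"},
    "carol": {"transaction_authorization", "recording"},
    "dave": {"system_development", "production_operations"},
}


def find_sod_violations(user_duties, conflicts=SOD_CONFLICTS):
    """Preventive check over the authorization table: return
    {user: [(duty_a, duty_b), ...]} for every conflicting pair a user holds."""
    violations = {}
    for user, duties in user_duties.items():
        hits = [tuple(sorted(pair))
                for pair in combinations(sorted(duties), 2)
                if frozenset(pair) in conflicts]
        if hits:
            violations[user] = sorted(hits)
    return violations


# Constructed transaction log entries: (transaction id, action, user).
TRANSACTION_LOG = [
    ("T1", "authorize", "alice"), ("T1", "record", "bob"),
    ("T2", "authorize", "carol"), ("T2", "record", "carol"),
    ("T3", "authorize", "carol"), ("T3", "record", "bob"),
]


def exception_report(log):
    """Detective (compensating) control: from the transaction log, list the
    transactions in which one user both authorized and recorded, so a
    supervisor can review them even where the table could not be fixed."""
    actors = {}
    for txn_id, action, user in log:
        actors.setdefault(txn_id, {}).setdefault(action, set()).add(user)
    return sorted(txn for txn, acts in actors.items()
                  if acts.get("authorize", set()) & acts.get("record", set()))


if __name__ == "__main__":
    for user, pairs in find_sod_violations(USER_DUTIES).items():
        print(f"{user}: conflicting duties {pairs}")
    print("transactions needing supervisory review:",
          exception_report(TRANSACTION_LOG))
```

Carol holds two conflicting duties and also exercised both on T2, which is exactly the case the exception report is meant to surface when, as in a small organization, the authorization table cannot be cleaned up by adding staff.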
76
Practice Question
2-9 When a complete segregation of duties cannot
be achieved in an online system environment,
which of the following functions should be
separated from the others?
  A. Origination
  B. Authorization
  C. Recording
  D. Correction
77
Practice Question
2-10 In a small organization, where segregation
of duties is not practical, an employee performs
the function of computer operator and application
programmer. Which of the following controls
should an IS auditor recommend?
  A. Automated logging of changes to development
     libraries
  B. Additional staff to provide segregation of
     duties
  C. Procedures that verify that only approved
     program changes are implemented
  D. Access controls to prevent the operator from
     making program modifications
78
2.9 Auditing IT Governance Structure and
Implementation
  • Indicators of potential problems include
  • Unfavorable end-user attitudes
  • Excessive costs
  • Budget overruns
  • Late projects
  • High staff turnover
  • Inexperienced staff
  • Frequent hardware/software errors

79
2.9.1 Reviewing Documentation
  • The following documents should be reviewed
  • IT strategies, plans and budgets
  • Security policy documentation
  • Organization/functional charts
  • Job descriptions
  • Steering committee reports
  • System development and program change procedures
  • Operations procedures
  • Human resource manuals
  • Quality assurance procedures

80
2.9.2 Reviewing Contractual Commitments
  • There are various phases to computer hardware,
    software and IS service contracts, including:
  • Development of contract requirements and service
    levels
  • Contract bidding process
  • Contract selection process
  • Contract acceptance
  • Contract maintenance
  • Contract compliance