ISACA

1
ISACA
The recognized global leader in IT
governance, control, security and assurance
2
Chapter 2IT Governance
2008 CISA? Review Course
3
Chapter Outline
2.1 Introduction 2.2 Corporate
governance 2.3 Monitoring and assurance
practices for board and executive management 2.4
Information systems strategy 2.5 Policies
and procedures 2.6 Risk management 2.7 IS
management practices 2.8 IS organizational
structure and responsibilities 2.9 Auditing IT
governance structure and implementation 2.10
Case study
4
2.1.1 Course Objectives

• Review outline of chapter
• Discuss Task and Knowledge Statements
• Discuss specific topics within the chapter
• Case studies
• Sample questions

5
Exam Relevance
Ensure that the CISA candidate Understands
and can provide assurance that the organization
has the structure, policies, accountability
mechanisms and monitoring practices in place to
achieve the requirements of corporate governance
of IT. The content area in this
chapter will represent approximately 15
of the CISA examination (approximately
30 questions).
6
2.1.2 Chapter 2 Task Statements
T2.1 Evaluate the effectiveness of IT governance
structure to ensure adequate board control over
the decisions, directions and performance of IT,
so it supports the organizations strategies and
objectives. T2.2 Evaluate IT organizational
structure and human resources (personnel)
management to ensure that they support the
organizations strategies and objectives. T2.3
Evaluate the IT strategy and process for their
development, approval, implementation and
maintenance to ensure that they support the
organizations strategies and objectives.
7
2.1.2 Chapter 2 Task Statements (continued)
T2.4 Evaluate the organizations IT policies,
standards, procedures and processes for their
development, approval, implementation and
maintenance to ensure that they support the IT
strategy and comply with regulatory and legal
requirements. T2.5 Evaluate management practices
to ensure compliance with the organizations IT
strategy, policies, standards and procedures.
T2.6 Evaluate IT resource investment, use and
allocation practices to ensure alignment with the
organizations strategies and objectives.
8
2.1.2 Chapter 2 Task Statements (continued)
T2.7 Evaluate IT contracting strategies and
policies and contract management practices to
ensure that they support the organizations
strategies and objectives. T2.8 Evaluate risk
management practices to ensure that the
organizations IT-related risks are properly
managed. T2.9 Evaluate monitoring and assurance
practices to ensure that the board and executive
management receive sufficient and timely
information about IT performance.
9
2.1.3 Chapter 2 Knowledge Statements
KS2.1 Knowledge of the purpose of IT strategies,
policies, standards and procedures for an
organization and the essential elements of each
KS2.2 Knowledge of IT governance
frameworks KS2.3 Knowledge of the processes for
the development, implementation and maintenance
of IT strategies, policies, standards and
procedures (e.g., protection of information
assets, business continuity and disaster
recovery, systems and infrastructure life cycle
management, and IT service delivery and support)
10
2.1.3 Chapter 2 Knowledge Statements (continued)
KS2.4 Knowledge of quality management strategies
and policies KS2.5 Knowledge of organizational
structure, roles and responsibilities related to
the use and management of IT KS2.6 Knowledge of
generally accepted international IT standards and
guidelines KS2.7 Knowledge of enterprise IT
architecture and its implications for setting
long-term strategic decisions
11
2.1.3 Chapter 2 Knowledge Statements (continued)
KS2.8 Knowledge of risk management methodologies
and tools KS2.9 Knowledge of the use of control
frameworks (e.g., COBIT, COSO, ISO
17799) KS2.10 Knowledge of the use of maturity
and process improvement models (e.g., Capability
Maturity Model CMM, COBIT) KS2.11 Knowledge of
contracting strategies, processes and contract
management practices KS2.12 Knowledge of
practices for monitoring and reporting of IT
performance (e.g., balanced scorecards, key
performance indicators KPIs)
12
2.1.3 Chapter 2 Knowledge Statements (continued)
KS2.13 Knowledge of relevant legislative and
regulatory issues (e.g., privacy, intellectual
property, corporate governance requirements)
KS2.14 Knowledge of IT human resources
(personnel) management KS2.15 Knowledge of IT
resource investment and allocation practices
(e.g., portfolio management, return on
investment ROI)
13
2.2 Corporate Governance

• Ethical corporate behavior by directors or others
  charged with governance in the creation and
  presentation of wealth for all stakeholders
• The distribution of rights and responsibilities
  among different participants in the corporation,
  such as board, managers, shareholders and other
  stakeholders
• Establishment of rules to manage and report on
  business risks

14
2.3 Monitoring and AssurancePractices for Board
and Executive Management

• Enterprises are governed by generally accepted
  good or best practices, the assurance of which is
  provided by certain controls. From these
  practices flows the organizations direction,
  which indicates certain activities using the
  organizations resources. The results of these
  activities are measured and reported on,
  providing input to the cyclical revision and
  maintenance of controls.
• IT is also governed by good or best practices
  that ensure that the organizations information
  and related technology support its business
  objectives, its resources are used responsibly,
  and its risks are managed appropriately.

15
2.3 Monitoring and AssurancePractices for Board
and Executive Management (continued)

• Effective enterprise governance focuses
  individual and group expertise and experience on
  specific areas where they can be most effective
• IT governance is concerned with two issues that
  IT delivers value to the business and that IT
  risks are managed
• IT governance is the responsibility of the board
  of directors and executive management

16
Practice Question
2-1 IT governance ensures that an organization
aligns its IT strategy with A. enterprise
objectives. B. IT objectives. C. audit
objectives. D. control objectives.
17
2.3.1 Best Practices for IT Governance

• IT governance is a structure of relationships

18
2.3.1 Best Practices for IT Governance (continued)

• Audit Role in IT Governance
• Audit plays a significant role in the successful
  implementation of IT governance within an
  organization
• Reporting on IT governance involves auditing at
  the highest level in the organization and may
  cross division, functional or departmental
  boundaries

19
2.3.1 Best Practices for IT Governance (continued)

• The organizational status and skill sets of the
  IS auditor should be considered for
  appropriateness with regard to the nature of the
  planned audit.
• In accordance with the defined role of the IS
  auditor, the following aspects related to IT
  governance need to be assessed
• The IS functions alignment with the
  organizations mission, vision, values,
  objectives and strategies
• The IS functions achievement of performance
  objectives established by the business
  (effectiveness and efficiency)
• Legal, environmental, information quality, and
  fiduciary and security requirements
• The control environment of the organization
• The inherent risks within the IS environment

20
2.3.2 IT Strategy Committee

• The creation of an IT strategy committee is an
  industry best practice
• Committee should broaden its scope to include not
  only advice on strategy when assisting the board
  in its IT governance responsibilities, but also
  to focus on IT value, risks and performance

21
2.3.3 Standard IT Balanced Scorecard

• A process management evaluation technique that
  can be applied to the IT governance process in
  assessing IT functions and processes
• Method goes beyond the traditional financial
  evaluation
• One of the most effective means to aid the IT
  strategy committee and management in achieving IT
  and business alignment

22
2.3.4 Information Security Governance

• Focused activity with specific value drivers
• Integrity of information
• Continuity of services
• Protection of information assets
• Integral part of IT governance

23
2.3.4 Information Security Governance (continued)

• Importance of Information Security Governance
• Information security (Infosec) covers all
  information processes, physical and electronic,
  regardless of whether they involve people and
  technology or relationships with trading
  partners, customers and third parties.
  Information security is concerned with all
  aspects of information and its protection at all
  points of its life cycle within the organization.

24
2.3.4 Information Security Governance (continued)

• Effective information security can add
  significant value to an organization by
• Providing greater reliance on interactions with
  trading partners
• Improving trust in customer relationships
• Protecting the organizations reputation
• Enabling new and better ways to process
  electronic transactions

25
2.3.4 Information Security Governance (continued)

• Outcomes of Security Governance
• Strategic alignmentalign with business strategy
• Risk managementmanage and execute appropriate
  measures to mitigate risks
• Value deliveryoptimize security investments
• Resource managementutilize information security
  knowledge and infrastructure efficiently and
  effectively
• Performance measurementmeasure, monitor and
  report on information security processes to
  ensure objectives are achieved

26
2.3.4 Information SecurityGovernance (continued)

• Effective Information Security Governance
• To achieve effective information security
  governance, management must establish and
  maintain a framework to guide the development and
  management of a comprehensive information
  security program that supports business
  objectives
• This framework provides the basis for the
  development of a cost-effective information
  security program that supports the organizations
  business goals.

27
2.3.4 Information SecurityGovernance (continued)

• Information security governance requires
• strategic direction and impetus from
• Boards of directors / senior management
• Executive management
• Steering committees
• Chief information security officers

28
2.3.5 Enterprise Architecture

• Involves documenting an organizations IT assets
  in a structured manner to facilitate
  understanding, management and planning for IT
  investments
• Often involves both a current state and optimized
  future state representation

29
2.3.5 Enterprise Architecture (continued)

• The Basic Zachman Framework

30
2.3.5 EnterpriseArchitecture (continued)

• The Federal Enterprise Architecture (FEA)
  hierarchy
• Performance
• Business
• Service component
• Technical
• Data

31
2.4.1 Strategic Planning

• From an IS standpoint, strategic planning relates
  to the long-term direction an organization wants
  to take in leveraging information technology for
  improving its business processes
• Effective IT strategic planning involves a
  consideration of the organizations demand for IT
  and its IT supply capacity

32
2.4.1 Strategic Planning(continued)

• The IS auditor should pay attention to the
  importance of IT strategic planning
• Focus on the importance of a strategic planning
  process or planning framework
• Consider how the CIO or senior IT management are
  involved in the creation of the overall business
  strategy

33
Practice Question
2-2 Which of the following would be included in
an IS strategic plan? A. Specifications for
planned hardware purchases B. Analysis of future
business objectives C. Target dates for
development projects D. Annual budgetary targets
for the IS department
34
Practice Question
2-3 Which of the following BEST describes an IT
departments strategic planning process? A. The
IT department will have either short-range or
long-range plans depending on the organizations
broader plans and objectives. B. The IT
departments strategic plan must be time- and
project-oriented, but not so detailed as to
address and help determine priorities to meet
business needs. C. Long-range planning for the IT
department should recognize organizational goals,
technological advances and regulatory
requirements. D. Short-range planning for the IT
department does not need to be integrated into
the short-range plans of the organization since
technological advances will drive the IT
department plans much quicker than organizational
plans.
35
2.4.2 Steering Committee

• An organizations senior management should
  appoint a planning or steering committee to
  oversee the IS function and its activities
• A high-level steering committee for information
  technology is an important factor in ensuring
  that the IS department is in harmony with the
  corporate mission and objectives

36
2.5.1 Policies

• High-level documents
• Represent the corporate philosophy of an
  organization
• Must be clear and concise to be effective

37
2.5.1 Policies (continued)

• Management should review all policies carefully
• Policies need to be updated to reflect new
  technology and significant changes in business
  processes
• Policies formulated must enable achievement of
  business objectives and implementation of IS
  controls

38
2.5.1 Policies (continued)

• Information Security Policies
• Communicate a coherent security standard to
  users, management and technical staff
• Must balance the level of control with the level
  of productivity
• Provide management the direction and support for
  information security in accordance with business
  requirements, relevant laws and regulations

39
2.5.1 Policies (continued)

• Information Security Policy Document
• Definition of information security
• Statement of management intent
• Framework for setting control objectives
• Brief explanation of security policies
• Definition of responsibilities
• References to documentation

40
2.5.1 Policies (continued)

• Review of the Information Security Policy
  Document
• Should be reviewed at planned intervals or when
  significant changes occur to ensure its
  continuing suitability, adequacy and
  effectiveness
• Should have an owner who has approved management
  responsibility for the development, review and
  evaluation of the security policy
• Review should include assessing opportunities for
  improvement to the organizations information
  security policy

41
2.5.2 Procedures

• Detailed documents
• Must be derived from the parent policy
• Must implement the spirit (intent) of the policy
  statement
• Procedures must be written in a clear and concise
  manner
• An independent review is necessary to ensure that
  policies and procedures have been properly
  documented, understood and implemented

42
2.6 Risk Management

• The process of identifying vulnerabilities and
  threats to the information resources used by an
  organization in achieving business objectives

43
2.6.1 Developing a Risk Management Program

• To develop a risk management program
• Establish the purpose of the risk management
  program
• Assign responsibility for the risk management plan

44
2.6.2 Risk Management Process

• Identification and classification of information
  resources or assets that need protection
• Assess threats and vulnerabilities and the
  likelihood of their occurrence
• Once the elements of risk have been established
  they are combined to form an overall view of risk

45
2.6.2 Risk Management Process

• Once risks have been identified, existing
  controls can be evaluated or new controls
  designed to reduce the vulnerabilities to an
  acceptable level of risk
• The remaining level of risk, once controls have
  been applied, is called residual risk and can be
  used by management to identify those areas in
  which more control is required to further reduce
  risk

46
2.6.2 Risk Management Process (continued)

• IT risk management needs to operate at
• multiple levels including
• OperationalRisks that could compromise the
  effectiveness of IT systems and supporting
  infrastructure
• ProjectRisk management needs to focus on the
  ability to understand and manage project
  complexity
• StrategicThe risk focus shifts to considerations
  such as how well the IT capability is aligned
  with the business strategy

47
2.6.3 Risk Analysis Methods

• Qualitative
• Semiquantitative
• Quantitative
• Probability and expectancy
• Annual loss expectancy method

48
2.6.3 Risk Analysis Methods (continued)

• Management and IS auditors should keep in
• mind certain considerations
• Risk management should be applied to IT functions
  throughout the company
• Senior management responsibility
• Quantitative RM is preferred over qualitative
  approaches
• Quantitative RM always faces the challenge of
  estimating risks
• Quantitative RM provides more objective
  assumptions
• The real complexity or the apparent
  sophistication of the methods or packages used
  should not be a substitute for commonsense or
  professional diligence
• Special care should be given to very high impact
  events, even if the probability of occurrence
  over time is very low.

49
2.7.1 Personnel Management

• Hiring
• Employee handbook
• Promotion policies
• Training
• Scheduling and time reporting
• Employee performance evaluations
• Required vacations
• Termination policies

50
2.7.2 Sourcing Practices

• Sourcing practices relate to the way an
  organization obtains the IS function required to
  support the business
• Organizations can perform all IS functions
  in-house or outsource all functions across the
  globe
• Sourcing strategy should consider each IS
  function and determine which approach allows the
  IS function to meet the organizations goals

51
2.7.2 Sourcing Practices (continued)

• Outsourcing Practices and Strategies
• Contractual agreements under which an
  organization hands over control of part or all of
  the functions of the IS department to an external
  party
• Becoming increasingly important in many
  organizations
• The IS auditor must be aware of the various forms
  outsourcing can take as well as the associated
  risks

52
2.7.2 Sourcing Practices (continued)

• Possible advantages
• Commercial outsourcing companies likely to devote
  more time and focus more efficiently on a given
  project than in-house staff
• Outsourcing vendors likely to have more
  experience with a wider array of problems, issues
  and techniques
• Possible disadvantages
• Costs exceeding customer expectations
• Loss of internal IS experience
• Loss of control over IS
• Vendor failure

53
2.7.2 Sourcing Practices (continued)

• Risks can be reduced by
• Establishing measurable, partnership-enacted
  shared goals and rewards
• Using multiple suppliers or withholding a piece
  of business as an incentive
• Performing periodic competitive reviews and
  benchmarking/benchtrending
• Implementing short-term contracts
• Forming a cross-functional contract management
  team
• Including contractual provisions to consider as
  many contingencies as can reasonably be foreseen

54
2.7.2 Sourcing Practices (continued)

• Globalization Practices and Strategies
• Requires management to actively oversee the
  remote or offshore locations
• The IS auditor can assist an organization in
  moving IS functions offsite or offshore by
  ensuring that IS management considers the
  following
• Legal, regulatory and tax issues
• Continuity of operations
• Personnel
• Telecommunication issues
• Cross-border and cross-cultural issues

55
2.7.2 Sourcing Practices (continued)

• Governance in Outsourcing
• Mechanism that allows organizations to transfer
  the delivery of services to third parties
• Accountability remains with the management of the
  client organization
• Transparency and ownership of the decision-making
  process must reside within the purview of the
  client

56
2.7.2 Sourcing Practices (continued)

• Third-party Service Delivery Management
• Every organization using the services of third
  parties should have a service delivery management
  system in place to implement and maintain the
  appropriate level of information security and
  service delivery in line with third-party service
  delivery agreements
• The organization should check the implementation
  of agreements, monitor compliance with the
  agreements and manage changes to ensure that the
  services delivered meet all requirements agreed
  to with the third party.

57
2.7.3 OrganizationalChange Management

• Change management is managing IT changes for the
  organization, where a defined and documented
  process exists to identify and apply technology
  improvements at the infrastructure and
  application level that are beneficial to the
  organization and involving all levels of the
  organization impacted by the changes.

58
2.7.5 Quality Management

• Software development, maintenance and
  implementation
• Acquisition of hardware and software
• Day-to-day operations
• Service management
• Security
• Human resource management
• General administration

59
Practice Question
2-4 The MOST important responsibility of a data
security officer in an organization is A.
recommending and monitoring data security
policies. B. promoting security awareness within
the organization. C. establishing procedures for
IT security policies. D. administering physical
and logical access controls.
60
Practice Question
2-5 Which of the following is MOST likely to be
performed by the security administrator? A.
Approving the security policy B. Testing
application software C. Ensuring data
integrity D. Maintaining access rules
61
2.7.7 Performance Optimization

• Process driven by performance indicators
• Optimization refers to the process of improving
  the productivity of information systems to the
  highest level possible without unnecessary,
  additional investment in the IT infrastructure

62
2.7.7 Performance Optimization (continued)

• Five ways to use performance measures
• Measure products/services
• Manage products/services
• Assure accountability
• Make budget decisions
• Optimize performance

63
Practice Question
2-6 An IS auditor should ensure that IT
governance performance measures A. evaluate the
activities of IT oversight committees. B. provide
strategic IT drivers. C. adhere to regulatory
reporting standards and definitions. D. evaluate
the IT department.
64
2.8 IS Organizational Structure and
Responsibilities
65
2.8.1 IS Roles and Responsibilities

• Systems development manager
• Help desk
• End user
• End user support manager

66
2.8.1 IS Roles and Responsibilities (continued)

• Data management
• Quality assurance manager
• Vendor and outsourcer management
• Operations manager

67
2.8.1 IS Roles and Responsibilities (continued)

• Control group
• Media management
• Data entry
• Systems administration

68
2.8.1 IS Roles and Responsibilities (continued)

• Security administration
• Quality assurance
• Database administration

69
2.8.1 IS Roles and Responsibilities (continued)

• Systems analyst
• Security architect
• Applications development and maintenance
• Infrastructure development and maintenance
• Network management

70
2.8.2 Segregation of Duties Within IS

• Avoids possibility of errors or misappropriations
• Discourages fraudulent acts
• Limits access to data

71
2.8.2 Segregation of DutiesWithin IS (continued)
72
Practice Question
2-7 Which of the following tasks may be performed
by the same person in a well-controlled
information processing computer center? A.
Security administration and change management B.
Computer operations and system development C.
System development and change management D.
System development and systems maintenance
73
Practice Question
2-8 Which of the following is the MOST critical
control over database administration? A.
Approval of DBA activities B. Segregation of
duties C. Review of access logs and
activities D. Review of the use of database tools
74
2.8.3 Segregation of Duties Controls

• Control measures to enforce segregation of duties
  include
• Transaction authorization
• Custody of assets
• Access to data
• Authorization forms
• User authorization tables

75
2.8.3 Segregation of DutiesControls (continued)

• Compensating controls for lack of segregation of
  duties include
• Audit trails
• Reconciliation
• Exception reporting
• Transaction logs
• Supervisory reviews
• Independent reviews

76
Practice Question
2-9 When a complete segregation of duties cannot
be achieved in an online system environment,
which of the following functions should be
separated from the others? A. Origination B.
Authorization C. Recording D. Correction
77
Practice Question
2-10 In a small organization, where segregation
of duties is not practical, an employee performs
the function of computer operator and application
programmer. Which of the following controls
should an IS auditor recommend? A. Automated
logging of changes to development libraries B.
Additional staff to provide segregation of
duties C. Procedures that verify that only
approved program changes are implemented D.
Access controls to prevent the operator from
making program modifications
78
2.9 Auditing IT GovernanceStructure and
Implementation

• Indicators of potential problems include
• Unfavorable end-user attitudes
• Excessive costs
• Budget overruns
• Late projects
• High staff turnover
• Inexperienced staff
• Frequent hardware/software errors

79
2.9.1 Reviewing Documentation

• The following documents should be reviewed
• IT strategies, plans and budgets
• Security policy documentation
• Organization/functional charts
• Job descriptions
• Steering committee reports
• System development and program change procedures
• Operations procedures
• Human resource manuals
• Quality assurance procedures

80
2.9.2 Reviewing Contractual Commitments

• There are various phases to computer hardware,
• software and IS service contracts, including
• Development of contract requirements and service
  levels
• Contract bidding process
• Contract selection process
• Contract acceptance
• Contract maintenance
• Contract compliance