0
2007 CISA   Review Course Chapter 2 IT Governance
Chapter Overview <ul><li>Corporate Governance </li></ul><ul><li>IT Governance </li></ul><ul><li>Information Systems Strate...
Chapter Objective <ul><li>Ensure that the CISA candidate… </li></ul><ul><li>“ understands and can provide assurance  </li>...
Chapter Summary <ul><li>According to the CISA Certification  Board, this Content Area will represent approximately 15% of ...
2.1  Corporate Governance <ul><ul><li>Ethical corporate behavior by directors or others charged with governance in the cre...
Corporate Governance <ul><li>Corporate governance is a set of responsibilities and practices used by an organization’s man...
Corporate Governance <ul><li>ITGI Best Practices for Corporate Governance </li></ul><ul><li>IT governance is the responsib...
2.2  Monitoring and Assurance Practices for   Board  a nd Executive Management <ul><li>IT Governance encompasses: </li></u...
<ul><li>IT governance ensures that an organization aligns its IT strategy with: </li></ul><ul><li>A. enterprise objectives...
<ul><li>An IS auditor should ensure that IT governance performance measures,: </li></ul><ul><li>A. evaluate the activities...
Monitoring and Assurance Practices for Board  and E xecutive Management <ul><li>IT governance is a structure of relationsh...
Monitoring and Assurance Practices for   Board  a nd Executive Management <ul><li>Audit Role in IT Governance: </li></ul><...
Monitoring and Assurance Practices for Board and Executive Management <ul><li>IT Strategy committee </li></ul><ul><li>Is a...
Monitoring and Assurance Practices for Board  and Executive Management <ul><li>Risk Management </li></ul><ul><li>Dependent...
Monitoring and Assurance Practices for Board  and Executive Management <ul><li>Standard IT Balanced Score Card: </li></ul>...
Monitoring and Assurance Practices for Board  and Executive Management <ul><li>Standard IT Balanced Score Card </li></ul><...
Monitoring and Assurance Practices for Board  and Executive Management <ul><li>Standard IT Balanced Score Card </li></ul><...
Monitoring and Assurance Practices for Board and Executive Management <ul><li>Standard IT Balanced Score Card </li></ul><u...
Monitoring and Assurance Practices for Board and Executive Management <ul><li>Information Security Governance </li></ul><u...
Monitoring and Assurance Practices for Board and Executive Management <ul><li>Importance of  Information Security Governan...
Monitoring and Assurance Practices for Board and Executive Management <ul><li>Importance of  Information Security Governan...
Monitoring and Assurance Practices for Board and Executive Management <ul><li>Outcomes of  Security Governance </li></ul><...
Monitoring and Assurance Practices for Board and Executive Management <ul><li>Effective Information Security Governance </...
Monitoring and Assurance Practices for Board and Executive Management <ul><li>Information Security Governance – roles and ...
Monitoring and Assurance Practices for Board and Executive Management <ul><li>Enterprise Architecture </li></ul><ul><li>In...
Monitoring and Assurance Practices for Board and Executive Management <ul><li>Enterprise Architecture </li></ul><ul><li>Ba...
Monitoring and Assurance Practices for Board and Executive Management <ul><li>Enterprise Architecture </li></ul><ul><li>Th...
2.3  Information Systems Strategy <ul><li>Strategic Planning </li></ul><ul><li>From an information systems standpoint it r...
Information Systems Strategy <ul><li>Steering Committee(s) </li></ul><ul><li>The organization’s senior management should a...
Information Systems Strategy <ul><li>Planning / Steering Committee </li></ul><ul><ul><li>Review Board for major IS project...
<ul><li>Which of the following would be included in an IS strategic plan? </li></ul><ul><li>A. Specifications for planned ...
<ul><li>Which of the following BEST describes an IT department’s strategic planning process? </li></ul><ul><li>A. The IT d...
2.4  Policies and Procedures <ul><li>Policies </li></ul><ul><ul><li>High level </li></ul></ul><ul><ul><li>Low level </li><...
Policies and Procedures <ul><li>Policies </li></ul><ul><li>Policies  are  high-level  documents. They represent the corpor...
Policies and Procedures <ul><li>Information Security Policy   </li></ul><ul><li>Information security policy provides manag...
Policies and Procedures <ul><li>Information Security Policy Document </li></ul><ul><li>Definition of information security ...
Policies and Procedures <ul><li>Review of Information Security Policy   </li></ul><ul><li>Input of management review </li>...
Policies and Procedures <ul><li>Review of Information Security Policy   </li></ul><ul><li>Output from management review </...
Policies and Procedures <ul><li>Procedures   </li></ul><ul><li>Procedures are detailed documents. They must be derived fro...
2.5  Risk Management <ul><li>The process of identifying vulnerabilities and threats to the information resources used by a...
Risk Management <ul><li>Developing a Risk Management Program </li></ul><ul><ul><li>Establish the purpose of the risk manag...
Risk Management <ul><li>Risk Management Process </li></ul><ul><ul><li>Identification and classification of information res...
Risk Management <ul><li>IT risk management needs to operate at multiple levels including: </li></ul><ul><li>Operation : ri...
<ul><li>Risk Analysis Methods : </li></ul><ul><li>Qualitative and Quantitative </li></ul><ul><ul><li>Are the simplest and ...
<ul><li>Management and IS auditors should keep in mind certain considerations: </li></ul><ul><li>Should be applied to IT f...
<ul><li>Personnel Management </li></ul><ul><ul><li>Hiring practices </li></ul></ul><ul><ul><li>Employee handbook </li></ul...
<ul><li>Personnel Management </li></ul><ul><ul><li>Scheduling and time reporting </li></ul></ul><ul><ul><li>Employee perfo...
<ul><li>Outsourcing Practices (Service Level Agreements) </li></ul><ul><ul><li>Reasons for embarking on outsourcing </li><...
<ul><li>Strategies in Audit of Outsourcing </li></ul><ul><ul><li>Third Party Audit Report </li></ul></ul><ul><ul><li>Perio...
<ul><ul><li>Capacity and growth planning </li></ul></ul><ul><li>Given the strategic importance of IT in companies and the ...
<ul><ul><li>Third-party Service Delivery Management </li></ul></ul><ul><ul><li>Service delivery </li></ul></ul><ul><ul><li...
<ul><ul><li>Organizational Change management </li></ul></ul><ul><li>Change management is managing IT changes for the organ...
<ul><ul><li>Financial Management Practices </li></ul></ul><ul><li>Financial management is a critical element of all busine...
<ul><li>Quality Management </li></ul><ul><ul><li>Software development, maintenance and implementation </li></ul></ul><ul><...
<ul><li>Standards to Assist the Organization </li></ul><ul><ul><li>ISO standard interpretation </li></ul></ul><ul><ul><li>...
<ul><li>Information Security Management   </li></ul><ul><li>Performance Optimization </li></ul><ul><li>The broad phases of...
2.7  IS Organizational Structure and  r esponsibilities
<ul><li>IS Roles & Responsibilities </li></ul><ul><ul><ul><li>Systems Development Manager </li></ul></ul></ul><ul><ul><ul>...
<ul><li>IS Roles & Responsibilities </li></ul><ul><ul><li>Control group </li></ul></ul><ul><ul><li>Media management </li><...
<ul><li>IS Roles & Responsibilities </li></ul><ul><ul><li>Systems analysis </li></ul></ul><ul><ul><li>Security Architect <...
<ul><li>Segregation of Duties  Within IS </li></ul><ul><ul><li>Avoids possibility of errors or misappropriations </li></ul...
IS Organizational Structure and Responsibilities
<ul><li>Which of the following tasks may be performed by the same person in a well-controlled information processing compu...
<ul><li>Which of the following is the MOST critical control over database administration? </li></ul><ul><li>A.  Approval o...
<ul><li>The  MOST  important responsibility of a data security officer in an organization is:  </li></ul><ul><li>A. recomm...
<ul><li>When a complete segregation of duties cannot be achieved in an online system environment, which of the following f...
<ul><li>In a small organization, where segregation of duties is not practical, an employee performs the function of comput...
<ul><li>Which of the following is  MOST  likely to be performed by the security administrator? </li></ul><ul><li>A. Approv...
<ul><li>Segregation of Duties Controls </li></ul><ul><ul><li>Transaction authorization </li></ul></ul><ul><ul><li>Custody ...
<ul><li>Compensating controls for Lack of Segregation of Duties </li></ul><ul><ul><li>Audit trails </li></ul></ul><ul><ul>...
<ul><li>Indicators of potential problems include:   </li></ul><ul><li>Unfavorable end-user attitudes </li></ul><ul><li>Exc...
<ul><li>Indicators of potential problems include (cont.): </li></ul><ul><li>Numerous aborted or suspended development proj...
<ul><li>Reviewing Documentation </li></ul><ul><li>Reviewing Contractual Commitments   </li></ul>Auditing IT Governance Str...
<ul><li>Reviewing Documentation </li></ul><ul><ul><li>IT strategies, plans and budgets </li></ul></ul><ul><ul><li>Security...
<ul><li>Reviewing  Contractual Commitments </li></ul><ul><ul><li>Development of contract requirements </li></ul></ul><ul><...
<ul><li>IS Auditor review draft of outsourcing contract and SLA and recommend changes prior ti thees being sent to senior ...
<ul><li>Which of the following should be of MOST concern to the IS auditor?   </li></ul><ul><li>A. User account changes ar...
<ul><li>Which of the following would be the  MOST  significant issue to address if the servers contain personally identifi...
Upcoming SlideShare
Loading in...5
×

Chap2 2007 Cisa Review Course

2,447

Published on

Transcript of "Chap2 2007 Cisa Review Course"

  1. 1. 2007 CISA  Review Course Chapter 2 IT Governance
  2. 2. Chapter Overview <ul><li>Corporate Governance </li></ul><ul><li>IT Governance </li></ul><ul><li>Information Systems Strategy </li></ul><ul><li>Policies and Procedures </li></ul><ul><li>Risk Management </li></ul><ul><li>Information Systems Management Practices </li></ul><ul><li>IS Organizational Structure and Responsibilities </li></ul><ul><li>Auditing the Management, Planning and Organization of IS </li></ul>
  3. 3. Chapter Objective <ul><li>Ensure that the CISA candidate… </li></ul><ul><li>“ understands and can provide assurance </li></ul><ul><li>that the organization has the structure, </li></ul><ul><li>policies, accountability mechanisms </li></ul><ul><li>and monitoring practices in place to </li></ul><ul><li>achieve the requirements of </li></ul><ul><li>corporate governance of IT.” </li></ul>
  4. 4. Chapter Summary <ul><li>According to the CISA Certification Board, this Content Area will represent approximately 15% of the CISA examination. (approximately 30 questions) </li></ul>
  5. 5. 2.1 Corporate Governance <ul><ul><li>Ethical corporate behavior by directors or others charged with governance in the creation and presentation for all stakeholders </li></ul></ul><ul><ul><li>Establishment of rules in managing and reporting business risks </li></ul></ul><ul><ul><li>IT governance </li></ul></ul>
  6. 6. Corporate Governance <ul><li>Corporate governance is a set of responsibilities and practices used by an organization’s management to provide strategic direction, thereby ensuring that goals are achievable, risks are properly addressed and organizational resources are properly utilized. </li></ul>
  7. 7. Corporate Governance <ul><li>ITGI Best Practices for Corporate Governance </li></ul><ul><li>IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategy and objectives </li></ul>
  8. 8. 2.2 Monitoring and Assurance Practices for Board a nd Executive Management <ul><li>IT Governance encompasses: </li></ul><ul><ul><ul><li>Information systems </li></ul></ul></ul><ul><ul><ul><li>Technology </li></ul></ul></ul><ul><ul><ul><li>Communication </li></ul></ul></ul><ul><li>IT Governance helps ensure the alignment of IT and enterprise objectives. </li></ul><ul><li>Fundamentally IT governance is concerned with two issues </li></ul><ul><ul><ul><li>IT delivers value to the business </li></ul></ul></ul><ul><ul><ul><ul><li>driven by strategic alignment of IT with the business </li></ul></ul></ul></ul><ul><ul><ul><li>IT risks are mitigated </li></ul></ul></ul><ul><ul><ul><ul><li>driven by embedding accountability into the enterprise </li></ul></ul></ul></ul><ul><li>IT Governance is the responsibility of the board of directors and executive management </li></ul>
  9. 9. <ul><li>IT governance ensures that an organization aligns its IT strategy with: </li></ul><ul><li>A. enterprise objectives. </li></ul><ul><li>B. IT objectives. </li></ul><ul><li>C. audit objectives. </li></ul><ul><li>D. control objectives. </li></ul>Chapter 2 Question
  10. 10. <ul><li>An IS auditor should ensure that IT governance performance measures,: </li></ul><ul><li>A. evaluate the activities of IT oversight committees. </li></ul><ul><li>B. provide strategic IT drivers. </li></ul><ul><li>C. adhere to regulatory reporting standards and definitions. </li></ul><ul><li>D. evaluate the IT department. </li></ul>Chapter 2 – Question 8
  11. 11. Monitoring and Assurance Practices for Board and E xecutive Management <ul><li>IT governance is a structure of relationships: </li></ul>IT Value Delivery Stakeholders Value Drivers Performance Measurement Risk Management Strategic Alignment
  12. 12. Monitoring and Assurance Practices for Board a nd Executive Management <ul><li>Audit Role in IT Governance: </li></ul><ul><li>Audit plays a significant role in a successful implementation of IT governance. Audit is best positioned to provide leading practice recommendations to help improve the quality and effectiveness of the IT governance initiatives implemented. </li></ul><ul><li>Audit helps ensure compliance with IT governance initiatives implemented within an organization. IT governance initiatives requires an independent and balanced view to ensure a qualitative assessment that subsequently facilitates the qualitative improvement of IT processes and associated IT governance initiatives. </li></ul>
  13. 13. Monitoring and Assurance Practices for Board and Executive Management <ul><li>IT Strategy committee </li></ul><ul><li>Is a mechanism for incorporating IT governance into enterprise governance </li></ul><ul><li>As a committee of the board, it assists the board on overseeing the enterprise’s IT related matters by ensuring that the board has the internal and external information IT requires for effective IT governance decision making </li></ul><ul><li>Organizations have had steering committees at an executive level to deal with IT issues that are relevant organizationwide. There should be a clear understanding of both the IT strategy and steering levels. The ITGI issued a document where a clear analysis is made between them. </li></ul>
  14. 14. Monitoring and Assurance Practices for Board and Executive Management <ul><li>Risk Management </li></ul><ul><li>Dependent on the type of risk and its significance to the business, management and the board may choose between: </li></ul><ul><ul><li>Mitigate </li></ul></ul><ul><ul><li>Transfer </li></ul></ul><ul><ul><li>Accept </li></ul></ul>
  15. 15. Monitoring and Assurance Practices for Board and Executive Management <ul><li>Standard IT Balanced Score Card: </li></ul><ul><li>Is a process management evaluative technique that can be applied to the IT business governance process in assesing IT functions and processes </li></ul>
  16. 16. Monitoring and Assurance Practices for Board and Executive Management <ul><li>Standard IT Balanced Score Card </li></ul><ul><li>To apply to IT, a three-layered structure is used in addressing the perspectives </li></ul><ul><li>Mission </li></ul><ul><li>– Become the preferred supplier of information systems. </li></ul><ul><li>– Deliver effective and efficient IT applications and services. </li></ul><ul><li>– Obtain a reasonable business contribution of IT investments. </li></ul><ul><li>– Develop opportunities to answer future challenges. </li></ul>
  17. 17. Monitoring and Assurance Practices for Board and Executive Management <ul><li>Standard IT Balanced Score Card </li></ul><ul><li>three-layered structure ( cont.) </li></ul><ul><li>Strategies </li></ul><ul><ul><li>Develop superior applications and operations. </li></ul></ul><ul><ul><li>Develop user partnerships and greater customer services. </li></ul></ul><ul><ul><li>Provide enhanced service levels and pricing structures. </li></ul></ul><ul><ul><li>Control IT expenses. </li></ul></ul><ul><ul><li>Provide business value to IT projects. </li></ul></ul><ul><ul><li>Provide new business capabilities. </li></ul></ul><ul><ul><li>Train and educate IT staff and promote excellence. </li></ul></ul><ul><ul><li>Provide support for research and development. </li></ul></ul><ul><li>Measures </li></ul><ul><ul><li>Provide a balanced set of metrics (i.e., KPIs) to guide business-oriented IT decisions. </li></ul></ul>
  18. 18. Monitoring and Assurance Practices for Board and Executive Management <ul><li>Standard IT Balanced Score Card </li></ul><ul><li>Use of an IT Balanced Score Card is one of the most effective means to aid the IT Strategy committee and management in achieving IT and business alignment </li></ul>
  19. 19. Monitoring and Assurance Practices for Board and Executive Management <ul><li>Information Security Governance </li></ul><ul><ul><li>Focused activity with specific value drivers: </li></ul></ul><ul><ul><ul><ul><li>Integrity of information </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Continuity of services </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Protection of information assets </li></ul></ul></ul></ul><ul><ul><li>Integral part of IT governance </li></ul></ul>
  20. 20. Monitoring and Assurance Practices for Board and Executive Management <ul><li>Importance of Information Security Governance </li></ul><ul><ul><li>Information security (infosec) covers all information processes, physical and electronic, regardless of whether they involve people and technology or relationships with trading partners, customers and third parties. Information security is concerned with all aspects of information and its protection at all points of its life cycle within the organization. </li></ul></ul>
  21. 21. Monitoring and Assurance Practices for Board and Executive Management <ul><li>Importance of Information Security Governance </li></ul><ul><ul><li>E ffective information security can add significant value to the organization by: </li></ul></ul><ul><ul><li>• Providing greater reliance on interactions with trading partners </li></ul></ul><ul><ul><li>• Improved trust in customer relationships </li></ul></ul><ul><ul><li>• Protecting the organization’s reputation </li></ul></ul><ul><ul><li>• Enabling new and better ways to process electronic transactions </li></ul></ul>
  22. 22. Monitoring and Assurance Practices for Board and Executive Management <ul><li>Outcomes of Security Governance </li></ul><ul><li>Strategic alignment with business strategy </li></ul><ul><li>Manage and execute appropriate measures to mitigate risks </li></ul><ul><li>Value delivery - o ptimize security investments </li></ul><ul><li>Resource management - u tilize information security knowledge and infrastructure efficiently and effectively </li></ul><ul><li>Performance measurement - m easure, monitor and report on information security processes to ensure objectives </li></ul>
  23. 23. Monitoring and Assurance Practices for Board and Executive Management <ul><li>Effective Information Security Governance </li></ul><ul><li>Information security governance is a subset of corporate governance that provides strategic direction for security activities and ensures objectives are achieved. It ensures that information security risks are appropriately managed and enterprise information resources are used responsibly. </li></ul>
  24. 24. Monitoring and Assurance Practices for Board and Executive Management <ul><li>Information Security Governance – roles and resposibilities </li></ul><ul><li>Boards of Directors/Senior Management </li></ul><ul><li>Executive Management </li></ul><ul><li>Steering Committee </li></ul><ul><li>CISO </li></ul>
  25. 25. Monitoring and Assurance Practices for Board and Executive Management <ul><li>Enterprise Architecture </li></ul><ul><li>Involves documenting an organization’s IT assets in a structured manner to facilitate understanding, management and planning for IT investments </li></ul>
  26. 26. Monitoring and Assurance Practices for Board and Executive Management <ul><li>Enterprise Architecture </li></ul><ul><li>Basic Zachman F rameworks </li></ul>Detailed Representation Technology Model Systems Model Enterprise Model Scope Strategy Process People Network Functional Data
  27. 27. Monitoring and Assurance Practices for Board and Executive Management <ul><li>Enterprise Architecture </li></ul><ul><li>The Federal Enterprise Arquitecture (FEA) has a hierarchy of five reference models </li></ul><ul><ul><li>Performance </li></ul></ul><ul><ul><li>Business </li></ul></ul><ul><ul><li>Service component </li></ul></ul><ul><ul><li>Technical </li></ul></ul><ul><ul><li>Data </li></ul></ul>
  28. 28. 2.3 Information Systems Strategy <ul><li>Strategic Planning </li></ul><ul><li>From an information systems standpoint it relates to the long-term direction an organization wants to take in leveraging information technology for improving its business processes. </li></ul><ul><li>Effective IT strategic planning involves a consideration of the organization’s demand for IT and its IT supply capacity. </li></ul>
  29. 29. Information Systems Strategy <ul><li>Steering Committee(s) </li></ul><ul><li>The organization’s senior management should appoint a planning or steering committee to oversee the information systems function and its activities. A high-level steering committee for information technology is an important factor in ensuring that the information systems department is in harmony with the corporate mission and objectives. </li></ul>
  30. 30. Information Systems Strategy <ul><li>Planning / Steering Committee </li></ul><ul><ul><li>Review Board for major IS projects </li></ul></ul><ul><ul><li>Steering Committee </li></ul></ul>
  31. 31. <ul><li>Which of the following would be included in an IS strategic plan? </li></ul><ul><li>A. Specifications for planned hardware purchases </li></ul><ul><li>B. Analysis of future business objectives </li></ul><ul><li>C. Target dates for development projects </li></ul><ul><li>D. Annual budgetary targets for the IS department </li></ul>Chapter 2 Question 9
  32. 32. <ul><li>Which of the following BEST describes an IT department’s strategic planning process? </li></ul><ul><li>A. The IT department will have either short-range or long-range plans depending on the organization’s broader plans and objectives. </li></ul><ul><li>B. The IT department’s strategic plan must be time- and project-oriented, but not so detailed as to address and help determine priorities to meet business needs. </li></ul><ul><li>C. Long-range planning for the IT department should recognize organizational goals, technological advances and regulatory requirements. </li></ul><ul><li>D. Short-range planning for the IT department does not need to be integrated into the short-range plans of the organization, since technological advances will drive the IT department plans much quicker than organizational plans. </li></ul>Chapter 2 Question 10
  33. 33. 2.4 Policies and Procedures <ul><li>Policies </li></ul><ul><ul><li>High level </li></ul></ul><ul><ul><li>Low level </li></ul></ul><ul><ul><ul><li>Information security policy </li></ul></ul></ul><ul><li>Procedures </li></ul>
  34. 34. Policies and Procedures <ul><li>Policies </li></ul><ul><li>Policies are high-level documents. They represent the corporate philosophy of an organization and the strategic thinking of senior management and the business process owners. To be effective, they must be clear and concise. </li></ul><ul><li>Policies are ‘rule of the road’ – They are part of the fundamental documentation for internal control systems. </li></ul>
  35. 35. Policies and Procedures <ul><li>Information Security Policy </li></ul><ul><li>Information security policy provides management the direction and support for information security in accordance with business requirements and relevant laws and regulations. Management should set a clear policy direction in line with business objectives and demonstrate support for and commitment to information security through the issuance and maintenance of an information security policy for the organization . </li></ul>
  36. 36. Policies and Procedures <ul><li>Information Security Policy Document </li></ul><ul><li>Definition of information security </li></ul><ul><li>Statement of management intent </li></ul><ul><li>Framework for setting control objectives </li></ul><ul><li>Brief explanation </li></ul><ul><li>Definition of responsibilities </li></ul><ul><li>References to documentation </li></ul>
  37. 37. Policies and Procedures <ul><li>Review of Information Security Policy </li></ul><ul><li>Input of management review </li></ul><ul><ul><li>Feedback from interested parties </li></ul></ul><ul><ul><li>Results of independent reviews </li></ul></ul><ul><ul><li>Status of preventive and corrective actions </li></ul></ul><ul><ul><li>Results of previous management reviews </li></ul></ul><ul><ul><li>Process performance and information security policy compliance </li></ul></ul><ul><ul><li>Changes that could affect the organization’s approach to managing information security, including changes to the organizational environment; business circumstances; resource availability; contractual, regulatory and legal conditions; or technical environment </li></ul></ul><ul><ul><li>Trends related to threats and vulnerabilities </li></ul></ul><ul><ul><li>Reported information security incidents </li></ul></ul><ul><ul><li>Recommendations provided by relevant authorities </li></ul></ul>
  38. 38. Policies and Procedures <ul><li>Review of Information Security Policy </li></ul><ul><li>Output from management review </li></ul><ul><ul><li>Improvement of the organization’s approach to managing information security and its processes </li></ul></ul><ul><ul><li>Improvement of control objectives and controls </li></ul></ul><ul><ul><li>Improvement in the allocation of resources and/or responsibilities </li></ul></ul>
  39. 39. Policies and Procedures <ul><li>Procedures </li></ul><ul><li>Procedures are detailed documents. They must be derived from the parent policy and must implement the spirit (intent) of the policy statement. Procedures must be written in a clear and concise manner, so they may be easily and properly understood by those governed by them. </li></ul>
  40. 40. 2.5 Risk Management <ul><li>The process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives </li></ul><ul><li>A summary of this concept is shown in the following equation: </li></ul><ul><li>Total risk = Threats x Vulnerability x Asset value </li></ul>
  41. 41. Risk Management <ul><li>Developing a Risk Management Program </li></ul><ul><ul><li>Establish the purpose of the risk management program </li></ul></ul><ul><ul><li>Assign responsibility for the risk management plan </li></ul></ul>
  42. 42. Risk Management <ul><li>Risk Management Process </li></ul><ul><ul><li>Identification and classification of information resources or assets that need protection </li></ul></ul><ul><ul><li>Assess threats and vulnerabilities and the likelihood of their occurrence Identification and classification of information resources or assets that need protection </li></ul></ul><ul><ul><li>Assess threats and vulnerabilities and the likelihood of their occurrence </li></ul></ul>
  43. 43. Risk Management <ul><li>IT risk management needs to operate at multiple levels including: </li></ul><ul><li>Operation : risks that could compromise the effectiveness of IT systems and supporting infrastructure </li></ul><ul><li>Project : risks management needs to focus on the ability to understand and manage project complexity </li></ul><ul><li>Strategic : the risk focus shifts to considerations such as how well the IT capability is aligned with the business strategy </li></ul>
  44. 44. <ul><li>Risk Analysis Methods : </li></ul><ul><li>Qualitative and Quantitative </li></ul><ul><ul><li>Are the simplest and most frequently used </li></ul></ul><ul><ul><li>Are based on checklist and subjective risk ratings </li></ul></ul><ul><li>Semiquantitative Analysis Methods </li></ul><ul><ul><li>the descriptive rankings are associated with a numerical scale. Such methods are frequently used when it is not possible to utilize a quantitative method or to reduce subjectivity in qualitative methods. </li></ul></ul><ul><li>Quantitative Analysis Methods </li></ul><ul><ul><li>it uses numerical values to describe the likelihood and impacts of risks, using data from several types of sources, such as historic records, past experiences, industry practices and records, statistical theories, testing, and experiments. </li></ul></ul><ul><li>Probability and expectancy </li></ul><ul><ul><li>Are based on classical statistical theories of probability and expectancy </li></ul></ul><ul><li>Annual loss expectancy method </li></ul><ul><ul><li>Simplifies the assigment of value and probability in a manner that is easier to quantify. </li></ul></ul>Risk Management
  45. 45. <ul><li>Management and IS auditors should keep in mind certain considerations: </li></ul><ul><li>Should be applied to IT functions company wide </li></ul><ul><li>Is a senior management responsibility </li></ul><ul><li>Quantitative RM is preferred over qualitative approaches </li></ul><ul><li>Quantitative RM always face the challenge of estimating risks </li></ul><ul><li>Quantitative RM provides more objective assumptions </li></ul><ul><li>The real complexity or the apparent sophistication of the methods or packaged used should not be a substitute commonsense or professional diligence </li></ul><ul><li>Special care should be given to very high impact events, even if there probability of occurrence over time is very low. </li></ul>Risk Management
  46. 46. <ul><li>Personnel Management </li></ul><ul><ul><li>Hiring practices </li></ul></ul><ul><ul><li>Employee handbook </li></ul></ul><ul><ul><li>Promotion policies </li></ul></ul><ul><ul><li>Training </li></ul></ul>2.6 IS Management Practices
  47. 47. <ul><li>Personnel Management </li></ul><ul><ul><li>Scheduling and time reporting </li></ul></ul><ul><ul><li>Employee performance evaluations </li></ul></ul><ul><ul><li>Required vacations </li></ul></ul><ul><ul><li>Termination policies </li></ul></ul>IS Management Practices
  48. 48. <ul><li>Outsourcing Practices (Service Level Agreements) </li></ul><ul><ul><li>Reasons for embarking on outsourcing </li></ul></ul><ul><ul><li>Services provided by a third party </li></ul></ul><ul><ul><li>Possible advantages </li></ul></ul><ul><ul><li>Possible disadvantages and business risks </li></ul></ul><ul><ul><li>Means of r e duction of business risks </li></ul></ul><ul><ul><li>Service Level Agreements </li></ul></ul><ul><ul><li>Audit/security concerns </li></ul></ul>IS Management Practices
  49. 49. <ul><li>Strategies in Audit of Outsourcing </li></ul><ul><ul><li>Third Party Audit Report </li></ul></ul><ul><ul><li>Periodic Reviews by the User’s Auditor </li></ul></ul>IS Management Practices
  50. 50. <ul><ul><li>Capacity and growth planning </li></ul></ul><ul><li>Given the strategic importance of IT in companies and the constant change in technology, capacity and growth planning are essential. This activity must be reflective of the long- and short-range business plans and must be considered within the budgeting process. </li></ul>IS Management Practices
  51. 51. <ul><ul><li>Third-party Service Delivery Management </li></ul></ul><ul><ul><li>Service delivery </li></ul></ul><ul><ul><li>Monitoring and review </li></ul></ul><ul><ul><li>Managing changes </li></ul></ul><ul><ul><li>Service improvement and user satisfaction </li></ul></ul><ul><ul><li>Industry Standards/Benchmarking </li></ul></ul>IS Management Practices
  52. 52. <ul><ul><li>Organizational Change management </li></ul></ul><ul><li>Change management is managing IT changes for the organization, where a defined and documented process exists to identify and apply technology improvements at the infrastructure and application(s) level that are beneficial to the organization and involving all levels of the organization impacted by the changes. </li></ul>IS Management Practices
  53. 53. <ul><ul><li>Financial Management Practices </li></ul></ul><ul><li>Financial management is a critical element of all business functions. In a cost-intensive computer environment, it is imperative that sound financial management practices be in place. </li></ul><ul><ul><li>user-pays scheme </li></ul></ul><ul><ul><li>c hargeback </li></ul></ul><ul><ul><li>IS Budgets </li></ul></ul>IS Management Practices
  54. 54. <ul><li>Quality Management </li></ul><ul><ul><li>Software development, maintenance and implementation </li></ul></ul><ul><ul><li>Acquisition of hardware and software </li></ul></ul><ul><ul><li>Day-to-day operations </li></ul></ul><ul><ul><li>Security </li></ul></ul><ul><ul><li>Human resource management </li></ul></ul><ul><ul><li>General administration </li></ul></ul>IS Management Practices
  55. 55. <ul><li>Standards to Assist the Organization </li></ul><ul><ul><li>ISO standard interpretation </li></ul></ul><ul><ul><li>Capability maturity model </li></ul></ul>IS Management Practices
  56. 56. <ul><li>Information Security Management </li></ul><ul><li>Performance Optimization </li></ul><ul><li>The broad phases of performance measurement : </li></ul><ul><ul><li>Establishing and updating performance measures </li></ul></ul><ul><ul><li>Establishing accountability for performance measures </li></ul></ul><ul><ul><li>Gathering and analyzing performance data </li></ul></ul><ul><ul><li>Reporting and using performance information </li></ul></ul>IS Management Practices
  57. 57. 2.7 IS Organizational Structure and r esponsibilities
  58. 58. <ul><li>IS Roles & Responsibilities </li></ul><ul><ul><ul><li>Systems Development Manager </li></ul></ul></ul><ul><ul><ul><li>Help Desk </li></ul></ul></ul><ul><ul><ul><li>End user </li></ul></ul></ul><ul><ul><ul><li>End user support manager </li></ul></ul></ul><ul><ul><ul><li>Data management </li></ul></ul></ul><ul><ul><ul><li>Quality assurance manager </li></ul></ul></ul><ul><ul><ul><li>Vendor and outsourcer management </li></ul></ul></ul>IS Organizational Structure and Responsibilities
  59. 59. <ul><li>IS Roles & Responsibilities </li></ul><ul><ul><li>Control group </li></ul></ul><ul><ul><li>Media management </li></ul></ul><ul><ul><li>Data entry </li></ul></ul><ul><ul><li>Systems administration </li></ul></ul><ul><ul><li>Security administration </li></ul></ul><ul><ul><li>Quality assurance </li></ul></ul><ul><ul><li>Database administration </li></ul></ul>IS Organizational Structure and Responsibilities
  60. 60. <ul><li>IS Roles & Responsibilities </li></ul><ul><ul><li>Systems analysis </li></ul></ul><ul><ul><li>Security Architect </li></ul></ul><ul><ul><li>Application programming </li></ul></ul><ul><ul><li>Systems programming </li></ul></ul><ul><ul><li>Network management </li></ul></ul>IS Organizational Structure and Responsibilities
  61. 61. <ul><li>Segregation of Duties Within IS </li></ul><ul><ul><li>Avoids possibility of errors or misappropriations </li></ul></ul><ul><ul><li>Discourages fraudulent acts </li></ul></ul><ul><ul><li>Limits access to data </li></ul></ul>IS Organizational Structure and Responsibilities
  62. 62. IS Organizational Structure and Responsibilities
  63. 63. <ul><li>Which of the following tasks may be performed by the same person in a well-controlled information processing computer center? </li></ul><ul><li>A. Security administration and change management </li></ul><ul><li>B. Computer operations and system development </li></ul><ul><li>C. System development and change management </li></ul><ul><li>D. System development and systems maintenance </li></ul>Chapter 2 Question 2
  64. 64. <ul><li>Which of the following is the MOST critical control over database administration? </li></ul><ul><li>A. Approval of DBA activities </li></ul><ul><li>B. Segregation of duties </li></ul><ul><li>C. Review of access logs and activities </li></ul><ul><li>D. Review of the use of database tools </li></ul>Chapter 2 Question 3
  65. 65. <ul><li>The MOST important responsibility of a data security officer in an organization is: </li></ul><ul><li>A. recommending and monitoring data security policies. </li></ul><ul><li>B. promoting security awareness within the organization. </li></ul><ul><li>C. establishing procedures for IT security policies. </li></ul><ul><li>D. administering physical and logical access controls. </li></ul>Chapter 2 Question 4
  66. 66. <ul><li>When a complete segregation of duties cannot be achieved in an online system environment, which of the following functions should be separated from the others? </li></ul><ul><li>A. Origination </li></ul><ul><li>B. Authorization </li></ul><ul><li>C. Recording </li></ul><ul><li>D. Correction </li></ul>Chapter 2 Question 5
  67. 67. <ul><li>In a small organization, where segregation of duties is not practical, an employee performs the function of computer operator and application programmer. Which of the following controls should the IS auditor recommend? </li></ul><ul><li>A. Automated logging of changes to development libraries </li></ul><ul><li>B. Additional staff to provide segregation of duties </li></ul><ul><li>C. Procedures that verify that only approved program changes are implemented </li></ul><ul><li>D. Access controls to prevent the operator from making program modifications </li></ul>Chapter 2 Question 6
  68. 68. <ul><li>Which of the following is MOST likely to be performed by the security administrator? </li></ul><ul><li>A. Approving the security policy </li></ul><ul><li>B. Testing application software </li></ul><ul><li>C. Ensuring data integrity </li></ul><ul><li>D. Maintaining access rules </li></ul>Chapter 2 Question 7
  69. 69. <ul><li>Segregation of Duties Controls </li></ul><ul><ul><li>Transaction authorization </li></ul></ul><ul><ul><li>Custody of assets </li></ul></ul><ul><ul><li>Access to data </li></ul></ul><ul><ul><ul><li>Authorization forms </li></ul></ul></ul><ul><ul><ul><li>User authorization tables </li></ul></ul></ul>IS Organizational Structure and Responsibilities
  70. 70. <ul><li>Compensating controls for Lack of Segregation of Duties </li></ul><ul><ul><li>Audit trails </li></ul></ul><ul><ul><li>Reconciliation </li></ul></ul><ul><ul><li>Exception reporting </li></ul></ul><ul><ul><li>Transaction logs </li></ul></ul><ul><ul><li>Supervisory reviews </li></ul></ul><ul><ul><li>Independent reviews </li></ul></ul>IS Organizational Structure and Responsibilities
  71. 71. <ul><li>Indicators of potential problems include: </li></ul><ul><li>Unfavorable end-user attitudes </li></ul><ul><li>Excessive costs </li></ul><ul><li>Budget overruns </li></ul><ul><li>Late projects </li></ul><ul><li>High staff turnover </li></ul><ul><li>Inexperienced staff </li></ul><ul><li>Frequent hardware/software errors </li></ul><ul><li>An excessive backlog of user requests </li></ul><ul><li>Slow computer response time </li></ul>2.8 Auditing IT Governance Structure and Implementation
  72. 72. <ul><li>Indicators of potential problems include (cont.): </li></ul><ul><li>Numerous aborted or suspended development projects </li></ul><ul><li>Unsupported or unauthorized hardware/software purchases </li></ul><ul><li>Frequent hardware/software upgrades </li></ul><ul><li>Extensive exception reports </li></ul><ul><li>Exception reports that were not followed up on </li></ul><ul><li>Poor motivation </li></ul><ul><li>Lack of succession plans </li></ul><ul><li>A reliance on one or two key personnel </li></ul><ul><li>Lack of adequate training </li></ul>Auditing IT Governance Structure and Implementation
  73. 73. <ul><li>Reviewing Documentation </li></ul><ul><li>Reviewing Contractual Commitments </li></ul>Auditing IT Governance Structure and Implementation
  74. 74. <ul><li>Reviewing Documentation </li></ul><ul><ul><li>IT strategies, plans and budgets </li></ul></ul><ul><ul><li>Security policy documentation </li></ul></ul><ul><ul><li>Organization / functional charts </li></ul></ul><ul><ul><li>Job descriptions </li></ul></ul><ul><ul><li>Steering committee reports </li></ul></ul><ul><ul><li>Systems development and program change procedures </li></ul></ul><ul><ul><li>Operations procedures </li></ul></ul><ul><ul><li>Human resource manuals </li></ul></ul><ul><ul><li>Quality assurance procedures </li></ul></ul>Auditing IT Governance Structure and Implementation
  75. 75. <ul><li>Reviewing Contractual Commitments </li></ul><ul><ul><li>Development of contract requirements </li></ul></ul><ul><ul><li>Contract bidding process </li></ul></ul><ul><ul><li>Contract selection process </li></ul></ul><ul><ul><li>Contract acceptance </li></ul></ul><ul><ul><li>Contract maintenance </li></ul></ul><ul><ul><li>Contract compliance </li></ul></ul>Auditing IT Governance Structure and Implementation
  76. 76. <ul><li>IS Auditor review draft of outsourcing contract and SLA and recommend changes prior ti thees being sent to senior management approval </li></ul><ul><ul><li>Agreement includes outsourcing support of windows and unix server administration and network management to third party </li></ul></ul><ul><ul><li>Server will be relocated to outsourcer facility in another country, Internet connect </li></ul></ul><ul><ul><li>Operating software will be upgraded on a semiannual basis, but not escrowed </li></ul></ul><ul><ul><li>Requests for change user account will be processed within three business days </li></ul></ul><ul><ul><li>Intrusion detection software will be continously monitored by outsourcer, customer notified anomalies by e_mail </li></ul></ul><ul><ul><li>New employees hired within last three years, prior no policy present </li></ul></ul><ul><ul><li>Right to audit clause is in place, 24-hour notice is required to onsite visit </li></ul></ul><ul><ul><li>If Outsorcer found to be in violation of contract, it will have 10 business days to correct deficiency </li></ul></ul><ul><ul><li>Outsorcer does not have IS auditor, but audited by regional public accounting firm </li></ul></ul>2.9 Case Study
  77. 77. <ul><li>Which of the following should be of MOST concern to the IS auditor? </li></ul><ul><li>A. User account changes are processed within three business days. </li></ul><ul><li>B. Twenty-four hour notice is required prior to an onsite visit. </li></ul><ul><li>C. The outsourcer does not have an IS audit function. </li></ul><ul><li>D. Software escrow is not included in the contract. </li></ul>Chapter 2 : Case study Question 1
  78. 78. <ul><li>Which of the following would be the MOST significant issue to address if the servers contain personally identifiable customer information that is regularly accessed and updated by end users? </li></ul><ul><li>A. The country in which the outsourcer is based prohibits the use of strong encryption for transmitted data. </li></ul><ul><li>B. The outsourcer limits its liability if it took reasonable steps to protect the customer data. </li></ul><ul><li>C. The outsourcer did not perform background checks for employees hired over three years ago. </li></ul><ul><li>D. System software is only upgraded once every six months. </li></ul>Chapter 2 : Case study Question 2
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×