Chap2 2007 Cisa Review Course
Upcoming SlideShare
Loading in...5

Like this? Share it with your network


Chap2 2007 Cisa Review Course

Uploaded on


  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads


Total Views
On Slideshare
From Embeds
Number of Embeds



Embeds 1 1

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

    No notes for slide


  • 1. 2007 CISA  Review Course Chapter 2 IT Governance
  • 2. Chapter Overview
    • Corporate Governance
    • IT Governance
    • Information Systems Strategy
    • Policies and Procedures
    • Risk Management
    • Information Systems Management Practices
    • IS Organizational Structure and Responsibilities
    • Auditing the Management, Planning and Organization of IS
  • 3. Chapter Objective
    • Ensure that the CISA candidate…
    • “ understands and can provide assurance
    • that the organization has the structure,
    • policies, accountability mechanisms
    • and monitoring practices in place to
    • achieve the requirements of
    • corporate governance of IT.”
  • 4. Chapter Summary
    • According to the CISA Certification Board, this Content Area will represent approximately 15% of the CISA examination. (approximately 30 questions)
  • 5. 2.1 Corporate Governance
      • Ethical corporate behavior by directors or others charged with governance in the creation and presentation for all stakeholders
      • Establishment of rules in managing and reporting business risks
      • IT governance
  • 6. Corporate Governance
    • Corporate governance is a set of responsibilities and practices used by an organization’s management to provide strategic direction, thereby ensuring that goals are achievable, risks are properly addressed and organizational resources are properly utilized.
  • 7. Corporate Governance
    • ITGI Best Practices for Corporate Governance
    • IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategy and objectives
  • 8. 2.2 Monitoring and Assurance Practices for Board a nd Executive Management
    • IT Governance encompasses:
        • Information systems
        • Technology
        • Communication
    • IT Governance helps ensure the alignment of IT and enterprise objectives.
    • Fundamentally IT governance is concerned with two issues
        • IT delivers value to the business
          • driven by strategic alignment of IT with the business
        • IT risks are mitigated
          • driven by embedding accountability into the enterprise
    • IT Governance is the responsibility of the board of directors and executive management
  • 9.
    • IT governance ensures that an organization aligns its IT strategy with:
    • A. enterprise objectives.
    • B. IT objectives.
    • C. audit objectives.
    • D. control objectives.
    Chapter 2 Question
  • 10.
    • An IS auditor should ensure that IT governance performance measures,:
    • A. evaluate the activities of IT oversight committees.
    • B. provide strategic IT drivers.
    • C. adhere to regulatory reporting standards and definitions.
    • D. evaluate the IT department.
    Chapter 2 – Question 8
  • 11. Monitoring and Assurance Practices for Board and E xecutive Management
    • IT governance is a structure of relationships:
    IT Value Delivery Stakeholders Value Drivers Performance Measurement Risk Management Strategic Alignment
  • 12. Monitoring and Assurance Practices for Board a nd Executive Management
    • Audit Role in IT Governance:
    • Audit plays a significant role in a successful implementation of IT governance. Audit is best positioned to provide leading practice recommendations to help improve the quality and effectiveness of the IT governance initiatives implemented.
    • Audit helps ensure compliance with IT governance initiatives implemented within an organization. IT governance initiatives requires an independent and balanced view to ensure a qualitative assessment that subsequently facilitates the qualitative improvement of IT processes and associated IT governance initiatives.
  • 13. Monitoring and Assurance Practices for Board and Executive Management
    • IT Strategy committee
    • Is a mechanism for incorporating IT governance into enterprise governance
    • As a committee of the board, it assists the board on overseeing the enterprise’s IT related matters by ensuring that the board has the internal and external information IT requires for effective IT governance decision making
    • Organizations have had steering committees at an executive level to deal with IT issues that are relevant organizationwide. There should be a clear understanding of both the IT strategy and steering levels. The ITGI issued a document where a clear analysis is made between them.
  • 14. Monitoring and Assurance Practices for Board and Executive Management
    • Risk Management
    • Dependent on the type of risk and its significance to the business, management and the board may choose between:
      • Mitigate
      • Transfer
      • Accept
  • 15. Monitoring and Assurance Practices for Board and Executive Management
    • Standard IT Balanced Score Card:
    • Is a process management evaluative technique that can be applied to the IT business governance process in assesing IT functions and processes
  • 16. Monitoring and Assurance Practices for Board and Executive Management
    • Standard IT Balanced Score Card
    • To apply to IT, a three-layered structure is used in addressing the perspectives
    • Mission
    • – Become the preferred supplier of information systems.
    • – Deliver effective and efficient IT applications and services.
    • – Obtain a reasonable business contribution of IT investments.
    • – Develop opportunities to answer future challenges.
  • 17. Monitoring and Assurance Practices for Board and Executive Management
    • Standard IT Balanced Score Card
    • three-layered structure ( cont.)
    • Strategies
      • Develop superior applications and operations.
      • Develop user partnerships and greater customer services.
      • Provide enhanced service levels and pricing structures.
      • Control IT expenses.
      • Provide business value to IT projects.
      • Provide new business capabilities.
      • Train and educate IT staff and promote excellence.
      • Provide support for research and development.
    • Measures
      • Provide a balanced set of metrics (i.e., KPIs) to guide business-oriented IT decisions.
  • 18. Monitoring and Assurance Practices for Board and Executive Management
    • Standard IT Balanced Score Card
    • Use of an IT Balanced Score Card is one of the most effective means to aid the IT Strategy committee and management in achieving IT and business alignment
  • 19. Monitoring and Assurance Practices for Board and Executive Management
    • Information Security Governance
      • Focused activity with specific value drivers:
          • Integrity of information
          • Continuity of services
          • Protection of information assets
      • Integral part of IT governance
  • 20. Monitoring and Assurance Practices for Board and Executive Management
    • Importance of Information Security Governance
      • Information security (infosec) covers all information processes, physical and electronic, regardless of whether they involve people and technology or relationships with trading partners, customers and third parties. Information security is concerned with all aspects of information and its protection at all points of its life cycle within the organization.
  • 21. Monitoring and Assurance Practices for Board and Executive Management
    • Importance of Information Security Governance
      • E ffective information security can add significant value to the organization by:
      • • Providing greater reliance on interactions with trading partners
      • • Improved trust in customer relationships
      • • Protecting the organization’s reputation
      • • Enabling new and better ways to process electronic transactions
  • 22. Monitoring and Assurance Practices for Board and Executive Management
    • Outcomes of Security Governance
    • Strategic alignment with business strategy
    • Manage and execute appropriate measures to mitigate risks
    • Value delivery - o ptimize security investments
    • Resource management - u tilize information security knowledge and infrastructure efficiently and effectively
    • Performance measurement - m easure, monitor and report on information security processes to ensure objectives
  • 23. Monitoring and Assurance Practices for Board and Executive Management
    • Effective Information Security Governance
    • Information security governance is a subset of corporate governance that provides strategic direction for security activities and ensures objectives are achieved. It ensures that information security risks are appropriately managed and enterprise information resources are used responsibly.
  • 24. Monitoring and Assurance Practices for Board and Executive Management
    • Information Security Governance – roles and resposibilities
    • Boards of Directors/Senior Management
    • Executive Management
    • Steering Committee
    • CISO
  • 25. Monitoring and Assurance Practices for Board and Executive Management
    • Enterprise Architecture
    • Involves documenting an organization’s IT assets in a structured manner to facilitate understanding, management and planning for IT investments
  • 26. Monitoring and Assurance Practices for Board and Executive Management
    • Enterprise Architecture
    • Basic Zachman F rameworks
    Detailed Representation Technology Model Systems Model Enterprise Model Scope Strategy Process People Network Functional Data
  • 27. Monitoring and Assurance Practices for Board and Executive Management
    • Enterprise Architecture
    • The Federal Enterprise Arquitecture (FEA) has a hierarchy of five reference models
      • Performance
      • Business
      • Service component
      • Technical
      • Data
  • 28. 2.3 Information Systems Strategy
    • Strategic Planning
    • From an information systems standpoint it relates to the long-term direction an organization wants to take in leveraging information technology for improving its business processes.
    • Effective IT strategic planning involves a consideration of the organization’s demand for IT and its IT supply capacity.
  • 29. Information Systems Strategy
    • Steering Committee(s)
    • The organization’s senior management should appoint a planning or steering committee to oversee the information systems function and its activities. A high-level steering committee for information technology is an important factor in ensuring that the information systems department is in harmony with the corporate mission and objectives.
  • 30. Information Systems Strategy
    • Planning / Steering Committee
      • Review Board for major IS projects
      • Steering Committee
  • 31.
    • Which of the following would be included in an IS strategic plan?
    • A. Specifications for planned hardware purchases
    • B. Analysis of future business objectives
    • C. Target dates for development projects
    • D. Annual budgetary targets for the IS department
    Chapter 2 Question 9
  • 32.
    • Which of the following BEST describes an IT department’s strategic planning process?
    • A. The IT department will have either short-range or long-range plans depending on the organization’s broader plans and objectives.
    • B. The IT department’s strategic plan must be time- and project-oriented, but not so detailed as to address and help determine priorities to meet business needs.
    • C. Long-range planning for the IT department should recognize organizational goals, technological advances and regulatory requirements.
    • D. Short-range planning for the IT department does not need to be integrated into the short-range plans of the organization, since technological advances will drive the IT department plans much quicker than organizational plans.
    Chapter 2 Question 10
  • 33. 2.4 Policies and Procedures
    • Policies
      • High level
      • Low level
        • Information security policy
    • Procedures
  • 34. Policies and Procedures
    • Policies
    • Policies are high-level documents. They represent the corporate philosophy of an organization and the strategic thinking of senior management and the business process owners. To be effective, they must be clear and concise.
    • Policies are ‘rule of the road’ – They are part of the fundamental documentation for internal control systems.
  • 35. Policies and Procedures
    • Information Security Policy
    • Information security policy provides management the direction and support for information security in accordance with business requirements and relevant laws and regulations. Management should set a clear policy direction in line with business objectives and demonstrate support for and commitment to information security through the issuance and maintenance of an information security policy for the organization .
  • 36. Policies and Procedures
    • Information Security Policy Document
    • Definition of information security
    • Statement of management intent
    • Framework for setting control objectives
    • Brief explanation
    • Definition of responsibilities
    • References to documentation
  • 37. Policies and Procedures
    • Review of Information Security Policy
    • Input of management review
      • Feedback from interested parties
      • Results of independent reviews
      • Status of preventive and corrective actions
      • Results of previous management reviews
      • Process performance and information security policy compliance
      • Changes that could affect the organization’s approach to managing information security, including changes to the organizational environment; business circumstances; resource availability; contractual, regulatory and legal conditions; or technical environment
      • Trends related to threats and vulnerabilities
      • Reported information security incidents
      • Recommendations provided by relevant authorities
  • 38. Policies and Procedures
    • Review of Information Security Policy
    • Output from management review
      • Improvement of the organization’s approach to managing information security and its processes
      • Improvement of control objectives and controls
      • Improvement in the allocation of resources and/or responsibilities
  • 39. Policies and Procedures
    • Procedures
    • Procedures are detailed documents. They must be derived from the parent policy and must implement the spirit (intent) of the policy statement. Procedures must be written in a clear and concise manner, so they may be easily and properly understood by those governed by them.
  • 40. 2.5 Risk Management
    • The process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives
    • A summary of this concept is shown in the following equation:
    • Total risk = Threats x Vulnerability x Asset value
  • 41. Risk Management
    • Developing a Risk Management Program
      • Establish the purpose of the risk management program
      • Assign responsibility for the risk management plan
  • 42. Risk Management
    • Risk Management Process
      • Identification and classification of information resources or assets that need protection
      • Assess threats and vulnerabilities and the likelihood of their occurrence Identification and classification of information resources or assets that need protection
      • Assess threats and vulnerabilities and the likelihood of their occurrence
  • 43. Risk Management
    • IT risk management needs to operate at multiple levels including:
    • Operation : risks that could compromise the effectiveness of IT systems and supporting infrastructure
    • Project : risks management needs to focus on the ability to understand and manage project complexity
    • Strategic : the risk focus shifts to considerations such as how well the IT capability is aligned with the business strategy
  • 44.
    • Risk Analysis Methods :
    • Qualitative and Quantitative
      • Are the simplest and most frequently used
      • Are based on checklist and subjective risk ratings
    • Semiquantitative Analysis Methods
      • the descriptive rankings are associated with a numerical scale. Such methods are frequently used when it is not possible to utilize a quantitative method or to reduce subjectivity in qualitative methods.
    • Quantitative Analysis Methods
      • it uses numerical values to describe the likelihood and impacts of risks, using data from several types of sources, such as historic records, past experiences, industry practices and records, statistical theories, testing, and experiments.
    • Probability and expectancy
      • Are based on classical statistical theories of probability and expectancy
    • Annual loss expectancy method
      • Simplifies the assigment of value and probability in a manner that is easier to quantify.
    Risk Management
  • 45.
    • Management and IS auditors should keep in mind certain considerations:
    • Should be applied to IT functions company wide
    • Is a senior management responsibility
    • Quantitative RM is preferred over qualitative approaches
    • Quantitative RM always face the challenge of estimating risks
    • Quantitative RM provides more objective assumptions
    • The real complexity or the apparent sophistication of the methods or packaged used should not be a substitute commonsense or professional diligence
    • Special care should be given to very high impact events, even if there probability of occurrence over time is very low.
    Risk Management
  • 46.
    • Personnel Management
      • Hiring practices
      • Employee handbook
      • Promotion policies
      • Training
    2.6 IS Management Practices
  • 47.
    • Personnel Management
      • Scheduling and time reporting
      • Employee performance evaluations
      • Required vacations
      • Termination policies
    IS Management Practices
  • 48.
    • Outsourcing Practices (Service Level Agreements)
      • Reasons for embarking on outsourcing
      • Services provided by a third party
      • Possible advantages
      • Possible disadvantages and business risks
      • Means of r e duction of business risks
      • Service Level Agreements
      • Audit/security concerns
    IS Management Practices
  • 49.
    • Strategies in Audit of Outsourcing
      • Third Party Audit Report
      • Periodic Reviews by the User’s Auditor
    IS Management Practices
  • 50.
      • Capacity and growth planning
    • Given the strategic importance of IT in companies and the constant change in technology, capacity and growth planning are essential. This activity must be reflective of the long- and short-range business plans and must be considered within the budgeting process.
    IS Management Practices
  • 51.
      • Third-party Service Delivery Management
      • Service delivery
      • Monitoring and review
      • Managing changes
      • Service improvement and user satisfaction
      • Industry Standards/Benchmarking
    IS Management Practices
  • 52.
      • Organizational Change management
    • Change management is managing IT changes for the organization, where a defined and documented process exists to identify and apply technology improvements at the infrastructure and application(s) level that are beneficial to the organization and involving all levels of the organization impacted by the changes.
    IS Management Practices
  • 53.
      • Financial Management Practices
    • Financial management is a critical element of all business functions. In a cost-intensive computer environment, it is imperative that sound financial management practices be in place.
      • user-pays scheme
      • c hargeback
      • IS Budgets
    IS Management Practices
  • 54.
    • Quality Management
      • Software development, maintenance and implementation
      • Acquisition of hardware and software
      • Day-to-day operations
      • Security
      • Human resource management
      • General administration
    IS Management Practices
  • 55.
    • Standards to Assist the Organization
      • ISO standard interpretation
      • Capability maturity model
    IS Management Practices
  • 56.
    • Information Security Management
    • Performance Optimization
    • The broad phases of performance measurement :
      • Establishing and updating performance measures
      • Establishing accountability for performance measures
      • Gathering and analyzing performance data
      • Reporting and using performance information
    IS Management Practices
  • 57. 2.7 IS Organizational Structure and r esponsibilities
  • 58.
    • IS Roles & Responsibilities
        • Systems Development Manager
        • Help Desk
        • End user
        • End user support manager
        • Data management
        • Quality assurance manager
        • Vendor and outsourcer management
    IS Organizational Structure and Responsibilities
  • 59.
    • IS Roles & Responsibilities
      • Control group
      • Media management
      • Data entry
      • Systems administration
      • Security administration
      • Quality assurance
      • Database administration
    IS Organizational Structure and Responsibilities
  • 60.
    • IS Roles & Responsibilities
      • Systems analysis
      • Security Architect
      • Application programming
      • Systems programming
      • Network management
    IS Organizational Structure and Responsibilities
  • 61.
    • Segregation of Duties Within IS
      • Avoids possibility of errors or misappropriations
      • Discourages fraudulent acts
      • Limits access to data
    IS Organizational Structure and Responsibilities
  • 62. IS Organizational Structure and Responsibilities
  • 63.
    • Which of the following tasks may be performed by the same person in a well-controlled information processing computer center?
    • A. Security administration and change management
    • B. Computer operations and system development
    • C. System development and change management
    • D. System development and systems maintenance
    Chapter 2 Question 2
  • 64.
    • Which of the following is the MOST critical control over database administration?
    • A. Approval of DBA activities
    • B. Segregation of duties
    • C. Review of access logs and activities
    • D. Review of the use of database tools
    Chapter 2 Question 3
  • 65.
    • The MOST important responsibility of a data security officer in an organization is:
    • A. recommending and monitoring data security policies.
    • B. promoting security awareness within the organization.
    • C. establishing procedures for IT security policies.
    • D. administering physical and logical access controls.
    Chapter 2 Question 4
  • 66.
    • When a complete segregation of duties cannot be achieved in an online system environment, which of the following functions should be separated from the others?
    • A. Origination
    • B. Authorization
    • C. Recording
    • D. Correction
    Chapter 2 Question 5
  • 67.
    • In a small organization, where segregation of duties is not practical, an employee performs the function of computer operator and application programmer. Which of the following controls should the IS auditor recommend?
    • A. Automated logging of changes to development libraries
    • B. Additional staff to provide segregation of duties
    • C. Procedures that verify that only approved program changes are implemented
    • D. Access controls to prevent the operator from making program modifications
    Chapter 2 Question 6
  • 68.
    • Which of the following is MOST likely to be performed by the security administrator?
    • A. Approving the security policy
    • B. Testing application software
    • C. Ensuring data integrity
    • D. Maintaining access rules
    Chapter 2 Question 7
  • 69.
    • Segregation of Duties Controls
      • Transaction authorization
      • Custody of assets
      • Access to data
        • Authorization forms
        • User authorization tables
    IS Organizational Structure and Responsibilities
  • 70.
    • Compensating controls for Lack of Segregation of Duties
      • Audit trails
      • Reconciliation
      • Exception reporting
      • Transaction logs
      • Supervisory reviews
      • Independent reviews
    IS Organizational Structure and Responsibilities
  • 71.
    • Indicators of potential problems include:
    • Unfavorable end-user attitudes
    • Excessive costs
    • Budget overruns
    • Late projects
    • High staff turnover
    • Inexperienced staff
    • Frequent hardware/software errors
    • An excessive backlog of user requests
    • Slow computer response time
    2.8 Auditing IT Governance Structure and Implementation
  • 72.
    • Indicators of potential problems include (cont.):
    • Numerous aborted or suspended development projects
    • Unsupported or unauthorized hardware/software purchases
    • Frequent hardware/software upgrades
    • Extensive exception reports
    • Exception reports that were not followed up on
    • Poor motivation
    • Lack of succession plans
    • A reliance on one or two key personnel
    • Lack of adequate training
    Auditing IT Governance Structure and Implementation
  • 73.
    • Reviewing Documentation
    • Reviewing Contractual Commitments
    Auditing IT Governance Structure and Implementation
  • 74.
    • Reviewing Documentation
      • IT strategies, plans and budgets
      • Security policy documentation
      • Organization / functional charts
      • Job descriptions
      • Steering committee reports
      • Systems development and program change procedures
      • Operations procedures
      • Human resource manuals
      • Quality assurance procedures
    Auditing IT Governance Structure and Implementation
  • 75.
    • Reviewing Contractual Commitments
      • Development of contract requirements
      • Contract bidding process
      • Contract selection process
      • Contract acceptance
      • Contract maintenance
      • Contract compliance
    Auditing IT Governance Structure and Implementation
  • 76.
    • IS Auditor review draft of outsourcing contract and SLA and recommend changes prior ti thees being sent to senior management approval
      • Agreement includes outsourcing support of windows and unix server administration and network management to third party
      • Server will be relocated to outsourcer facility in another country, Internet connect
      • Operating software will be upgraded on a semiannual basis, but not escrowed
      • Requests for change user account will be processed within three business days
      • Intrusion detection software will be continously monitored by outsourcer, customer notified anomalies by e_mail
      • New employees hired within last three years, prior no policy present
      • Right to audit clause is in place, 24-hour notice is required to onsite visit
      • If Outsorcer found to be in violation of contract, it will have 10 business days to correct deficiency
      • Outsorcer does not have IS auditor, but audited by regional public accounting firm
    2.9 Case Study
  • 77.
    • Which of the following should be of MOST concern to the IS auditor?
    • A. User account changes are processed within three business days.
    • B. Twenty-four hour notice is required prior to an onsite visit.
    • C. The outsourcer does not have an IS audit function.
    • D. Software escrow is not included in the contract.
    Chapter 2 : Case study Question 1
  • 78.
    • Which of the following would be the MOST significant issue to address if the servers contain personally identifiable customer information that is regularly accessed and updated by end users?
    • A. The country in which the outsourcer is based prohibits the use of strong encryption for transmitted data.
    • B. The outsourcer limits its liability if it took reasonable steps to protect the customer data.
    • C. The outsourcer did not perform background checks for employees hired over three years ago.
    • D. System software is only upgraded once every six months.
    Chapter 2 : Case study Question 2