This document provides an overview of topics covered in a CISA review course, including IT governance, corporate governance, governance of enterprise IT, risk management, information security management practices, auditing IT governance structure and implementation, and business continuity planning. The document defines key concepts, best practices, standards, and approaches for each topic. It also outlines the roles and responsibilities of various committees, policies, procedures, and other elements involved in effectively governing enterprise IT.
CISA Training - Chapter 2 - 2016
1. 2016 CISA® Review Course
Hafiz Sheikh Adnan Ahmed – CISA, COBIT 5, ISO 27001 LA
[PECB Certified Trainer]
2. Quick Reference Review
• IT Governance
• Governance of Enterprise IT
• Roles and Responsibilities of IT Steering Committee
• Governance of Information Security
• Risk Management
• Management Processes
• Segregation of duties
• Business Continuity & Disaster Recovery
3. 2.2. Corporate Governance
• A system by which business operations are directed and controlled
• A set of responsibilities and practices used by an organization’s management to provide strategic direction, ensuring that goals are achievable, risks are properly addressed and organizational resources are properly utilized
• A set of relationships between a company’s management, its board, its shareholders and other stakeholders
• Provides a structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined
4. 2.3. Governance of Enterprise IT (GEIT)
• GEIT implies a system in which all stakeholders provide input into a decision-making process
• GEIT is the responsibility of the board of directors and executive management
• Its purpose is to direct IT endeavors to ensure that IT performance meets the objectives of aligning IT with the enterprise’s objectives and the realization of promised benefits
• A key element of GEIT is the alignment of business and IT
5. 2.3.1 Best practices for GEIT
• COBIT 5:
  • A framework developed by ISACA to ensure that IT is aligned with the business, IT enables the business and maximizes benefits, IT resources are used responsibly, and IT risks are appropriately managed
  • Provides tools to assess and measure the performance of 37 processes
• ISO/IEC 27001:
  • Provides guidance in implementing and maintaining information security programs
• ITIL:
  • Deals with operational service management of IT
6. • IT Baseline Protection Catalogs:
  • Documents for detecting and combating security weak points in an IT environment; over 3000 pages
• Information Security Management Maturity Model (ISM3):
  • Process model for security
• AS8015-2005:
  • Australian standard for corporate governance of information and communication technology
  • Later adopted as ISO/IEC 38500
• ISO/IEC 20000:
  • Specification for IT Service Management, aligned with ITIL
9. Audit Role in GEIT
• Provide recommendations to senior management to help improve the quality and effectiveness of the IT governance initiatives implemented
• Help ensure compliance with GEIT initiatives
• Assess whether enterprise governance and GEIT are aligned
• Ensure alignment of the IS function with the organization’s mission, vision, values, objectives and strategies
• Ensure legal, regulatory, environmental, security and privacy requirements are addressed
• Consider the inherent risks within the IS environment
11. 2.3.3 IT Balanced Scorecard (BSC)
• A process management evaluation technique for assessing IT functions and processes
• Measures customer satisfaction, internal processes and the ability to innovate
• A three-layered structure addressing 4 perspectives:
  • Mission
  • Strategies
  • Measures
  • Sources
• Most effective method to aid the IT strategy committee and management in achieving IT governance through proper IT and business alignment
13. 2.3.4 Information Security Governance
• IS governance is part of IT governance
• Consists of:
  • CIA of information
  • Continuity of services
  • Protection of information assets
• Responsibility of the board of directors and executive management
• Outcomes include:
  • Strategic alignment
  • Risk management and compliance
  • Value delivery
14. Effective IS Governance
• IS governance is a subset of corporate governance that provides strategic direction for security activities and ensures that objectives are achieved
• Ensures IS risks are managed and enterprise resources are used responsibly
• To achieve effective IS governance, management must establish and maintain a framework to guide the development and management of a comprehensive IS program that supports business objectives
• The framework includes, but is not limited to:
  • A comprehensive security strategy linked with corporate strategy and business objectives
  • Policies, procedures and guidelines
  • An effective organizational security structure
  • Monitoring processes to ensure compliance
16. 2.3.5 Enterprise Architecture (EA)
• EA involves documenting an organization’s IT assets in a structured manner to facilitate understanding, management and planning for IT investments
• Involves both a current-state and an optimized future-state representation
• The framework for EA was introduced by John Zachman
17. 2.4.1 Strategic Planning
• The long-term direction an enterprise wants to take in leveraging IT to improve its business processes
• Generally a three- to five-year plan
• The IS steering committee and strategy committee play a key role in the development and implementation of plans
• The IS auditor must pay full attention to the importance of IT strategic planning
• The IS auditor must focus on the importance of the strategic planning process
• IT strategic plans must be synchronized with the overall business strategy
18. 2.4.2 Steering Committee
• Oversees the IS functions and activities
• The committee includes representatives of senior management, business departments and IT
• Duties and responsibilities are defined in a formal charter
• Not usually involved in operational activities
• Reviews long- and short-term plans of the IS department to ensure they are aligned with corporate objectives
• Approves and monitors major projects
• Reviews and approves major acquisitions
• Reviews the adequacy of resources
19. 2.5. Maturity & Process Improvement Models
• Various models such as CMMI, IDEAL, COBIT
• COBIT PAM:
  • A reference document for conducting capability assessments
  • Aligned with ISO/IEC 15504-2
  • Uses process capability and process performance indicators to determine process attributes
• IDEAL:
  • Initiate, Diagnose, Establish, Act, Learn
  • A process improvement program
20. 2.6. IT Investment & Allocation Practices
• IT’s value is determined by the relationship between costs and benefits
• The larger the benefit in relation to cost, the greater the value of the IT project
• Implementation methods include:
  • Risk profile analysis
  • Diversification of projects
  • Infrastructure and technologies
  • Continuous alignment with business goals
  • Continuous improvement
21. 2.7.1 Policies
• High-level documents that represent the corporate philosophy of the organization
• Must be clear and concise
• Divisions and departments may define their own lower-level policies
• Management must review policies periodically
• IS auditors should consider policies as part of the audit scope
• Ensure policies of third parties or outsourcers do not conflict with the enterprise’s policies
22. Information Security Policy
• The security policy is the first step towards building the security infrastructure
• The cost of a control should NOT exceed the expected benefit to be derived
• Must be approved by senior management
• The ISO/IEC 27001 standard may be considered a benchmark for the content covered by the IS policy:
  • Definition of information security, objectives, scope, importance to the organization
  • Alignment of information security with business objectives and goals
  • Brief explanation of policies and procedures and compliance requirements
  • Roles and responsibilities of the personnel involved
  • References to documentation which may support the policy
23. • IS policy to be communicated throughout the organization
• Must be accessible and understandable to the intended user
• Organizations may document IS policies as a set of policies. For example:
  • High-level Information Security Policy
  • Data Classification Policy
  • Acceptable Use Policy
  • End-User Computing Policy
  • Access Control Policy
24. Acceptable Use Policy (AUP)
• Defines a set of guidelines on how to use information system resources
• Explains acceptable computer use
• Must be clear and concise
• Clearly defines what sanctions will be applied if the user fails to comply with the AUP
• Compliance is to be measured by regular audits
• The most common part of an AUP is the Acceptable Internet Usage Policy
25. Review of Information Security Policy
• Should be reviewed at planned intervals to ensure suitability, adequacy and effectiveness
• Review should include assessing opportunities for improvement to the organization’s IS policy
• To be reviewed by management while considering the feedback and inputs from:
  • Stakeholders
  • Interested parties
  • Previous results of management reviews
  • Trends related to threats and vulnerabilities
  • Reported information security incidents
  • Recommendations from relevant authorities
26. 2.7.2 Procedures
• Documented, defined steps for achieving policy objectives
• Must be derived from the parent policy
• Must be written in a clear and concise manner and must be easily understood
• Document business processes and embedded controls
• More dynamic than their respective parent policies
27. 2.8. Risk Management
• A process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives and deciding what countermeasures to take in reducing risk to an acceptable level (i.e. residual risk), based on the value of the information resource to the organization
• Begins with a clear understanding of the organization’s appetite for risk
• RM includes identifying, analyzing, evaluating, treating, monitoring and communicating the impact of risk on IT processes
29. 2.8.1 Developing a Risk Management Program
• Establish the purpose:
  • Determine the purpose for creating the risk management program
  • Define KPIs to determine its effectiveness
  • Senior management and the board of directors set the tone and goals for the risk management program
• Assign responsibility for the RM plan:
  • Designate a team or an individual responsible for developing and implementing the risk management program
• Integrate risk management within all levels of the organization
30. 2.8.2 Risk Management Process
• The key management practices include:
  • Collect data
  • Analyze risk
  • Maintain a risk profile
  • Articulate risk
  • Define a risk management action portfolio
  • Respond to risk
31. • Threat: Any circumstance or event with the potential to cause harm to an information resource
  • Errors, malicious damage, fraud, theft, software failure etc.
• Vulnerability: A characteristic of an information resource that can be exploited by a threat to cause harm
  • Lack of user knowledge, lack of security functionality, untrusted technology etc.
• Impact: The result of a threat agent exploiting a vulnerability
  • Direct loss of money, breach of legislation, loss of reputation etc.
• Risk: Probability of Occurrence * Magnitude of Impact
  • Risk is proportional to the estimated likelihood of the threat and the value of the loss/damage
32. 2.8.3 Risk Analysis Methods
• Qualitative Analysis:
  • Uses word or descriptive rankings to describe impact or likelihood
  • Simplest and most frequently used method
  • Based on checklists and subjective risk ratings like High, Medium, Low
• Semi-quantitative Analysis:
  • Rankings are associated with a numeric scale
  • Normally used when it is not possible to utilize a quantitative method, or to reduce subjectivity in qualitative methods
  • E.g. “High” may be given “5”; “Medium” may be given “3”; “Low” may be given “1”
• Quantitative Analysis:
  • Uses numeric values to describe impact or likelihood
  • Usually performed during BIA
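As an added example (not part of the slides), the following Python applies the three analysis methods to a small constructed risk register: qualitative High/Medium/Low ranks, the 5/3/1 semi-quantitative mapping given on the slide, and a numeric expected-loss calculation for the quantitative case. It also scores the residual risk after a countermeasure, tying back to the definition on slide 27. The register entries, the risk-appetite threshold of 10 and the helper names are assumptions for illustration.

```python
"""Risk scoring for a small risk register: the qualitative, semi-quantitative and
quantitative methods of the Risk Analysis Methods slide, applied side by side."""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Semi-quantitative scale from the slide: "High" -> 5, "Medium" -> 3, "Low" -> 1.
RANK_SCORE = {"High": 5, "Medium": 3, "Low": 1}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str  # qualitative rank: "High", "Medium" or "Low"
    impact: str      # qualitative rank: "High", "Medium" or "Low"


def semi_quantitative_score(risk: Risk) -> int:
    """Risk = probability of occurrence * magnitude of impact, on the 1/3/5 scale (1..25)."""
    try:
        return RANK_SCORE[risk.likelihood] * RANK_SCORE[risk.impact]
    except KeyError as exc:
        raise ValueError(f"unknown rank {exc} for risk {risk.name!r}") from None


def quantitative_expected_loss(probability: float, magnitude: float) -> float:
    """The same formula with numeric inputs: probability (0..1) times monetary impact."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    if magnitude < 0:
        raise ValueError("magnitude must be non-negative")
    return probability * magnitude


def rank_register(register: List[Risk], appetite: int) -> List[Tuple[str, int, bool]]:
    """Highest score first; the flag marks risks above the risk appetite that need
    treatment. The appetite value is an assumed threshold, not a figure from the slides."""
    scored = sorted(register, key=lambda r: (-semi_quantitative_score(r), r.name))
    return [(r.name, semi_quantitative_score(r), semi_quantitative_score(r) > appetite)
            for r in scored]


def residual_score(risk: Risk, likelihood: Optional[str] = None,
                   impact: Optional[str] = None) -> int:
    """Score after a countermeasure lowers likelihood and/or impact (the residual risk)."""
    treated = replace(risk, likelihood=likelihood or risk.likelihood,
                      impact=impact or risk.impact)
    return semi_quantitative_score(treated)


# Constructed sample register (illustrative entries, not from the slides).
SAMPLE_REGISTER = [
    Risk("Ransomware on file server", "High", "High"),
    Risk("Lost unencrypted laptop", "Medium", "High"),
    Risk("Unpatched internal wiki", "Medium", "Medium"),
    Risk("Printer outage", "High", "Low"),
]
RISK_APPETITE = 10  # assumed acceptable-risk threshold on the 1..25 scale

if __name__ == "__main__":
    for name, score, needs_treatment in rank_register(SAMPLE_REGISTER, RISK_APPETITE):
        print(f"{score:>2}  {'TREAT ' if needs_treatment else 'accept'}  {name}")
    # Countermeasure: offline, tested backups bring ransomware likelihood down to Low.
    print("residual ransomware score:", residual_score(SAMPLE_REGISTER[0], likelihood="Low"))
    # Quantitative view: 25% annual probability of a 120,000 loss.
    print("expected loss:", quantitative_expected_loss(0.25, 120_000))
```

Two entries (ransomware and the lost laptop) land above the assumed appetite and are flagged for treatment; after the backup countermeasure the ransomware entry drops to 5, which is within appetite and therefore an acceptable residual risk.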
33. 2.9. Information Systems Management Practices
• Reflect the implementation of policies and procedures developed for various IS-related management activities
• Management activities review the policy/procedure formulations and their effectiveness within the IS department
34. 2.9.1 Human Resource Management
• HR management relates to organizational policies and procedures for:
  • Recruiting
  • Selecting
  • Training
  • Promoting staff
  • Measuring staff performance, disciplining staff, succession planning and staff retention
  • Termination
35. 2.9.2 Sourcing Practices
• Sourcing practices relate to the way in which the organization obtains the IS functions required to support the business
• This may include:
  • Insourced – Fully performed by the organization’s staff
  • Outsourced – Fully performed by the vendor’s staff
  • Hybrid – Performed by a mix of the organization’s and the vendor’s staff
• IS functions can be performed across the globe:
  • Onsite – Staff work onsite in the IS department
  • Offsite – Also known as near-shore; staff work at a remote location in the same geographic region
  • Offshore – Staff work at a remote location in a different geographic region
36. • Reasons for Outsourcing:
  • A desire to focus on core activities
  • Pressure on profit margins
  • Increasing competition that demands cost savings
  • Flexibility with respect to both organization and structure
• Enterprises should consider outsourcing provisions in contracts, including security clauses
38. Industry Standards / Benchmarking / Global Practices
• Organizations to adhere to a well-defined set of standards
• Legal, regulatory and tax issues
• Cross-border and cross-cultural issues
• Telecommunication issues
39. Governance in Outsourcing
• Governance of outsourcing is the set of roles and responsibilities, objectives, interfaces and controls required to anticipate change
40. Service Delivery
• Service delivery by a third party includes agreed-on security agreements, service definitions and aspects of service management
• Ensure agreed-on service continuity levels are maintained following major service failures or disasters
41. Monitoring & Review of Third-Party Services
• Monitor the services provided by the third party
• Audits to be carried out regularly
• Ensure the information security terms and conditions of the agreements are being adhered to and managed properly
42. Cloud Governance
• Organization to maintain sufficient control and visibility into all security aspects for sensitive or critical information
• Ensure to retain visibility in security activities such as change management, identification of vulnerabilities and information security incident reporting
44. Service Improvement & User Satisfaction
• Organizations to set service improvement expectations into the contracts with associated penalties and rewards
• Service improvements to be agreed on by users and IT with the goals of improving user satisfaction and attaining business objectives
• Service improvements to be monitored by interviewing and surveying users
45. 2.9.3 Organizational Change Management
• Use a defined and documented process to identify and apply technology improvements at the infrastructure and application level that are beneficial to the organization
• The IS department is the focal point for such changes
46. 2.9.4 Financial Management Practices
• IS budgets:
  • Allow forecasting, monitoring and analyzing financial information
  • Should be linked to short- and long-term IT plans
• Software development:
  • Accounting standards require a detailed understanding of development efforts
47. 2.9.5 Quality Management
• One of the means by which IT department-based processes are controlled, measured and improved
• Areas of control for quality management may include:
  • Software development, maintenance and implementation
  • Acquisition of hardware and software
  • Day-to-day operations
  • Service management
  • Security
  • HR
• Various standards assist IS organizations in achieving quality
• The most prominent is ISO 9001:2008, Quality Management Systems
49. 2.9.7 Performance Optimization
• A process of improving information system productivity to the highest level possible without unnecessary additional investment in the IT infrastructure
• Critical Success Factors (CSF):
  • Used to create and facilitate action to improve performance and GEIT
• Methodologies and tools:
  • Various improvement and optimization tools are available, e.g. ITIL, COBIT, PDCA, Six Sigma etc.
51. 2.10.1 IS Roles and Responsibilities
• Organizational charts provide a clear definition of department’s hierarchy and authorities
• Job descriptions (JDs), RACI charts and workflow diagrams give IS department employees more complete and
clear direction regarding their roles and responsibilities
• IS auditor to observe and determine whether formal JDs and structures coincide with real ones and are
adequate
52. 2.10.2 Segregation of duties within IS
• Actual job titles and organizational structures vary greatly
• IS auditor to understand and determine the JDs, responsibilities and authorities, and assess the adequacy of
segregation of duties
• Duties to be segregated include, but are not limited to:
• Custody of assets
• Authorization
• Recording transactions
• When duties are segregated, access to the computer, production data, data library, production programs etc.
is limited, and the potential damage from the actions of one person is reduced
• IS auditor to understand the risk of combining functions
53. 2.10.3 Segregation of duties controls
• Transaction Authorization:
• Responsibility of the user department
• Periodic checks to be performed to detect unauthorized entry of transactions
• Custody of Assets:
• Data owner is usually assigned
• Access to data:
• Controls include a combination of physical, logical, system, application security
• Authorization forms:
• Define the access rights of each individual
• Access privileges to be reviewed periodically to ensure they are current and match user’s job functions
54. Compensating Controls for lack of
Segregation of duties
• Compensating control measures must exist to mitigate the risk resulting from lack of segregation of duties
• Audit Trails:
• Provide a map to retrace the flow of transaction
• Reconciliation
• Exception Reporting
• Transaction logs
• Supervisory reviews
• Independent reviews
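The two sides of segregation of duties described in 2.10.3 and in the compensating-controls slide above can both be checked mechanically: a preventive review of entitlements for toxic combinations and drift from the authorization forms, and a detective exception report over the transaction log (the audit trail). The script below is an added example, not code from the CISA course or the slides; the entitlement names, role baselines, user records and log entries are all constructed for illustration.

```python
"""Segregation-of-duties (SoD) checks for an access review.

Added example; not from the original CISA slides. The entitlement names,
user records and transaction log below are constructed for illustration.
"""

# Map each entitlement to the duty it confers (slide 52: custody of assets,
# authorization, recording of transactions).
DUTY_OF_ENTITLEMENT = {
    "ap_invoice_entry": "recording",
    "gl_journal_post": "recording",
    "ap_invoice_approve": "authorization",
    "payment_release": "custody",
    "vendor_master_edit": "custody",
}

# Any two of the three duties held by one person is a toxic combination.
TOXIC_PAIRS = {
    frozenset({"recording", "authorization"}),
    frozenset({"authorization", "custody"}),
    frozenset({"recording", "custody"}),
}

# Entitlements each job function should have (the authorization forms of
# slide 53); anything beyond this is excess to be justified or removed.
ROLE_BASELINE = {
    "ap_clerk": {"ap_invoice_entry"},
    "ap_manager": {"ap_invoice_approve"},
    "treasury": {"payment_release"},
}

# Constructed user records: role per HR, entitlements per the IAM export.
USERS = {
    "alice": {"role": "ap_clerk", "entitlements": {"ap_invoice_entry"}},
    "bob": {"role": "ap_clerk", "entitlements": {"ap_invoice_entry", "ap_invoice_approve"}},
    "carol": {"role": "treasury", "entitlements": {"payment_release", "gl_journal_post"}},
    "dave": {"role": "ap_manager", "entitlements": {"ap_invoice_approve"}},
}

# Constructed transaction log: who entered and who approved each invoice.
LOG = [
    {"txn": "INV-1001", "entered_by": "alice", "approved_by": "dave"},
    {"txn": "INV-1002", "entered_by": "bob", "approved_by": "bob"},
    {"txn": "INV-1003", "entered_by": "alice", "approved_by": "carol"},
]


def duties_of(entitlements):
    """Duties conferred by a set of entitlements."""
    return {DUTY_OF_ENTITLEMENT[e] for e in entitlements if e in DUTY_OF_ENTITLEMENT}


def sod_conflicts(entitlements):
    """Toxic duty pairs present in one person's entitlements, as sorted tuples."""
    held = duties_of(entitlements)
    return sorted(tuple(sorted(pair)) for pair in TOXIC_PAIRS if pair <= held)


def review_access(users):
    """Preventive check: SoD conflicts and drift from the role baseline per user."""
    findings = {}
    for name, rec in users.items():
        baseline = ROLE_BASELINE.get(rec["role"], set())
        actual = set(rec["entitlements"])
        findings[name] = {
            "conflicts": sod_conflicts(actual),
            "excess": sorted(actual - baseline),
            "missing": sorted(baseline - actual),
        }
    return findings


def exception_report(log, users):
    """Detective check over the audit trail: self-approvals, and approvals by
    someone who does not hold the authorization entitlement."""
    exceptions = []
    for rec in log:
        if rec["entered_by"] == rec["approved_by"]:
            exceptions.append((rec["txn"], "self-approval"))
        approver = users.get(rec["approved_by"])
        if approver is None or "ap_invoice_approve" not in approver["entitlements"]:
            exceptions.append((rec["txn"], "approver lacks authorization entitlement"))
    return exceptions


if __name__ == "__main__":
    for user, finding in review_access(USERS).items():
        print(user, finding)
    for txn, reason in exception_report(LOG, USERS):
        print(txn, reason)
```

Run against the constructed data, the review flags bob (recording plus authorization, and an approval entitlement his role does not justify) and carol (custody plus recording), while the exception report flags INV-1002 as a self-approval and INV-1003 as approved by someone without the approval entitlement. In a real review the baseline comes from the signed authorization forms and the log from the application's transaction journal; where a conflict cannot be removed (a small team, for example), the exception report is exactly the compensating control the slide calls for, provided someone independent reviews it.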
55. 2.11. Auditing IT Governance Structure and
Implementation
• Indicators of potential problems in the IS function that an IS auditor should look for:
• Excessive Costs
• Late Projects
• Inexperienced staff
• Lack of adequate training
• Poor motivation
• Unfavorable end-user attitudes
56. 2.11.1 Reviewing Documentation
• Documents to be reviewed include:
• IT Strategies, plans and budgets
• Security policy documentation
• Organizational/functional charts
• Job descriptions
• Steering Committee reports
• System development and program change procedures
• Operations procedures
• HR manuals
57. 2.11.2 Reviewing Contractual Commitments
• In reviewing a sample of contracts, IS auditor to evaluate the following:
• Service levels
• Right to audit or third party audit reporting
• Software escrow
• Penalties for non-compliance
• Contract change process
• Contract termination and associated penalties
• Protection of customer information
58. 2.12. Business Continuity Planning
• Purpose of BC/DR is to enable a business to continue offering critical services in the event of a
disruption and to survive disastrous disruption to activities
• First step is to identify the business processes of strategic and critical importance
• Risk Assessment is conducted
• Business Impact Analysis (BIA) is performed
• Determine the maximum tolerable downtime for a particular application and how much data loss is
acceptable
• BC/DR planning to address various aspects of business continuity and disaster recovery
• One or more plans to support the integrated BC/DR strategy
59. 2.12.1 IS Business Continuity Planning
• IS BCP to be aligned with corporate BCP and support the overall strategy
• Periodically test BCP plan to ensure it is relevant and up to date
60. 2.12.2 Disasters & Other Disruptive Events
• Disasters are disruptions that cause critical information resources to be inoperative for a period of time,
adversely impacting organizational operations
• Could last from a few minutes to several months
• Causes include:
• Natural calamities
• Failure of expected services, e.g. power, natural gas supply, telecommunications
• Human causes, e.g. errors, viruses, hacker attacks
61. Dealing with Damage to Image,
Reputation or Brand
• Rumors or negative public opinion can be costly
• Organization’s PR to play an important role in maintaining and improving the image, reputation of the
company
• Unanticipated/Unforeseeable Events
• Unforeseeable (black swan) events are those that come as a surprise to the observer, e.g. a storm in Abu Dhabi
63. 2.12.4 Business Continuity Policy
• Defines the scope and extent of the business continuity effort
• Should be proactive
• All possible controls to detect and prevent disruptions should be used
• Preventive and detective controls to reduce the likelihood of a disruption and corrective actions to mitigate
the consequences
66. 2.12.6 Business Impact Analysis (BIA)
• BIA to evaluate critical processes and to determine time frames, priorities, resources and interdependencies
• To perform BIA, one should obtain an understanding of the organization, key business processes
• Requires a high level of senior management support and extensive involvement of IT and end-user personnel
• Different approaches to perform BIA
• Questionnaire approach
• Interviews
• Group discussion and brainstorming
67. • Two important factors:
• RTO (Recovery Time Objective)
• RPO (Recovery Point Objective)
68. 2.12.7 Development of Business Continuity Plans
• Based on BIA and Risk Assessment, detailed BCP/DRP is developed
• Various factors to consider while developing/reviewing a plan:
• Evacuation procedures
• Incident response plan
• Procedures for declaring a disaster
• Roles and Responsibilities
• Step-by-step explanation of the recovery process
• Copies of the plan to be maintained offsite
69. 2.12.8 Other issues in Plan Development
• Management and user involvement is vital to the success of the execution of the BCP
• Three major divisions that require involvement in the formulation of BCP:
• Support services
• Business operations
• Information processing support
71. 2.12.10 Plan Testing
• Schedule BC tests at a time that will minimize disruptions to normal operations
• Address all critical components and simulate actual primetime processing conditions
• It must accomplish the following tasks:
• Verify the completeness and precision of BCP
• Evaluate the performance of the personnel involved
• Evaluate the coordination among the team, external vendors and suppliers
• Measure the overall performance of operational and IS processing activities related to maintaining the
business entity
72. • Test Execution phases:
• Pretest
• Test
• Posttest
• Business Continuity Management Best Practices:
• ISACA – COBIT
• BCI – Business Continuity Institute
• DRII – Disaster Recovery Institute International
73. 2.13. Auditing Business Continuity
• Auditor’s tasks include:
• Understanding & evaluating BC strategy and its connection to business objectives
• Reviewing the BIA findings to ensure that they reflect current business priorities and current
controls
• Evaluating RTO, RPO
• Evaluating offsite storage to ensure its adequacy
• Evaluating the ability of personnel to respond effectively in emergency situations
74. 2.13.1 Reviewing the Business Continuity Plan
• Review the documents
• Review the application(s) covered by the plan
• Review the business continuity team(s)
• Plan testing
75. 2.13.2 Evaluation of Prior Test Results
• BCP coordinator should maintain historical documentation of the results of prior BC tests
• IS auditor to review the results and determine whether corrective actions have been incorporated into the
plan
• Review to determine whether appropriate results were achieved
76. 2.13.3 Evaluation of Offsite Storage
• Evaluate to ensure presence, synchronization and currency of critical media and documentation
• Includes files, application software, systems software, backup media tapes, necessary supplies etc.
• Perform a detailed inventory review
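The RTO and RPO defined in 2.12.6, the auditor's task of evaluating them in 2.13, and the currency check on offsite media in 2.13.3 come together in one comparison: does the evidence (backup interval, age of the newest offsite copy, duration of the last restore test) actually support the objectives the BIA set? The script below is an added example, not code from the CISA course or the slides; the BIA figures, timestamps and test durations are constructed, and the fixed "as of" time exists only to make the run reproducible.

```python
"""Checking BIA recovery objectives (RTO/RPO) against recovery evidence.

Added example; not from the original CISA slides. The BIA entries, backup
intervals, offsite-copy timestamps and restore-test durations below are
constructed for illustration.
"""
from datetime import datetime

# BIA output per critical process: recovery time objective and recovery
# point objective, both in hours.
BIA = {
    "order_entry": {"rto_h": 4, "rpo_h": 1},
    "payroll": {"rto_h": 48, "rpo_h": 24},
    "crm_reporting": {"rto_h": 72, "rpo_h": 24},
}

# Evidence an auditor would collect: how often data is copied, when the
# newest copy was last verified at the offsite facility, and how long the
# most recent documented restore test took (None = never tested).
EVIDENCE = {
    "order_entry": {
        "backup_interval_h": 1,
        "last_offsite_copy": "2024-03-10T08:00:00",
        "last_restore_test_h": 6.5,
    },
    "payroll": {
        "backup_interval_h": 24,
        "last_offsite_copy": "2024-03-09T22:00:00",
        "last_restore_test_h": 30,
    },
    "crm_reporting": {
        "backup_interval_h": 168,
        "last_offsite_copy": "2024-02-01T00:00:00",
        "last_restore_test_h": None,
    },
}

# Fixed "now" (constructed) so the example is reproducible.
AS_OF = datetime(2024, 3, 10, 8, 30)


def evaluate(bia, evidence, now):
    """Return, per process, a list of (code, detail) findings."""
    findings = {}
    for proc, obj in bia.items():
        ev = evidence[proc]
        issues = []
        # RPO: worst-case data loss equals one full backup interval.
        if ev["backup_interval_h"] > obj["rpo_h"]:
            issues.append(("RPO_INTERVAL",
                           f"backup every {ev['backup_interval_h']}h exceeds RPO of {obj['rpo_h']}h"))
        # Offsite currency: the copy you would actually restore from must be
        # no older than the RPO, or replication has silently fallen behind.
        age_h = (now - datetime.fromisoformat(ev["last_offsite_copy"])).total_seconds() / 3600
        if age_h > obj["rpo_h"]:
            issues.append(("OFFSITE_STALE",
                           f"newest offsite copy is {age_h:.1f}h old, RPO is {obj['rpo_h']}h"))
        # RTO: an untested plan proves nothing; a tested one must fit the window.
        tested = ev["last_restore_test_h"]
        if tested is None:
            issues.append(("RTO_UNTESTED", "no documented restore test"))
        elif tested > obj["rto_h"]:
            issues.append(("RTO_EXCEEDED",
                           f"last restore took {tested}h, RTO is {obj['rto_h']}h"))
        findings[proc] = issues
    return findings


def recovery_order(bia):
    """Recovery sequence implied by the BIA: shortest RTO first, then RPO."""
    return sorted(bia, key=lambda p: (bia[p]["rto_h"], bia[p]["rpo_h"]))


if __name__ == "__main__":
    print("recovery order:", recovery_order(BIA))
    for proc, issues in evaluate(BIA, EVIDENCE, AS_OF).items():
        print(proc, issues or "OK")
```

On the constructed data, order_entry meets its RPO but its last restore test ran longer than the 4-hour RTO; payroll is clean; crm_reporting fails on all three counts (weekly backups against a 24-hour RPO, an offsite copy more than a month old, and no restore test at all). The point for the auditor is that a plan document stating an RTO is not evidence: the prior test results (2.13.2) and the offsite inventory (2.13.3) are what show whether the objectives are achievable, and a stale offsite copy can breach the RPO even when the backup schedule on paper is adequate.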
77. 2.13.4 Interviewing key personnel
• IS auditor to interview key personnel required for the successful recovery of business operations
• To review and verify all key personnel have an understanding of their assigned responsibilities as well as
up-to-date detailed documentation describing their tasks
78. 2.13.5 Evaluation of security at Offsite Facility
• Evaluate to ensure that it has physical and environmental access controls
• Evaluate the security requirements of media transportation
80. 2.13.7 Reviewing Insurance Coverage
• Coverage for media damage, business interruption, equipment replacement and business continuity
processing should be reviewed for adequacy
83. Self-Assessment Questions
1. Which of the following would be included in an IS strategic plan?
a) Specifications for planned hardware purchases
b) Analysis of future business objectives
c) Target dates for development projects
d) Annual budgetary targets for the IS department
84. Self-Assessment Questions
2. What is considered the MOST critical element for the successful
implementation of an IS program?
a) An effective ERM framework
b) Senior management commitment
c) An adequate budgeting process
d) Meticulous program planning
85. Self-Assessment Questions
3. An IS auditor should ensure that IT governance performance measures:
a) Evaluate the activities of IT oversight committees
b) Provide strategic IT drivers
c) Adhere to regulatory reporting standards and definitions
d) Evaluate the IT department
86. Answers
1. (b) Analysis of future business objectives
2. (b) Senior management commitment
3. (a) Evaluate the activities of IT oversight committees