This document provides an overview of topics covered in a CISA review course, including IT governance, corporate governance, governance of enterprise IT, risk management, information security management practices, auditing IT governance structure and implementation, and business continuity planning. The document defines key concepts, best practices, standards, and approaches for each topic. It also outlines the roles and responsibilities of various committees, policies, procedures, and other elements involved in effectively governing enterprise IT.

1. 2016 CISA ® Review Course
Hafiz Sheikh Adnan Ahmed – CISA, COBIT 5, ISO 27001 LA
[PECB Certified Trainer]

2. Quick Reference Review
• IT Governance
• Governance of Enterprise IT
• Roles and Responsibilities of IT Steering Committee
• Governance of Information Security
• Risk Management
• Management Processes
• Segregation of duties
• Business Continuity & Disaster Recovery

3. 2.2. Corporate Governance
• A system by which business operations are directed and controlled
• A set of responsibilities and practices used by an organization’s management to provide
strategic direction, ensuring that goals are achievable, risks are properly addressed and
organizational resources are properly utilized
• A set of relationships between a company’s management, its board, its shareholders and
other stakeholders
• Provides a structure through which the objectives of the company are set, and the means
of attaining those objectives and monitoring performance are determined

4. 2.3. Governance of Enterprise IT (GEIT)
• GEIT implies a system in which all stakeholders provide input into a decision-
making process
• GEIT is the responsibility of board of directors and executive management
• Purpose is to direct IT endeavors to ensure that IT performance meets the
objectives of aligning IT with the enterprise’s objectives & the realization of
promised benefits
• A key element of GEIT is the alignment of business & IT

5. 2.3.1 Best practices for GEIT
• COBIT 5:
• A framework developed by ISACA to ensure that: IT is aligned with the business, IT enables the
business and maximizes benefits, IT resources are used responsibly, & IT risks are appropriately
managed.
• Provides tools to assess and measure performance of 37 processes
• ISO/IEC 27001:
• Provide guidance in implementing & maintaining information security programs
• ITIL:
• Deals with operational service management of IT

6. • IT Baseline Protection Catalogs:
• Documents for detecting and combating security weak points in IT environment. Over 3000
pages
• Information Security Management Maturity Model (ISM3):
• Process model for security.
• AS8015-2005:
• Australian standard for corporate governance of information & communication technology
• Later adopted as ISO/IEC 38500
• ISO/IEC 20000:
• Specification for IT Service Management, aligned with ITIL

9. Audit Role in GEIT
• Provide recommendations to senior management to help improve the quality & effectiveness of
the IT governance initiatives implemented
• Helps ensure compliance with GEIT initiatives
• Assess Enterprise Governance & GEIT are aligned
• Ensure alignment of IS function with organization’s mission, vision, values, objectives and strategies
• Ensure Legal, regulatory, environmental, security and privacy requirements
• The inherent risks within the IS environment

10. 2.3.2 IT Governing Committees

11. 2.3.3 IT Balanced Scorecard (BSC)
• A process management evaluation technique in assessing IT functions & processes
• Measures customer satisfaction, internal processes and the ability to innovate
• A three-layered structure in addressing 4 perspectives:
• Mission
• Strategies
• Measures
• Sources
• Most effective method to aid the IT strategy committee and management in achieving IT
governance through proper IT & business alignment

13. 2.3.4 Information Security Governance
• IS Governance part of IT Governance
• Consists of:
• CIA of Information
• Continuity of services
• Protection of information assets
• Responsibility of Board of Directors and executive management
• Outcomes include:
• Strategic Alignment
• Risk management compliance
• Value delivery

14. Effective IS Governance
• IS Governance is a subset of corporate governance that provides strategic direction for security
activities and ensures that objectives are achieved
• Ensure IS risks are managed and enterprise resources are used responsibly
• To achieve effective IS governance, management to establish and maintain a framework to guide
the development & management of a comprehensive IS program that supports business objectives
• The framework includes, but is not limited to:
• A comprehensive security strategy linked with corporate strategy and business objectives
• Policies, procedures and guidelines
• An effective organizational security structure
• Monitoring processes to ensure compliance

16. 2.3.5 Enterprise Architecture (EA)
• EA involves documenting and organization’s IT assets in a structured manner to facilitate
understanding, management and planning for IT investments
• Involves both a current state and an optimized future state representation
• The framework for EA, introduced by John Zachman

17. 2.4.1 Strategic Planning
• Long term direction an enterprise wants to take in leveraging IT for improving its business
processes
• Generally three to five years plan
• IS Steering Committee and Strategy Committee play a key role in in development &
implementation of plans
• IS auditor to pay full attention to the importance of IT strategic planning
• IS auditor must focus on the importance of strategic planning process
• IT strategic plans be synchronized with overall business strategy

18. 2.4.2 Steering Committee
• Oversee the IS functions and activities
• Committee includes representatives of Senior Management, business, departments, & IT
• Duties and responsibilities defined in a formal charter
• Not usually involved in operational activities
• Review long and short term plans of IS department to ensure they are aligned with corporate
objectives
• Approve and monitor major projects
• Review and approve major acquisitions
• Review adequacy of resources

19. 2.5. Maturity & Process Improvement Models
• Various models such as CMMI, IDEAL, COBIT
• COBIT PAM:
• A reference document for conducting capability assessments
• Aligned with ISO/IEC 15504-2
• Uses process capability and process performance indicators to determine process attributes
• IDEAL:
• Initiate, Diagnose, Establish, Act, Learn
• A process improvement program

20. 2.6. IT Investment & Allocation Practices
• IT’s value determined by the relationship between the costs and benefits
• The larger the benefit in relation to cost, the greater the value of IT project
• Implementation methods include:
• Risk profile analysis
• Diversification of projects
• Infrastructure and technologies
• Continuous alignment with business goals
• Continuous improvement

21. 2.7.1 Policies
• High-level documents that represent the corporate philosophy of the organization
• Must be clear and concise
• Divisions and departments may define their low-level policies
• Management to review policies periodically
• IS auditors to consider policies as part of the audit scope
• Ensure policies of the third parties or outsourcers are not in conflict with enterprise’s policies

22. Information Security Policy
• Security policy is the first step towards building the security infrastructure
• The cost of control should NOT exceed the expected benefit to be derived
• Must be approved by senior management
• The ISO/IEC 27001 standard may be considered as a benchmark for the content covered by IS
policy
• Definition of information security, objectives, scope, importance to the organization
• Alignment of Information security with business objectives and goals
• Brief explanation of policies and procedures and compliance requirements
• Roles and responsibilities of the personnel involved
• References to documentation which may support the policy

23. • IS policy to be communicated throughout the organization
• Must be accessible and understandable to the intended user
• Organizations may document IS policies as a set of policies. For example:
• High-level Information Security Policy
• Data Classification Policy
• Acceptable Use Policy
• End-User Computing Policy
• Access Control Policy

24. Acceptable Use Policy (AUP)
• Defines a set of guidelines how to use information system resources
• Explains acceptable computer use
• Must be clear and concise
• Clearly defines what sanctions will be applied if the user fails to comply with the AUP
• Compliance to be measured by regular audits
• Most common part of AUP is Acceptable Internet Usage Policy

25. Review of Information Security Policy
• Should be reviewed at planned intervals to ensure suitability, adequacy and effectiveness
• Review should include assessing opportunities for improvement to the organization’s IS policy
• To be reviewed by management while considering the feedback and inputs from:
• Stakeholders
• Interested parties
• Previous results of management reviews
• Trends related to threats and vulnerabilities
• Reported information security incidents
• Recommendations from relevant authorities

26. 2.7.2 Procedures
• Documented, defined steps for achieving policy objectives
• Must be derived from the parent policy
• Must be written in clear and concise manner and must be easily understood
• Document business processes and embedded controls
• More dynamic than respective parent policies

27. 2.8. Risk Management
• A process of identifying vulnerabilities and threats to the information resources used by an
organization in achieving business objectives and deciding what countermeasures to take in
reducing risk to an acceptable level (i.e. residual risk), based on the value of the information
resource to the organization
• Begins with the clear understanding of the organization’s appetite for risk
• RM includes identifying, analyzing, evaluating, treating, monitoring and communicating the impact
of risk on IT processes

28. • Risk treatment includes:

29. 2.8.1 Developing a Risk Management Program
• Establish the purpose:
• Determine the purpose for creating the risk management program
• Define KPIs to determine the effectiveness
• Senior management, BODs, set the tone and goals for the Risk Management Program
• Assign responsibility for the RM plan:
• Designate a team or an individual responsible for developing and implementing the risk management
program
• Integrate Risk Management within all levels of the organization

30. 2.8.2 Risk Management Process
• The key management practices include:
• Collect data
• Analyze risk
• Maintain a risk profile
• Articulate risk
• Define a risk management action portfolio
• Respond to risk

31. • Threats: Any circumstance or event with the potential to cause harm to an information resource
• Errors, Malicious Damage, Fraud, Theft, Software Failure etc.
• Vulnerability: Characteristics of information resources that can be exploited by a threat or a harm
• Lack of user knowledge, Lack of security functionality, Untrusted technology etc.
• Impact: The result of a threat agent exploiting a vulnerability
• Direct loss of money, Breach of Legislation, Loss of Reputation etc.
• Risk: Probability of Occurrence * Magnitude of Impact
• Risk is proportional to estimated likelihood of the threat and the value of loss/damage

32. 2.8.3 Risk Analysis Methods
• Qualitative Analysis:
• Use word or descriptive rankings to describe impact or likelihood
• Simplest and most frequently used method
• Based on checklists and subjective risk ratings like High, Medium, Low
• Semi quantitative Analysis:
• Rankings are associated with numeric scale
• Normally used when it is not possible to utilize a quantitative method or to reduce subjectivity in qualitative
methods
• E.g. “High” may be given “5”; “Medium” may be given “3”; “Low” may be given “1”
• Quantitative Analysis:
• Use numeric values to describe impact or likelihood
• Usually performed during BIA

33. 2.9. Information Systems Management
Practices
• Reflect the implementation of policies and procedures developed for various IS-related
management activities
• Management activities to review the policy/procedure formulations and their effectiveness within
the IS department

34. 2.9.1 Human Resource Management
• HR management relates to organizational policies and procedures for:
• Recruiting
• Selecting
• Training
• Promoting staff
• Measuring staff performance, disciplining staff, success planning, and staff retention
• Termination

35. 2.9.2 Sourcing Practices
• Sourcing practices relate to the way in which the organization obtain the IS functions required to support the
business
• This may include:
• Insourced – Fully performed by organization’s staff
• Outsourced – Fully performed by the vendor’s staff
• Hybrid – Performed by a mix of organization’s and vendor’s staff
• IS functions can be performed across the globe:
• Onsite – Staff work onsite in the IS department
• Offsite – Also known as near-shore, staff work at a remote location in the same geographic location
• Offshore – Staff work in remote location in a different geographic location

36. • Reasons for Outsourcing:
• A desire to focus on core activities
• Pressure on profit margins
• Increasing competition that demands cost savings
• Flexibility with respect to both organizations and structure
• Enterprise to consider outsourcing provisions in the contracts including security clauses

38. Industry Standards / Benchmarking /
Global Practices
• Organizations to adhere to a well-defined set of standards
• Legal, regulatory and tax issues
• Cross-Border and Cross-Cultural issues
• Telecommunication issues

39. Governance in Outsourcing
• Governance of outsourcing is the set of Roles and Responsibilities, objectives, interfaces, and controls
required to anticipate change

40. Service Delivery
• Service delivery by a third party includes agreed on security agreements, service definitions, and aspects of
service management
• Ensure agreed on service continuity levels are maintained following major service failures or disaster

41. Monitoring & Review ofThird-Party Services
• Monitor the services provided by third party
• Audits to be carried out regularly
• Ensure information security terms and conditions of the agreements are being adhered to and managed
properly

42. Cloud Governance
• Organization to maintain sufficient control and visibility into all security aspects for sensitive or critical
information
• Ensure to retain visibility in security activities such as change management, identification of vulnerabilities
and information security incident reporting

43. Managing Changes toThird-Party Services

44. Service Improvement & User Satisfaction
• Organizations to set service improvement expectations into the contracts with associated penalties and
rewards
• Service improvements to be agreed on by users and IT with the goals of improving user satisfaction and
attaining business objectives
• Service improvements to be monitored by interviewing and surveying users

45. 2.9.3 Organizational Change Management
• Use a defined and documented process to identify and apply technology improvements at the infrastructure
and application level that are beneficial to the organization
• IS department is the focal point for such changes

46. 2.9.4 Financial Management Practices
• IS Budgets:
• Allows forecasting, monitoring and analyzing financial information
• Should be linked to short-and-long term IT plans
• Software Development:
• Accounting standards require to have a detailed understanding of development efforts

47. 2.9.5 Quality Management
• One of the means by which IT department-based processes are controlled, measured and improved
• Areas of control for quality management may include:
• Software development, maintenance and implementation
• Acquisition of hardware and software
• Day-to-day operations
• Service management
• Security
• HR
• Various standards to assist IS organizations in achieving quality
• Most prominent is ISO 9001:2008, Quality Management Systems

48. 2.9.6 Information Security Management
• Includes BIA, BCP & DRP
• Major component is risk management

49. 2.9.7 Performance Optimization
• A process of improving information system productivity to the highest level possible without necessary,
additional investment in the IT infrastructure
• Critical Success Factors (CSF):
• Used to create and facilitate action to improve performance and GEIT
• Methodologies and Tools:
• Various improvement and optimization tools available. E.g. ITIL, COBIT, PDCA, Six Sigma etc.

50. 2.10. IS Organizational Structure &
Responsibilities

51. 2.10.1 IS Roles and Responsibilities
• Organizational charts provide a clear definition of department’s hierarchy and authorities
• JDs, RACI charts, workflow diagrams provide IS department employees a more complete and clear direction
regarding their R&R
• IS auditor to observe and determine whether formal JDs and structures coincide with real ones and are
adequate

52. 2.10.2 Segregation of duties within IS
• Actual job titles and organizational structures vary greatly
• IS auditor to understand and determine the JDs, responsibilities and authorities, and assess the adequacy of
segregation of duties
• Duties to be segregated include, but is not limited to:
• Custody of assets
• Authorization
• Recording transactions
• When duties are segregated, access to computer, production, data library, production programs etc. are
limited, and potential damage from the actions of one person is reduced
• IS auditor to understand the risk of combining functions

53. 2.10.3 Segregation of duties controls
• Transaction Authorization:
• Responsibility of the user department
• Periodic checks to be performed to detect unauthorized entry of transactions
• Custody of Assets:
• Data owner is usually assigned
• Access to data:
• Controls include a combination of physical, logical, system, application security
• Authorization forms:
• Define the access rights of each individual
• Access privileges to be reviewed periodically to ensure they are current and match user’s job functions

54. Compensating Controls for lack of
Segregation of duties
• Compensating control measures must exist to mitigate the risk resulting from lack of segregation of duties
• Audit Trails:
• Provide a map to retrace the flow of transaction
• Reconciliation
• Exception Reporting
• Transaction logs
• Supervisory reviews
• Independent reviews

55. 2.11. Auditing IT Governance Structure and
Implementation
• Problems IS auditors may face when auditing IS function:
• Excessive Costs
• Late Projects
• Inexperienced staff
• Lack of adequate training
• Poor motivation
• Unfavorable end-user attitudes

56. 2.11.1 Reviewing Documentation
• Documents to be reviewed include:
• IT Strategies, plans and budgets
• Security policy documentation
• Organizational/functional charts
• Job descriptions
• Steering Committee reports
• System development and program change procedures
• Operations procedures
• HR manuals

57. 2.11.2 Reviewing Contractual Commitments
• In reviewing a sample of contracts, IS auditor to evaluate the following:
• Service levels
• Right to audit or third party audit reporting
• Software escrow
• Penalties for non-compliance
• Contract change process
• Contract termination and associated penalties
• Protection of customer information

58. 2.12. Business Continuity Planning
• Purpose of BC/DR is to enable a business to continue offering critical services in the event of a
disruption and to survive disastrous disruption to activities
• First step is to identify the business processes of strategic and critical importance
• Risk Assessment is conducted
• Business Impact Analysis (BIA) is performed
• Determine the maximum downtime possible for a particular application and how much data could be
lost
• BC/DR planning to address various aspects of business continuity and disaster recovery
• One ore more plans to support the integrated BC/DR strategy

59. 2.12.1 IS Business Continuity Planning
• IS BCP to be aligned with corporate BCP and support the overall strategy
• Periodically test BCP plan to ensure it is relevant and up to date

60. 2.12.2 Disasters & Other Disruptive Events
• Disasters are disruptions that cause critical information resources to be inoperative for a period of time,
adversely impacting organizational operations
• Could be few minutes to several months
• Reasons include:
• Natural calamities
• Expected services e.g. power failure, natural gas supply, telecommunications
• Human errors e.g. viruses, hacker attacks

61. Dealing with Damage to Image,
Reputation or Brand
• Rumors or negative public opinion can be costly
• Organization’s PR to play an important role in maintaining and improving the image, reputation of the
company
• Unanticipated/Unforeseeable Events
• Unforeseeable (black swan) events are those that are a surprise to the observer e.g. Storm in Abu Dhabi

62. 2.12.3 Business Continuity Planning Process

63. 2.12.4 Business Continuity Policy
• Defines the scope and extent of the business continuity effort
• Should be proactive
• All possible controls to detect and prevent disruptions should be used
• Preventive and detective controls to reduce the likelihood of a disruption and corrective actions to mitigate
the consequences

65. 2.12.5 BCP Incident Management

66. 2.12.6 Business Impact Analysis (BIA)
• BIA to evaluate critical processes and to determine time frames, priorities, resources and interdependencies
• To perform BIA, one should obtain an understanding of the organization, key business processes
• Requires a high level of senior management support and extensive involvement of IT and end-user personnel
• Different approaches to perform BIA
• Questionnaire approach
• Interviews
• Group discussion and brainstorming

67. • Two important factors:
• RTO (Recovery Time Objective)
• RPO (Recovery Point Objective)

68. 2.12.7 Development of Business Continuity Plans
• Based on BIA and Risk Assessment, detailed BCP/DRP is developed
• Various factors to consider while developing/reviewing a plan:
• Evacuation procedures
• Incident response plan
• Procedures for declaring a disaster
• Roles and Responsibilities
• Step-by-step explanation of the recovery process
• Copies of the plan to be maintained offsite

69. 2.12.8 Other issues in Plan Development
• Management and user involvement is vital to the success of the execution of the BCP
• Three major divisions that require involvement in the formulation of BCP:
• Support services
• Business operations
• Information processing support

70. 2.12.9 Components of a BC Plan

71. 2.12.10 PlanTesting
• Schedule BC tests at a time that will minimize disruptions to normal operations
• Address all critical components and simulate actual primetime processing conditions
• It must accomplish the following tasks:
• Verify the completeness and precision of BCP
• Evaluate the performance of the personnel involved
• Evaluate the coordination among the team, external vendors and suppliers
• Measure the overall performance of operational and IS processing activities related to maintaining the
business entity

72. • Test Execution phases:
• Pretest
• Test
• Posttest
• Business Continuity Management Best Practices:
• ISACA – COBIT
• BCI – Business Continuity Institute
• DRII – Disaster Recovery Institute International

73. 2.13. Auditing Business Continuity
• Auditor’s tasks include:
• Understanding & evaluating BC strategy and its connection to business objectives
• Reviewing the BIA findings to ensure that they reflect current business priorities and current
controls
• Evaluating RTO, RPO
• Evaluating offsite storage to ensure its adequacy
• Evaluating the ability of personnel to respond effectively in emergency situations

74. 2.13.1 Reviewing the Business Continuity Plan
• Review the documents
• Review the application(s) covered by the plan
• Review the business continuity team(s)
• Plan testing

75. 2.13.2 Evaluation of PriorTest Results
• BCP coordinator should maintain historical documentation of the results of prior BC tests
• IS auditor to review the results and determine whether corrective actions have been incorporated into the
plan
• Review to determine whether appropriate results were achieved

76. 2.13.3 Evaluation of Offsite Storage
• Evaluate to ensure presence, synchronization and currency of critical media and documentation
• Includes files, application software, systems software, backup media tapes, necessary supplies etc.
• Perform a detailed inventory review

77. 2.13.4 Interviewing key personnel
• IS auditor to interview key personnel required for the successful recovery of business operations
• To review and verify all key personnel have an understanding of their assigned responsibilities as well as
up-to-date detailed documentation describing their tasks

78. 2.13.5 Evaluation of security at Offsite Facility
• Evaluate to ensure that it has physical and environmental access controls
• Evaluate the security requirements of media transportation

79. 2.13.6 Reviewing Alternative Processing Contract

80. 2.13.7 Reviewing Insurance Coverage
• Coverage for media damage, business interruption, equipment replacement and business continuity
processing should be reviewed for adequacy

83. Self-Assessment Questions
1. Which of the following would be included in an IS strategic plan?
a) Specifications for planned hardware purchases
b) Analysis of future business objectives
c) Target dates for development projects
d) Annual budgetary targets for the IS department

84. Self-Assessment Questions
2. What is considered the MOST critical element for the successful
implementation of an IS program?
a) An effective ERM framework
b) Senior management commitment
c) An adequate budgeting process
d) Meticulous program planning

85. Self-Assessment Questions
3. An IS auditor should ensure that IT governance performance measures:
a) Evaluate the activities of IT oversight committees
b) Provide strategic IT drivers
c) Adhere to regulatory reporting standards and definitions
d) Evaluate the IT department

86. Answers
1. (b) Analysis of future business objectives
2. (b) Senior management commitment
3. (a) Evaluate the activities of IT oversight committees