Chapter 2

2012 CISA Review Course

Module 2
IT Governance

• IT governance, one of the domains of enterprise governance, comprises
the body of issues addressed in considering how IT is applied within the
enterprise.
• Fundamentally, IT governance is concerned with two
issues: that IT delivers value to the business and that
IT risks are managed. The first is driven by strategic
alignment of IT with the business. The second is
driven by embedding accountability into the
enterprise.
2.4.1 Best Practices for IT Governance
(continued)

IT governance has become significant due to:
• Business demands for better return from IT investments
• Concern over increasing level of IT expenditures
• Need to meet regulatory requirements for IT controls in areas
such as privacy and financial reporting
• Selection of service providers and outsourcing
• Complexity of network security
• Adoption of control frameworks
• Benchmarking
2.4.1 Best Practices for IT Governance
(continued)

Audit role in IT governance
• Audit plays a significant role in the successful
implementation of IT governance within an organization
• Reporting on IT governance involves auditing at the
highest level in the organization and may cross division,
functional or departmental boundaries
2.4.2 IT Strategy Committee
• The creation of an IT strategy committee is an industry best
practice
• Committee should broaden its scope to include not only
advice on strategy when assisting the board in its IT
governance responsibilities, but also to focus on IT value, risks
and performance
2.4.4 Information Security Governance
• Focused activity with specific value drivers
– Confidentiality, integrity and availability of information
– Continuity of services
– Protection of information assets
• Integral part of IT governance
• Importance of information security governance
2.4.4 Information Security Governance (continued)

Importance of information security governance
• Information security (Infosec) covers all information processes,
physical and electronic, regardless of whether they involve
people and technology or relationships with trading partners,
customers and third parties.
• Infosec is concerned with all aspects of information and its
protection at all points of its life cycle within the organization.
2.4.4 Information Security Governance (continued)
Effective information security can add significant value
to an organization by:
• Providing greater reliance on interactions with trading
partners
• Improving trust in customer relationships
• Protecting the organization’s reputation
• Enabling new and better ways to process electronic
transactions
2.4.4 Information Security Governance (continued)

Information security governance requires strategic direction and
impetus from:
• Boards of directors / senior management
• Executive management
• Steering committees
• Chief information security officers
2.4.5 Enterprise Architecture

• Involves documenting an organization’s IT assets in a structured
manner to facilitate understanding, management and planning for IT
investments
2.5.1 Strategic Planning
• From an IS standpoint, strategic planning relates to the
long-term direction an organization wants to take in
leveraging information technology for improving its
business processes
• Effective IT strategic planning involves a consideration of
the organization’s demand for IT and its IT supply capacity
2.5.1 Strategic Planning (continued)

• The IS auditor should pay attention to the importance of IT
strategic planning
• Focus on the importance of a strategic planning process or
planning framework
• Consider how the CIO or senior IT management are
involved in the creation of the overall business strategy
2.5.2 Steering Committee
• An organization’s senior management should appoint a
planning or steering committee to oversee the IS function and
its activities
• A high-level steering committee for information technology is
an important factor in ensuring that the IS department is in
harmony with the corporate mission and objectives
2.8.1 Policies

• High-level documents
• Represent the corporate philosophy of an organization
• Must be clear and concise to be effective
2.8.1 Policies (continued)
• Management should review all policies carefully
• Policies need to be updated to reflect new technology and
significant changes in business processes
• Policies formulated must enable achievement of business
objectives and implementation of IS controls
2.8.1 Policies (continued)
Information security policies
• Communicate a coherent security standard to users,
management and technical staff
• Must balance the level of control with the level of productivity
• Provide management the direction and support for
information security in accordance with business
requirements, relevant laws and regulations
2.8.1 Policies (continued)

Information security policy document
• Definition of information security
• Statement of management intent
• Framework for setting control objectives
• Brief explanation of security policies
• Definition of responsibilities
• References to documentation
2.8.1 Policies (continued)

Policy groups to be addressed
• High-level information security policy
• Data classification policy
• Acceptable usage policy
• End user computing policy
• Access control policies
2.8.1 Policies (continued)
Review of the information security policy
document
• Should be reviewed at planned intervals or when significant
changes occur to ensure its continuing suitability, adequacy
and effectiveness
• Should have an owner who has approved management
responsibility for the development, review and evaluation of
the security policy
• Review should include assessing opportunities for
improvement to the organization’s information security policy
2.8.2 Procedures

Procedures are detailed documents that:
• Define and document implementation policies
• Must be derived from the parent policy
• Must implement the spirit (intent) of the policy statement
• Must be written in a clear and concise manner
2.9 Risk Management

The process of identifying vulnerabilities and threats to the
information resources used by an organization in achieving business
objectives
2.9.1 Developing a Risk Management Program

To develop a risk management program:
• Establish the purpose of the risk management program
• Assign responsibility for the risk management plan
2.9.2 Risk Management Process
• Identification and classification of information resources
or assets that need protection
• Assess threats and vulnerabilities and the likelihood of
their occurrence
• Once the elements of risk have been established they are
combined to form an overall view of risk
2.10.1 HR Management
• Hiring
• Employee handbook
• Promotion policies
• Training
• Scheduling and time reporting
• Employee performance evaluations
• Required vacations
• Termination policies
2.10.2 Sourcing Practices
• Sourcing practices relate to the way an organization
obtains the IS function required to support the business
• Organizations can perform all IS functions in-house or
outsource all functions across the globe
• Sourcing strategy should consider each IS function and
determine which approach allows the IS function to meet
the organization’s goals
2.10.3 Organizational Change Management

What is change management?
• Managing IT changes for the organization
– Identify and apply technology improvements at the infrastructure
and application level
2.10.4 Financial Management Practices

What is financial management?
• Financial management is a critical element of all business
functions. In a cost-intensive computer environment, it is
imperative that sound financial management practices are in place.
2.10.5 Quality Management
• Software development, maintenance and implementation
• Acquisition of hardware and software
• Day-to-day operations
• Service management
• Security
• Human resource management
• General administration
2.10.7 Performance Optimization
• Process driven by performance indicators
• Optimization refers to the process of improving the
productivity of information systems to the highest level
possible without unnecessary, additional investment in
the IT infrastructure
2.11 IS Organizational Structure and Responsibilities
2.11.1 IS Roles and Responsibilities

• Systems development manager
• Help desk
• End user
• End user support manager
2.11.1 IS Roles and Responsibilities
(continued)

• Data management
• Quality assurance manager
• Vendor and outsourcer management
• Operations manager
2.11.1 IS Roles and Responsibilities
(continued)

• Media management
• Data entry
• Systems administration
2.11.1 IS Roles and Responsibilities
(continued)

• Security administration
• Quality assurance
• Database administration
2.11.1 IS Roles and Responsibilities
(continued)

• Systems analyst
• Applications development and maintenance
• Infrastructure development and maintenance
• Network management
2.11.2 Segregation of Duties Within IS

• Avoids possibility of errors or misappropriations
• Discourages fraudulent acts
• Limits access to data
2.11.3 Segregation of Duties Controls

Control measures to enforce segregation of duties include:
• Transaction authorization
• Custody of assets
• Access to data
– Authorization forms
– User authorization tables
2.11.3 Segregation of Duties Controls (continued)

Compensating controls for lack of segregation of duties include:
• Audit trails
• Reconciliation
• Exception reporting
• Transaction logs
• Supervisory reviews
• Independent reviews
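The authorization-table control above and the compensating controls on this slide are what an IS auditor actually tests when reviewing segregation of duties: export the user authorization table, test every user's combined functions against a conflict matrix, and produce an exception report that says whether each conflict is covered by a compensating control. The script below is an added example for this review material, not code from ISACA or the CISA course. The conflict pairs, the function and role names, the authorization table and the compensating-control register are all constructed for illustration; in a real review they would be exported from the access-control system and the organization's control register.

```python
"""Segregation-of-duties (SoD) check over a user authorization table.

Added example for this review material, not code from ISACA or the CISA
course. CONFLICTS, AUTH_TABLE and COMPENSATING are constructed data.
"""
from collections import defaultdict
from itertools import combinations

# Constructed SoD rule set: pairs of functions that one person should not
# hold together (transaction authorization vs. custody of assets,
# development vs. production deployment, and so on). Names are assumptions.
CONFLICTS = {
    frozenset({"authorize_payment", "create_vendor"}),
    frozenset({"authorize_payment", "release_payment"}),
    frozenset({"develop_code", "deploy_production"}),
    frozenset({"security_admin", "system_admin"}),
}

# Constructed user authorization table: (user, role, function granted).
AUTH_TABLE = [
    ("alice", "ap_clerk", "create_vendor"),
    ("alice", "ap_manager", "authorize_payment"),
    ("bob", "developer", "develop_code"),
    ("bob", "release_mgr", "deploy_production"),
    ("carol", "treasury", "release_payment"),
    ("dave", "developer", "develop_code"),
]

# Constructed register of compensating controls in place, keyed by user.
COMPENSATING = {
    "bob": ["supervisory review of each production deployment",
            "weekly transaction log review by the operations manager"],
}


def functions_by_user(table):
    """Collapse the authorization table into user -> {function: set(roles)}."""
    by_user = defaultdict(dict)
    for user, role, func in table:
        by_user[user].setdefault(func, set()).add(role)
    return by_user


def find_sod_violations(table, conflicts):
    """Return (user, function_a, function_b) for every conflicting pair held.

    Conflicts are tested across all of a user's roles, not within one role:
    two individually harmless roles combined are what defeat segregation.
    """
    violations = []
    for user, funcs in functions_by_user(table).items():
        for a, b in combinations(sorted(funcs), 2):
            if frozenset((a, b)) in conflicts:
                violations.append((user, a, b))
    return violations


def exception_report(table, conflicts, compensating):
    """Exception report: each violation, the roles granting it, and whether
    a compensating control is recorded for that user."""
    by_user = functions_by_user(table)
    report = []
    for user, a, b in find_sod_violations(table, conflicts):
        controls = compensating.get(user, [])
        report.append({
            "user": user,
            "conflict": (a, b),
            "roles": sorted(by_user[user][a] | by_user[user][b]),
            "status": "compensated" if controls else "uncompensated",
            "compensating_controls": list(controls),
        })
    return report


if __name__ == "__main__":
    for row in exception_report(AUTH_TABLE, CONFLICTS, COMPENSATING):
        print(f"{row['user']}: {row['conflict'][0]} + {row['conflict'][1]} "
              f"via {row['roles']} -> {row['status']}")
```

On the constructed data the report flags alice (authorize_payment and create_vendor through two separate roles, no compensating control recorded) and bob (develop_code and deploy_production, covered by supervisory review and log review); carol and dave hold no conflicting pair. The auditor's follow-up is to confirm that the recorded compensating controls actually operate, since a control listed in a register is evidence of intent, not of effectiveness.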
2.12 Auditing IT Governance Structure and Implementation

Indicators of potential problems include:
• Unfavorable end-user attitudes
• Excessive costs
• Budget overruns
• Late projects
• High staff turnover
• Inexperienced staff
• Frequent hardware/software errors
2.12.1 Reviewing Documentation
The following documents should be reviewed:
• IT strategies, plans and budgets
• Security policy documentation
• Organization/functional charts
• Job descriptions
• Steering committee reports
• System development and program change procedures
• Operations procedures
• Human resource manuals
• Quality assurance procedures
2.13 Business Continuity Planning

• Business continuity planning (BCP) is a process designed to reduce
the organization’s business risk
• A BCP is much more than just a plan for the information
systems
2.13 Business Continuity Planning (continued)

Corporate risks could cause an organization to suffer:
• Inability to maintain critical customer services
• Damage to market share, reputation or brand
• Failure to protect the company assets including intellectual
properties and personnel
• Business control failure
• Failure to meet legal or regulatory requirements
2.13.1 IS Business Continuity

IS processing is of strategic importance
• Critical component of overall BCP
• Most key business processes depend on the availability of key
systems and infrastructure components
2.13.2 Disasters and Other Disruptive Events

• Disasters are disruptions that cause critical information resources
to be inoperative for a period of time
• Good BCP will take into account impacts on IS processing
facilities
2.13.3 Business Continuity Planning Process

Phases of the business continuity planning process
• Creation of a business continuity and disaster recovery policy
• Business impact analysis
• Classification of operations and criticality analysis
• Development of a business continuity plan and disaster recovery
procedures
• Training and awareness program
• Testing and implementation of plan
• Monitoring
2.13.4 Business Continuity Policy

• A business continuity policy is a document approved by top
management that defines the extent and scope of the business
continuity effort (a project or an ongoing program) within the
organization.
2.13.5 Business Continuity Planning Incident Management

All types of incidents should be categorized
• Negligible
• Minor
• Major
• Crisis
2.13.6 Business Impact Analysis
• Critical step in developing the business continuity plan
• Three main questions to consider during BIA phase:
1. What are the different business processes?
2. What are the critical information resources related to an
organization’s critical business processes?
3. What is the critical recovery time period for information resources
in which business processing must be resumed before significant
or unacceptable losses are suffered?
2.13.9 Components of a Business Continuity Plan
A business continuity plan may consist of more
than one plan document
• Continuity of operations plan (COOP)
• Disaster recovery plan (DRP)
• Business resumption plan
• Continuity of support plan / IT contingency plan
• Crisis communications plan
• Incident response plan
• Transportation plan
• Occupant emergency plan (OEP)
2.13.9 Components of a Business Continuity Plan (continued)
Components of the plan
• Key decision-making personnel
• Backup of required supplies
• Telecommunication networks disaster recovery methods
• Insurance
2.13.10 Plan Testing
• Schedule testing at a time that will minimize disruptions to normal
operations
• Test must simulate actual processing conditions
• Test execution:
– Documentation of results
– Results analysis
– Recovery / continuity plan maintenance
2.13.11 Summary of Business Continuity and Disaster Recovery

• Business continuity plan must:
– Be based on the long-range IT plan
– Comply with the overall business continuity strategy
2.13.11 Summary of Business Continuity and Disaster Recovery
(continued)

• Process for developing and maintaining the BCP/DRP
– Business impact analysis
– Identify and prioritize systems
– Choose appropriate strategies
– Develop the detailed plan for IS facilities
– Develop the detailed BCP
– Test the plans
– Maintain the plans
2.14 Auditing Business Continuity

• Understand and evaluate business continuity strategy
• Evaluate plans for accuracy and adequacy
• Verify plan effectiveness
• Evaluate offsite storage
• Evaluate ability of IS and user personnel to respond
effectively
• Ensure plan maintenance is in place
• Evaluate readability of business continuity manuals and
procedures
2.14.1 Reviewing the Business Continuity Plan

IS auditors should verify that basic elements of a well-developed plan
are evident, including:
• Currency of documents
• Effectiveness of documents
• Interview personnel for appropriateness and completeness
2.14.2 Evaluation of Prior Test Results

IS auditors must review the test results to:
• Determine whether corrective actions are in the plan
• Evaluate thoroughness and accuracy
• Determine problem trends and resolution of problems
2.14.3 Evaluation of Offsite Storage

An IS auditor must:
• Evaluate presence, synchronization and currency of media
and documentation
• Perform a detailed inventory review
• Review all documentation
• Evaluate availability of facility
2.14.4 Interviewing Key Personnel
• Key personnel must have an understanding of their
responsibilities
• Current detailed documentation must be kept
2.14.5 Evaluation of Security at Offsite Facility

An IS auditor must:
• Evaluate the physical and environmental access controls
• Examine the equipment for current inspection and calibration
tags
2.14.6 Reviewing Alternative Processing Contract

• An IS auditor should obtain a copy of the contract with the vendor
• The contract should be reviewed against a
number of guidelines
– Contract is clear and understandable
– Organization’s agreement with the rules
2.14.7 Reviewing Insurance Coverage

• Insurance coverage must reflect actual cost of recovery
• Coverage of the following must be reviewed
for adequacy
– Media damage
– Business interruption
– Equipment replacement
– Business continuity processing
