Chapter 2
Module 2
IT Governance
• High-level documents
• Represent the corporate philosophy of an organization
• Must be clear and concise to be effective
2.8.1 Policies (continued)
• Management should review all policies carefully
• Policies need to be updated to reflect new technology and significant changes in business processes
• Policies formulated must enable achievement of business objectives and implementation of IS controls
2.8.1 Policies (continued)
Information security policies
• Communicate a coherent security standard to users, management and technical staff
• Must balance the level of control with the level of productivity
• Provide management the direction and support for information security in accordance with business requirements, relevant laws and regulations
2.8.1 Policies (continued)
• Data management
• Quality assurance manager
• Vendor and outsourcer management
• Operations manager
2.11.1 IS Roles and Responsibilities (continued)
• Media management
• Data entry
• Systems administration
2.11.1 IS Roles and Responsibilities (continued)
• Security administration
• Quality assurance
• Database administration
2.11.1 IS Roles and Responsibilities (continued)
• Systems analyst
• Applications development and maintenance
• Infrastructure development and maintenance
• Network management
2.11.2 Segregation of Duties Within IS
An IS auditor must:
• Evaluate presence, synchronization and currency of media and documentation
• Perform a detailed inventory review
• Review all documentation
• Evaluate availability of the facility
2.14.4 Interviewing Key Personnel
• Key personnel must have an understanding of their responsibilities
• Current detailed documentation must be kept
2.14.5 Evaluation of Security at Offsite Facility
An IS auditor must:
• Evaluate the physical and environmental access controls
• Examine the equipment for current inspection and calibration tags
2.14.6 Reviewing Alternative Processing Contract