Learning Objectives
Discuss Task and Knowledge Statements
Discuss specific topics within the chapter
Case studies (individual practice, follow CRM)
Sample questions (individual practice, follow CRM)
Exam Relevance
Ensure that the CISA candidate
Provide assurance that the necessary leadership and organization structure and processes are in place to achieve objectives and to support the organization's strategy.
The content area in this chapter will represent approximately 14% of the CISA examination (approximately 28 questions). (Review Manual Reference Pages: 73)
2.16 Knowledge of the standards and procedures for the development and maintenance of the business continuity plan and testing methods
Please refer to Exhibit xx, Tasks and Knowledge Statements Mapping.
2.2 Governance
Ethical corporate behavior by directors or others charged with governance in the creation and presentation of value for all stakeholders
The distribution of rights and responsibilities among different participants in the corporation, such as board, managers, shareholders and other stakeholders
Establishment of rules to manage and report on business risks
[Figure: Governance View. Enterprise governance encompasses corporate governance (corporate legal and regulatory compliance); the board and senior executive team exercise monitoring and disclosure toward shareholders and other stakeholders. Key assets: human assets, financial assets, physical assets, I/P assets, information and IT assets, relationship assets. Financial governance mechanisms and IT governance mechanisms sit beneath these.]
2.3 IT Governance
www.itgi.org
www.isaca.org
Review Manual Reference Pages: 87
[Figure: IT Governance View. Enterprise governance comprises corporate governance (corporate legal and regulatory compliance), with functional governance of IT (the IT function: applications, infrastructure, facilities, resources, etc.) and business governance of IT (IT services).]
[Figure: IT Governance Model. Governance focus areas: value delivery, performance measurement, resource management. The model provides direction, monitors compliance and performance, and ensures alignment with corporate goals and objectives.]
2.4.1 Best Practices for IT Governance (continued)
IT Governance Focus Areas:
Strategic alignment
Value delivery
Risk management
Resource management
Performance measurement
Review Manual Reference Pages: 88
IT Governance Focus Areas (Source: ITGI)
Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising expenses and proving the value of IT, and on controlling projects and operational processes with practices that increase the probability of success (quality, risk, time, budget, cost, etc.).
[Figure: value delivery elements: value proposition; deliver benefits against strategy; optimize expenses; controlling IT projects; increasing IT success.]
IT Governance Focus Areas (Source: ITGI)
Risk management requires risk awareness of senior corporate officers, a clear understanding of the enterprise's appetite for risk and transparency about the significant risks to the enterprise; it embeds risk management responsibilities in the operation of the enterprise and specifically addresses the safeguarding of IT assets, disaster recovery and continuity of operations.
Resource management covers the optimal investment, use and allocation of IT resources and capabilities (people, applications, technology, facilities, data) in servicing the needs of the enterprise, maximising the efficiency of these assets and optimising their costs, and specifically focuses on optimising knowledge and the IT infrastructure and on where and how to outsource.
[Figure: resource management elements: optimize IT investment; allocation and use of IT resources; cost effectiveness of use; alternate strategies (outsourcing); infrastructure; knowledge.]
IT Governance Control Cycle
Assess Environment
Based on COBIT, develop an approach for improved internal control to meet regulatory requirements that incorporates business and IT mission, vision, and strategy
Establish risk management strategy
Formally document existing processes
IT Governance Control Cycle (continued)
Enforce
Reinforce required policy compliance and standards conformance
Define a consistent approach for enforcement across all processes
Board members considered IT important in the areas of:
Compliance
Customer retention
Managing risk
Competitive positioning
The Role of IT within Business
[Figure: Premier IT leaders polled by Computer World put these projects at the top of their to-do lists for 2008: strategic alignment, direction, monitor compliance, performance, align.]
IT Governance Models
COSO
CobiT
COCO
IT CG
Cadbury
ITIL
Content to Emphasize:
The IS auditor should confirm that the terms of reference state the:
Scope of the work
Reporting line to be used
IS auditor's right of access to information
2.4.1 Best Practices for IT Governance (continued)
Auditor role in IT governance
In accordance with the defined role of the IS auditor, the following aspects related to IT governance need to be assessed:
The IS function's alignment with the organization's mission, vision, values, objectives and strategies
The IS function's achievement of performance objectives established by the business (effectiveness and efficiency)
Legal, environmental, information quality, and fiduciary and security requirements
The control environment of the organization
The inherent risks within the IS environment
2.4.1 Best Practices for IT Governance (continued)
Content to Emphasize:
The organizational status and skill sets of the IS auditor should be considered for appropriateness with regard to the nature of the planned audit.
2.4.2 IT Strategy Committee
The creation of an IT strategy committee is an industry best practice
Committee should broaden its scope to include not only advice on strategy when assisting the board in its IT governance responsibilities, but also to focus on IT value, risks and performance
Review Manual Reference Pages: 90
2.4.3 Standard IT Balanced Scorecard
A process management evaluation technique that can be applied to the IT governance process in assessing IT functions and processes
Method goes beyond the traditional financial evaluation
One of the most effective means to aid the IT strategy committee and management in achieving IT and business alignment
Review Manual Reference Pages: 91
Balanced Scorecard Approach
[Figure: balanced scorecard structure: financial perspective; goals; information criteria profile; enablers; corporate contribution; IT resources; user orientation; operational excellence; KPI; CSF; future orientation.]
Balanced Scorecard Approach - Goals
User Orientation: How do users view IT security?
Mission: To offer a preferred and sought-after security product
Strategies:
Preferred supplier of security products
Preferred operator of security systems and infrastructure
Proposer of best and most practical solutions
Partnership with user to address security issues
Achieving recognized user satisfaction
Business Contribution: How does management view IT security?
Mission: To obtain a positive business contribution from IT security
Strategies:
Control information security costs
Balance information security costs with risks and exposures
Proactively position security within the organization
Foster a security-conscious culture
[Figure: scorecard perspectives and the security operations flow: business contribution; future orientation; networks; resources; user admin; security organization; operational; event monitoring; security operations; event identification; event investigation; event follow-up; event report; executive reporting.]
Balanced Scorecard Approach - Performance
Lessons Learned
Planned Revisions
2.4.3 Standard IT Balanced Scorecard
Content to Emphasize:
Discuss the three-layered structure used in addressing the four perspectives for an IT Balanced Scorecard:
Mission
Strategies
Measures
2.4.4 Information Security Governance (continued)
Focused activity with specific value drivers
o Integrity of information
o Continuity of services
o Protection of information assets
[Figure: IT Security Performance Benchmark Maturity Model, rating six areas on a 0 to 5 scale: 1. Policies & procedures; 2. Security management; 3. Human behaviour & culture; 4. Application security; 5. System access control; 6. Network segregation. Legend for symbols used: average of best security performers in the financial industry (begin 01); company status Feb 03; company objective for 2009. Legend for ranking used: 5 Excellent: best possible, highly integrated; 4 Very good: advanced level of practice; 3 Good: moderately good level of practice; 2 Fair: some effort made to address issues; 1 Poor: recognize the issues; 0 Very poor: complete lack of good practice. A second panel plots the score trend over 2003 to 2008.]
2.8.1 Policies (continued)
Content to Emphasize:
IS auditors should:
reach an understanding of policies as part of the audit process
test policies for compliance
consider the extent to which the policies apply to third parties or outsourcers, the extent to which they comply with the policies, or if the third parties' or outsourcers' policies are in conflict with the organization's policies.
2.8.1 Policies (continued)
Information security policies
Communicate a coherent security standard to users, management and technical staff
Must balance the level of control with the level of productivity
Provide management the direction and support for information security in accordance with business requirements, relevant laws and regulations
Review Manual Reference Pages: 99
2.8.1 Policies (continued)
Information Security Policies Document
Content to Emphasize:
An independent review is necessary to ensure that policies and procedures have been properly documented, understood and implemented
2.9 Risk Management (continued)
The process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives
Review Manual Reference Pages: 101
2.9.1 Developing a Risk Management Program (continued)
Common classes of threats are:
Errors
Malicious damage/attack
Fraud
Theft
Equipment/software failure
2.9.2 Risk Management Process (continued)
Qualitative?
Semiquantitative?
Quantitative?
o Probability and expectancy?
o Annual loss expectancy method?
2.9.3 Risk Analysis Methods (continued)
Management and IS auditors should keep in mind certain considerations:
Risk management should be applied to IT functions throughout the company
Senior management responsibility
Quantitative RM is preferred over qualitative approaches
Quantitative RM always faces the challenge of estimating risks
Quantitative RM provides more objective assumptions
The real complexity or the apparent sophistication of the methods or packages used should not be a substitute for common sense or professional diligence
Special care should be given to very high impact events, even if the probability of occurrence over time is very low.
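As an added illustration (not from the review manual or ISACA) of the quantitative, semiquantitative and "very high impact" points above: annual loss expectancy ranks a constructed risk register one way, a 1 to 5 banded score ranks it another, and a single-event impact threshold surfaces the catastrophic low-probability event that ALE alone would bury. The Risk class, the band edges and all monetary figures are assumptions made for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    name: str
    sle: float  # single loss expectancy: monetary loss from one occurrence
    aro: float  # annualized rate of occurrence: expected events per year

def ale(risk: Risk) -> float:
    """Quantitative measure: annual loss expectancy = SLE x ARO."""
    return risk.sle * risk.aro

def band(value: float, edges: tuple) -> int:
    """Map a value onto a 1..5 band using four ascending edge values."""
    return 1 + sum(value >= e for e in edges)

def semiquant_score(risk: Risk) -> int:
    """Semiquantitative measure: impact band x likelihood band (1..25).
    The edges are assumed calibration points, not values from the page."""
    impact = band(risk.sle, (10_000, 100_000, 1_000_000, 5_000_000))
    likelihood = band(risk.aro, (0.1, 0.5, 1.0, 5.0))
    return impact * likelihood

def rank_by_ale(risks) -> list:
    """Risk names ordered by ALE, highest first."""
    return [r.name for r in sorted(risks, key=ale, reverse=True)]

def high_impact_exceptions(risks, sle_threshold: float) -> list:
    """Risks whose single-event impact is catastrophic regardless of ALE.
    These are the very-high-impact, very-low-probability events the text
    says deserve special care; ranking by ALE alone pushes them down."""
    return [r.name for r in risks if r.sle >= sle_threshold]

# Constructed sample register (illustrative figures, not from the page).
SAMPLE = [
    Risk("phishing-led payment fraud", sle=20_000, aro=6.0),
    Risk("ransomware outage at one site", sle=400_000, aro=0.2),
    Risk("primary data centre destroyed", sle=5_000_000, aro=0.01),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(f"{r.name:32s} ALE={ale(r):>10,.0f}  score={semiquant_score(r)}")
    print("ALE ranking:", rank_by_ale(SAMPLE))
    print("needs special care:", high_impact_exceptions(SAMPLE, 1_000_000))
```

Note that the data-centre loss ranks last by ALE (50,000 against 120,000 for the fraud) yet is the only item the impact threshold flags.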
2.10 IS Management Practices (continued)
IS management practices reflect the implementation of policies and procedures developed for various IS-related management activities. In most organizations, the IS department is a service (support) department.
The traditional role of a service department is to help production (line) departments conduct their operations more effectively and efficiently.
Today, however, IS has become an integral part of every facet of the operations of an organization.
Its importance continues to grow year after year, and there is little likelihood of a reversal of this trend. IS auditors must understand and appreciate the extent to which a well-managed IS department is crucial to achieving the organization's objectives.
Review Manual Reference Pages: 105
2.10.1 Human Resources Management Practices
Management and IS auditors should keep in mind certain considerations:
Hiring
Employee handbook
Promotion policies
Training
Scheduling and time reporting
Employee performance evaluations
Required vacations
Termination policies
2.10.1 Personnel Management Practices (contd.)
Content to Emphasize:
The IS auditor should be aware of personnel management issues, but this information is not tested in the CISA exam due to its subjectivity and organizational-specific subject matter.
2.10.2 Sourcing Practices (continued)
Possible disadvantages:
Costs exceeding customer expectations
Loss of internal IS experience
Loss of control over IS
Vendor failure
2.10.2 Sourcing Practices (continued)
Risks can be reduced by:
Establishing measurable, partnership-enacted shared goals and rewards
Using multiple suppliers or withholding a piece of business as an incentive
Performing periodic competitive reviews and benchmarking/bench trending
Implementing short-term contracts
Forming a cross-functional contract management team
Including contractual provisions to consider as many contingencies as can reasonably be foreseen
2.10.2 Sourcing Practices (continued)
Content to Emphasize:
SLAs:
are a contractual means of helping the IS department to manage information resources under the control of a vendor.
stipulate and commit a vendor to a required level of service and support options.
should serve as an instrument of control. Where the outsourcing vendor is from another country, the organization should be aware of cross-border legislation.
2.10.2 Sourcing Practices (continued)
Globalization practices and strategies
Requires management to actively oversee the remote or offshore locations
The IS auditor can assist an organization in moving IS functions offsite or offshore by ensuring that IS management considers the following:
Five ways to use performance measures:
Measure products/services
Manage products/services
Assure accountability
Make budget decisions
Optimize performance
2.10.7 Performance Optimization (continued)
Content to Emphasize:
COBIT management guidelines are primarily designed to meet the needs of IT management for performance measurement. Goals and metrics and maturity models are provided for each of the 34 IT processes. These are generic and action-oriented for the purpose of addressing the following types of management concerns:
Performance measurement: What are the indicators of good performance?
IT control profiling: What is important? What are the critical success factors for control?
Awareness: What are the risks of not achieving our objectives?
Benchmarking: What do others do? How are they measured and compared?
From a control perspective, the management guidelines address the key issue of determining the right level of control for IT such that it supports the objectives of the enterprise.
2.11 Organizational Structure & Overview
Organizational Structure
Review Manual Reference Pages: 114
2.11.1 IS Role and Responsibility (continued)
Systems development manager
Help desk
End user
End-user support manager
2.11.1 IS Role and Responsibility (continued)
Data management
Quality assurance manager
Vendor and outsourcer management
Operations manager
2.11.1 IS Role and Responsibility (continued)
Content to Emphasize:
Quality assurance manager: Responsible for negotiating and facilitating quality activities in all areas of information technology
Information Referenced and Provided By
IT Governance Institute
Information Systems Audit and Control Association
www.isaca.org
www.itgi.org
Practice Questions
1. In order for management to effectively monitor the compliance of processes and applications, which of the following would be the MOST ideal?
A. A central document repository
B. A knowledge management system
C. A dashboard
D. Benchmarking
Answer
1. C: A dashboard provides a set of information to illustrate compliance of the processes, applications and configurable elements and keeps the enterprise on course. A central document repository provides a great deal of data, but not necessarily the specific information that would be useful for monitoring and compliance. A knowledge management system provides valuable information, but is generally not used by management for compliance purposes. Benchmarking provides information to help management adapt the organization, in a timely manner, according to trends and environment.
Practice Questions (contd.)
2. Which of the following would be included in an IS strategic plan?
A. Specifications for planned hardware purchases
B. Analysis of future business objectives
C. Target dates for development projects
D. Annual budgetary targets for the IS department
Answer
2. B: IS strategic plans must address the needs of the business and meet future business objectives. Hardware purchases may be outlined, but not specified, and neither budget targets nor development projects are relevant choices. Choices A, C and D are not strategic items.
Practice Questions (contd.)
3. Which of the following BEST describes an IT department's strategic planning process?
A. The IT department will have either short-range or long-range plans