CISA Lecture Domain 2

[email protected] 3/30/16 Certified Information System Auditor (CISA) Md. Mushfiqur Rahman, CISA, MCT, CEI CEH, CHFI, MCP,MCTS,MCITP,MCSA,MCSE,SCSA, CCNA, OCP 9i/10g/11g, ITIL-F



Transcript of CISA Lecture Domain 2

Page 1: CISA Lecture Domain 2

Certified Information System Auditor (CISA)

Md. Mushfiqur Rahman, CISA, MCT, CEI, CEH, CHFI, MCP, MCTS, MCITP, MCSA, MCSE, SCSA, CCNA, OCP 9i/10g/11g, ITIL-F

Page 2: CISA Lecture Domain 2


Domain - 2

Governance and Management of IT

Page 3: CISA Lecture Domain 2

Exam Relevance

Ensure that the CISA candidate…

Provide assurance that the necessary leadership and organization structure and processes are in place to achieve objectives and to support the organization's strategy.

The content area in this chapter will represent approximately 14% of the CISA examination (approximately 28 questions)

Page 4: CISA Lecture Domain 2

INTRODUCTION

Task & Knowledge Statements

Task and knowledge statements represent the basis from which exam items are written.

Tasks: Tasks are the learning objectives that IS auditors/CISA candidates are expected to know to perform their job duties. Domain 2 has 11 task statements.

Knowledge statements: In order to perform all of the tasks, the IS auditor/CISA candidate should have a firm grasp of all the knowledge statements. There are 16 knowledge statements in CISA Domain 2.

Page 5: CISA Lecture Domain 2

Tasks/Objectives

11 Task Statements:

2.1 Evaluate the effectiveness of the IT governance structure to determine whether IT decisions, directions and performance support the organization’s strategies and objectives.

2.2 Evaluate IT organizational structure and human resources (personnel) management to determine whether they support the organization’s strategies and objectives.

2.3 Evaluate the IT strategy, including the IT direction, and the processes for the strategy’s development, approval, implementation and maintenance for alignment with the organization’s strategies and objectives.

Page 6: CISA Lecture Domain 2

Tasks/Objectives

2.4 Evaluate the organization's IT policies, standards, and procedures, and the processes for their development, approval, implementation, maintenance, and monitoring, to determine whether they support the IT strategy and comply with regulatory and legal requirements.

2.5 Evaluate the adequacy of the quality management system to determine whether it supports the organization's strategies and objectives in a cost-effective manner.

2.6 Evaluate IT management and monitoring of controls (e.g., continuous monitoring, QA) for compliance with the organization's policies, standards and procedures.

Page 7: CISA Lecture Domain 2

Tasks/Objectives

2.7 Evaluate IT resource investment, use and allocation practices, including prioritization criteria, for alignment with the organization's strategies and objectives.

2.8 Evaluate IT contracting strategies and policies, and contract management practices to determine whether they support the organization's strategies and objectives.

2.9 Evaluate risk management practices to determine whether the organization's IT-related risks are properly managed.

Page 8: CISA Lecture Domain 2

Tasks/Objectives

2.10 Evaluate monitoring and assurance practices to determine whether the board and executive management receive sufficient and timely information about IT performance.

2.11 Evaluate the organization's business continuity plan to determine the organization's ability to continue essential business operations during the period of an IT disruption.

Page 9: CISA Lecture Domain 2

Knowledge Statements

16 Knowledge Statements

2.1 Knowledge of IT governance, management, security and control frameworks, and related standards, guidelines, and practices

2.2 Knowledge of the purpose of IT strategy, policies, standards and procedures for an organization and the essential elements of each

2.3 Knowledge of organizational structure, roles and responsibilities related to IT

2.4 Knowledge of the processes for the development, implementation and maintenance of IT strategy, policies, standards and procedures

Page 10: CISA Lecture Domain 2

Knowledge Statements

2.5 Knowledge of the organization's technology direction and IT architecture and their implications for setting long-term strategic directions

2.6 Knowledge of relevant laws, regulations and industry standards affecting the organization

2.7 Knowledge of quality management systems

2.8 Knowledge of the use of maturity models

2.9 Knowledge of process optimization techniques

2.10 Knowledge of IT resource investment and allocation practices, including prioritization criteria (e.g., portfolio management, value management, project management)

Page 11: CISA Lecture Domain 2

Knowledge Statements

2.11 Knowledge of IT supplier selection, contract management, relationship management and performance monitoring processes including third-party outsourcing relationships

2.12 Knowledge of enterprise risk management

2.13 Knowledge of practices for monitoring and reporting of IT performance (e.g., balanced scorecards, key performance indicators [KPI])

2.14 Knowledge of IT human resources (personnel) management practices used to invoke the business continuity plan

2.15 Knowledge of business impact analysis (BIA) related to business continuity planning

2.16 Knowledge of the standards and procedures for the development and maintenance of the business continuity plan and testing methods

Page 12: CISA Lecture Domain 2


Governance

Ethical corporate behavior by directors or others charged with governance in the creation and presentation of value for all stakeholders

The distribution of rights and responsibilities among different participants in the corporation, such as board, managers, shareholders and other stakeholders

Establishment of rules to manage and report on business risks

Page 13: CISA Lecture Domain 2


Overall concept of governance

Corporate Governance: The Organization for Economic Co‐operation and Development (OECD) states: "Corporate governance involves a set of relationships between a company’s management, its board, its shareholders and other stakeholders.

Corporate governance also provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined.

Page 14: CISA Lecture Domain 2

Overall concept of governance

Good corporate governance should provide proper incentives for the board and management to pursue objectives that are in the interests of the company and its shareholders and should facilitate effective monitoring.” (OECD 2004, OECD Principles of Corporate Governance, p.11)

Page 15: CISA Lecture Domain 2

Overall concept of governance

On public governance, the OECD states: “Good, effective public governance helps to strengthen democracy and human rights, promote economic prosperity and social cohesion, reduce poverty, enhance environmental protection and the sustainable use of natural resources, and deepen confidence in government and public administration.” (OECD website on Public Governance and Management)

Page 16: CISA Lecture Domain 2


Governance

Governance is the framework, principles, structure, processes and practices to set direction and monitor compliance and performance aligned with the overall purpose and objectives of an enterprise.

In the definition, the enablers of governance are “framework, principles, structure, processes and practices”; the activities are “set direction, monitor compliance and performance and align business processes.”

Page 17: CISA Lecture Domain 2

IT Governance

IT Governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives.

Page 18: CISA Lecture Domain 2

IT Governance Model

Page 19: CISA Lecture Domain 2

Best Practices for IT Governance

Page 20: CISA Lecture Domain 2

IT Governance Focus Area

Page 21: CISA Lecture Domain 2

IT Governance Focus Area

Page 22: CISA Lecture Domain 2

IT Governance Focus Area

Page 23: CISA Lecture Domain 2

IT Governance Focus Area

Page 24: CISA Lecture Domain 2

IT Governance Focus Area

Page 25: CISA Lecture Domain 2

IT Governance Control Cycle

Page 26: CISA Lecture Domain 2

IT Governance Control Cycle

Page 27: CISA Lecture Domain 2

IT Governance Control Cycle

Page 28: CISA Lecture Domain 2

IT Governance Control Cycle

Page 29: CISA Lecture Domain 2

IT Governance Control Cycle

Page 30: CISA Lecture Domain 2

IT Governance Control Cycle

Page 31: CISA Lecture Domain 2

IT Governance Control Cycle

Page 32: CISA Lecture Domain 2

IT Governance Control Cycle

Page 33: CISA Lecture Domain 2

IT Governance Control Cycle

Page 35: CISA Lecture Domain 2

INTRODUCTION

Page 36: CISA Lecture Domain 2

The Role of IT within the Business

Page 37: CISA Lecture Domain 2

Board and CIO/CTO Interaction

Page 38: CISA Lecture Domain 2

INTRODUCTION

Page 39: CISA Lecture Domain 2

IT Governance

Page 40: CISA Lecture Domain 2

Monitoring and Assurance Practices for Board and Executive Management (continued)

Enterprises are governed by generally accepted good or best practices, the assurance of which is provided by certain controls. From these practices flows the organization’s direction, which indicates certain activities using the organization’s resources. The results of these activities are measured and reported on, providing input to the cyclical revision and maintenance of controls.

IT is also governed by good or best practices that ensure that the organization’s information and related technology support its business objectives, its resources are used responsibly, and its risks are managed appropriately.

Page 41: CISA Lecture Domain 2

Monitoring and Assurance Practices for Board and Executive Management

Effective enterprise governance focuses individual and group expertise and experience on specific areas where they can be most effective

IT governance is concerned with two issues: that IT delivers value to the business and that IT risks are managed

IT governance is the responsibility of the board of directors and executive management

Page 42: CISA Lecture Domain 2

Monitoring and Assurance Practices for Board and Executive Management

Content to Emphasize:

Information technology is now regarded as an integral part of that strategy. C-suite executives agree that strategic alignment between IT and enterprise objectives is a critical success factor. Information technology is so critical to the success of enterprises that it cannot be relegated to either IT management or IT specialists, but must receive the attention of both, in coordination with senior management.

IT governance is the responsibility of the board of directors and executive management.

A key element of IT governance is the alignment of business and IT, leading to the achievement of business value.

The key IT governance practices are IT strategy committee, risk management and standard IT balanced scorecard.

Page 43: CISA Lecture Domain 2

Best Practices for IT Governance (continued)

IT governance has become significant due to:

Demands for better return from IT investments

Increases in IT expenditures

Regulatory requirements for IT controls

Selection of service providers and outsourcing

Complexity of network security

Adoption of control frameworks

Benchmarking

Page 44: CISA Lecture Domain 2


Best Practices for IT Governance (continued)

Audit role in IT governance

Audit plays a significant role in the successful implementation of IT governance within an organization

Reporting on IT governance involves auditing at the highest level in the organization and may cross division, functional or departmental boundaries

Page 45: CISA Lecture Domain 2

Best Practices for IT Governance (continued)

Content to Emphasize:

The IS auditor should confirm that the terms of reference state the:

Scope of the work

Reporting line to be used

IS auditor's right of access to information

Page 46: CISA Lecture Domain 2

Best Practices for IT Governance (continued)

Auditor role in IT governance

In accordance with the defined role of the IS auditor, the following aspects related to IT governance need to be assessed:

The IS function's alignment with the organization's mission, vision, values, objectives and strategies

The IS function's achievement of performance objectives established by the business (effectiveness and efficiency)

Legal, environmental, information quality, and fiduciary and security requirements

The control environment of the organization

The inherent risks within the IS environment

Page 47: CISA Lecture Domain 2


Best Practices for IT Governance

Content to Emphasize:

The organizational status and skill sets of the IS auditor should be considered for appropriateness with regard to the nature of the planned audit.

Page 48: CISA Lecture Domain 2


IT Strategy Committee

The creation of an IT strategy committee is an industry best practice

Committee should broaden its scope to include not only advice on strategy when assisting the board in its IT governance responsibilities, but also to focus on IT value, risks and performance

Page 49: CISA Lecture Domain 2


Standard IT Balanced Scorecard

A process management evaluation technique that can be applied to the IT governance process in assessing IT functions and processes

Method goes beyond the traditional financial evaluation

One of the most effective means to aid the IT strategy committee and management in achieving IT and business alignment

Page 50: CISA Lecture Domain 2


Balanced Scorecard Approach


Page 52: CISA Lecture Domain 2

Standard IT Balanced Scorecard

Content to Emphasize:

Discuss the three-layered structure used in addressing the four perspectives for an IT Balanced Scorecard: mission, strategies and measures.

Page 53: CISA Lecture Domain 2

Information Security Governance

Focused activity with specific value drivers:

Integrity of information

Continuity of services

Protection of information assets

Integral part of IT governance

Importance of information security governance

Information security (Infosec) covers all information processes, physical and electronic, regardless of whether they involve people and technology or relationships with trading partners, customers and third parties.

Infosec is concerned with all aspects of information and its protection at all points of its life cycle within the organization.

Page 54: CISA Lecture Domain 2

Policies

Content to Emphasize:

IS auditors should:

reach an understanding of policies as part of the audit process

test policies for compliance

consider the extent to which the policies apply to third parties or outsourcers, the extent to which they comply with the policies, or if the third parties' or outsourcers' policies are in conflict with the organization's policies.

Page 55: CISA Lecture Domain 2


Policies (continued)

Information security policies

Communicate a coherent security standard to users, management and technical staff

Must balance the level of control with the level of productivity

Provide management the direction and support for information security in accordance with business requirements, relevant laws and regulations

Page 56: CISA Lecture Domain 2

Policies (continued)

Information security policy document:

Definition of information security

Statement of management intent

Framework for setting control objectives

Brief explanation of security policies

Definition of responsibilities

References to documentation

Page 57: CISA Lecture Domain 2

Policies (continued)

Information Policy Groups

High-level information security policy

Data classification policy

Acceptable usage policy

End user computing policy

Access control policies

Page 58: CISA Lecture Domain 2

Policies (continued)

Content to Emphasize:

High-level Information Security Policy: This policy should include statements on confidentiality, integrity and availability.

Data Classification Policy: This policy should describe the classifications, levels of control at each classification and responsibilities of all potential users including ownership.

Acceptable Usage Policy: There must be a comprehensive policy that includes information for all information resources (HW/SW, networks, Internet, etc.) and describes the organizational permissions for the usage of IT and information-related resources.

End User Computing Policy: This policy describes the parameters and usage of desktop tools by users.

Access Control Policies: This policy describes the method for defining and granting access to users to various IT resources.

Page 59: CISA Lecture Domain 2


Policies (continued)

Review of the information security policy document

Should be reviewed at planned intervals or when significant changes occur to ensure its continuing suitability, adequacy and effectiveness

Should have an owner who has approved management responsibility for the development, review and evaluation of the security policy

Review should include assessing opportunities for improvement to the organization’s information security policy

Page 60: CISA Lecture Domain 2

Policies (continued)

Content to Emphasize:

The input to the management review should include:

Feedback from interested parties

Results of independent reviews

Status of preventive and corrective actions

Results of previous management reviews

Process performance and information security policy compliance

Changes that could affect the organization's approach to managing information security, including changes to the organizational environment; business circumstances; resource availability; contractual, regulatory and legal conditions; or technical environment

Use of, or consideration of, outsourcers or offshoring of IT or business functions

Trends related to threats and vulnerabilities

Reported information security incidents

Recommendations provided by relevant authorities

Page 61: CISA Lecture Domain 2

Procedures (continued)

Procedures are detailed documents that:

Define and document implementation policies

Must be derived from the parent policy

Must implement the spirit (intent) of the policy statement

Must be written in a clear and concise manner

Page 62: CISA Lecture Domain 2


Procedures (continued)

Content to Emphasize:

An independent review is necessary to ensure that policies and procedures have been properly documented, understood and implemented

Page 63: CISA Lecture Domain 2

Risk Management (continued)

The process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives.

Page 64: CISA Lecture Domain 2


Developing a Risk Management Program

To develop a risk management program:

Establish the purpose of the risk management program

Assign responsibility for the risk management plan

Page 65: CISA Lecture Domain 2


Risk Management Process (continued)

To develop a risk management process:

Identification and classification of information resources or assets that need protection

Assess threats and vulnerabilities and the likelihood of their occurrence

Once the elements of risk have been established they are combined to form an overall view of risk

Page 66: CISA Lecture Domain 2

Risk Management Process (continued)

Content to Emphasize:

Examples of typical assets associated with information and IT include:

Information and data

Hardware

Software

Services

Documents

Personnel

Common classes of threats are:

Errors

Malicious damage/attack

Fraud

Theft

Equipment/software failure

Page 67: CISA Lecture Domain 2


Risk Management Process (continued)

To develop a risk management process:

Evaluate existing controls or design new controls to reduce the vulnerabilities to an acceptable level of risk

Residual risk

Page 68: CISA Lecture Domain 2

Risk Management Process (continued)

Content to Emphasize:

Final acceptance of residual risks takes into account:

Organizational policy

Risk identification and measurement

Uncertainty incorporated in the risk assessment approach

Cost and effectiveness of implementation

Page 69: CISA Lecture Domain 2

Risk Management Process (continued)

IT risk management needs to operate at multiple levels including:

Operational—Risks that could compromise the effectiveness of IT systems and supporting infrastructure

Project—Risk management needs to focus on the ability to understand and manage project complexity

Strategic—The risk focus shifts to considerations such as how well the IT capability is aligned with the business strategy

Page 70: CISA Lecture Domain 2

Risk Analysis Methods (continued)

Qualitative? Semi-quantitative? Quantitative?

Probability and expectancy? Annual loss expectancy method?

Page 71: CISA Lecture Domain 2

Risk Analysis Methods (continued)

Management and IS auditors should keep in mind certain considerations:

Risk management should be applied to IT functions throughout the company

Senior management responsibility

Quantitative RM is preferred over qualitative approaches

Quantitative RM always faces the challenge of estimating risks

Quantitative RM provides more objective assumptions

The real complexity or the apparent sophistication of the methods or packages used should not be a substitute for common sense or professional diligence

Special care should be given to very high impact events, even if the probability of occurrence over time is very low.
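The risk analysis methods named on the previous slide (qualitative, semi-quantitative, quantitative, and the annual loss expectancy method) and the considerations above, worked through in Python as an added example that is not part of the lecture. It computes single loss expectancy (SLE = asset value × exposure factor) and annual loss expectancy (ALE = SLE × annualized rate of occurrence), ranks a small risk register by ALE, tests whether a proposed control is cost-justified by the ALE reduction it buys, and separately flags very high impact, very low probability events that an ALE ranking alone would bury. The register, asset values, exposure factors, occurrence rates, control costs and the 1..5 qualitative scale are all constructed for illustration; the function names are my own, not ISACA's.

```python
"""Risk analysis methods from the lecture, worked through in code.

Added example, not material from the lecture slides. All asset values,
exposure factors, occurrence rates and control costs are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One threat/asset pair from the risk register."""
    name: str
    asset_value: float      # value of the asset at risk (currency units)
    exposure_factor: float  # fraction of asset value lost per event, 0.0..1.0
    aro: float              # annualized rate of occurrence (events per year)


def single_loss_expectancy(s: Scenario) -> float:
    """SLE = asset value x exposure factor: the loss from one event."""
    return s.asset_value * s.exposure_factor


def annual_loss_expectancy(s: Scenario) -> float:
    """ALE = SLE x ARO: the expected loss per year (the ALE method)."""
    return single_loss_expectancy(s) * s.aro


def ale_reduction(s: Scenario, ef_after: float, aro_after: float) -> float:
    """ALE before a control minus ALE after it: the control's annual benefit."""
    after = Scenario(s.name, s.asset_value, ef_after, aro_after)
    return annual_loss_expectancy(s) - annual_loss_expectancy(after)


def control_is_cost_justified(s: Scenario, annual_control_cost: float,
                              ef_after: float, aro_after: float) -> bool:
    """Quantitative decision rule: the control pays for itself when the
    ALE reduction it buys is at least its annual cost."""
    return ale_reduction(s, ef_after, aro_after) >= annual_control_cost


def rank_by_ale(scenarios: list[Scenario]) -> list[str]:
    """Scenario names ordered by expected annual loss, highest first."""
    return [s.name for s in sorted(scenarios, key=annual_loss_expectancy, reverse=True)]


def flag_high_impact(scenarios: list[Scenario], sle_threshold: float) -> list[str]:
    """Scenarios whose single-event loss reaches the threshold, however small
    their ALE: the 'very high impact, very low probability' caveat. These
    need management attention even when the ALE ranking puts them last."""
    return [s.name for s in scenarios if single_loss_expectancy(s) >= sle_threshold]


def qualitative_rating(likelihood: int, impact: int) -> str:
    """Semi-quantitative scoring on 1..5 scales (a constructed scale), used
    when monetary estimates for SLE and ARO are not available."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be on a 1..5 scale")
    score = likelihood * impact
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


# Constructed register: illustrative values, not taken from the lecture.
REGISTER = [
    Scenario("Ransomware on file server", 500_000, 0.40, 0.5),
    Scenario("Data center fire", 4_000_000, 0.75, 0.01),
    Scenario("Laptop theft", 3_000, 1.00, 12),
]


if __name__ == "__main__":
    for s in REGISTER:
        print(f"{s.name:28s} SLE={single_loss_expectancy(s):>12,.0f}"
              f"  ALE={annual_loss_expectancy(s):>10,.0f}")
    print("Ranked by ALE:", rank_by_ale(REGISTER))
    print("High impact (SLE >= 1,000,000):", flag_high_impact(REGISTER, 1_000_000))
    # Offline backups for the ransomware scenario: 25,000/yr, EF cut to 0.10
    print("Backups justified:",
          control_is_cost_justified(REGISTER[0], 25_000, 0.10, 0.5))
    # Fire suppression for the data center: 60,000/yr, EF cut to 0.25
    print("Suppression justified on ALE alone:",
          control_is_cost_justified(REGISTER[1], 60_000, 0.25, 0.01))
```

With these constructed numbers the fire scenario has the largest single loss but the smallest ALE, so a pure ALE ranking puts it last and the ALE-versus-cost test rejects the suppression control; the separate impact threshold is what surfaces it for a management decision, which is the point of the "special care" consideration above.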

Page 72: CISA Lecture Domain 2

IS Management Practices (continued)

IS management practices reflect the implementation of policies and procedures developed for various IS-related management activities. In most organizations, the IS department is a service (support) department.

The traditional role of a service department is to help production (line) departments conduct their operations more effectively and efficiently.

Today, however, IS has become an integral part of every facet of the operations of an organization.

Its importance continues to grow year after year, and there is little likelihood of a reversal of this trend. IS auditors must understand and appreciate the extent to which a well managed IS department is crucial to achieving the organization's objectives.

Page 73: CISA Lecture Domain 2

Human Resources Management Practices

Management and IS auditors should keep in mind certain considerations:

Hiring

Employee handbook

Promotion policies

Training

Scheduling and time reporting

Employee performance evaluations

Required vacations

Termination policies

Page 74: CISA Lecture Domain 2

Personnel Management Practices (contd.)

Content to Emphasize:

The IS auditor should be aware of personnel management issues, but this information is not tested in the CISA exam due to its subjectivity and organization-specific subject matter.

Page 75: CISA Lecture Domain 2

Sourcing Practices (continued)

Sourcing practices relate to the way an organization obtains the IS function required to support the business

Organizations can perform all IS functions in-house or outsource all functions across the globe

Sourcing strategy should consider each IS function and determine which approach allows the IS function to meet the organization's goals

Page 76: CISA Lecture Domain 2

Sourcing Practices

Content to Emphasize:

Delivery of IS functions can include:

Insourced—Fully performed by the organization's staff

Outsourced—Fully performed by the vendor's staff

Hybrid—Performed by a mix of the organization's and vendor's staff; can include joint ventures/supplemental staff

IS functions can be performed across the globe, taking advantage of time zones and arbitraging labor rates, and can include:

Onsite—Staff work onsite in the IS department

Offsite—Also known as nearshore, staff work at a remote location in the same geographical area

Offshore—Staff work at a remote location in a different geographic region

Page 77: CISA Lecture Domain 2

Sourcing Practices (continued)

Outsourcing practices and strategies

Contractual agreements under which an organization hands over control of part or all of the functions of the IS department to an external party

Becoming increasingly important in many organizations

The IS auditor must be aware of the various forms outsourcing can take as well as the associated risks

Page 78: CISA Lecture Domain 2

Sourcing Practices (continued)

Content to Emphasize:

Reasons for outsourcing include:

A desire to focus on core activities

Pressure on profit margins

Increasing competition that demands cost savings

Flexibility with respect to both organization and structure

The services provided by a third party can include:

Data entry

Design and development of new systems in the event that the in-house staff does not have the requisite skills or is otherwise occupied in higher-priority tasks, or in the event of a one-time task in which case there is no need to recruit additional in-house skilled staff

Maintenance of existing applications to free in-house staff to develop new applications

Conversion of legacy applications to new platforms. For example, a specialist company may web-enable the front end of an old application.

Operating the help desk or the call center

Operations processing

Page 79: CISA Lecture Domain 2

Sourcing Practices (continued)

Possible advantages:

Commercial outsourcing companies likely to devote more time and focus more efficiently on a given project than in-house staff

Outsourcing vendors likely to have more experience with a wider array of problems, issues and techniques

Possible disadvantages:

Costs exceeding customer expectations

Loss of internal IS experience

Loss of control over IS

Vendor failure

Page 80: CISA Lecture Domain 2

Sourcing Practices (continued)

Risks can be reduced by:

Establishing measurable, partnership-enacted shared goals and rewards

Using multiple suppliers or withholding a piece of business as an incentive

Performing periodic competitive reviews and benchmarking/bench trending

Implementing short-term contracts

Forming a cross-functional contract management team

Including contractual provisions to consider as many contingencies as can reasonably be foreseen

Page 81: CISA Lecture Domain 2

Sourcing Practices (continued)

Content to Emphasize:

SLAs:

are a contractual means of helping the IS department to manage information resources under the control of a vendor.

stipulate and commit a vendor to a required level of service and support options.

should serve as an instrument of control.

Where the outsourcing vendor is from another country, the organization should be aware of cross-border legislation.

Page 82: CISA Lecture Domain 2

Sourcing Practices (continued)

Globalization practices and strategies

Requires management to actively oversee the remote or offshore locations

The IS auditor can assist an organization in moving IS functions offsite or offshore by ensuring that IS management considers the following:

Legal, regulatory and tax issues

Continuity of operations

Personnel

Telecommunication issues

Cross-border and cross-cultural issues

Page 83: CISA Lecture Domain 2

Sourcing Practices (continued)

Governance in outsourcing

Mechanism that allows organizations to transfer the delivery of services to third parties

Accountability remains with the management of the client organization

Transparency and ownership of the decision-making process must reside within the purview of the client

Page 84: CISA Lecture Domain 2

Sourcing Practices (continued)

Third-party service delivery management

Every organization using the services of third parties should have a service delivery management system in place to implement and maintain the appropriate level of information security and service delivery in line with third-party service delivery agreements

The organization should check the implementation of agreements, monitor compliance with the agreements and manage changes to ensure that the services delivered meet all requirements agreed to with the third party.

Page 85: CISA Lecture Domain 2


Organizational Change Management

What is change management? Managing IT changes for the organization

Identify and apply technology improvements at the infrastructure and application level

Page 86: CISA Lecture Domain 2

Financial Management Practices

Financial management is a critical element of all business functions. In a cost-intensive computer environment, it is imperative that sound financial management practices are in place.

Budget: IS management, like all other departments, must develop a budget. A budget allows for forecasting, monitoring and analyzing financial information. The budget allows for an adequate allocation of funds, especially in an IS environment where expenses can be cost intensive. The IS budget should be linked to short- and long-range IT plans.

Page 87: CISA Lecture Domain 2

Quality Management (continued)

Software development, maintenance and implementation

Acquisition of hardware and software

Day-to-day operations

Service management

Security

Human resource management

General administration

Page 88: CISA Lecture Domain 2

[email protected]/30/16

Information Security Management

Information security management provides the lead role to ensure that the organization's information and the information processing resources under its control are properly protected. This would include leading and facilitating the implementation of an organization-wide IT security program, which includes the development of Business Impact Analyses (BIAs), Business Continuity Plans (BCPs) and Disaster Recovery Plans (DRPs) related to IS department functions in support of the organization's critical business processes.

Page 89: CISA Lecture Domain 2

Performance Optimization (continued)

• Process driven by performance indicators

• Optimization refers to the process of improving the productivity of information systems to the highest level possible without unnecessary, additional investment in the IT infrastructure

Page 90: CISA Lecture Domain 2

Performance Optimization (continued…)

Content to Emphasize:

The broad phases of performance measurement are:

• Establishing and updating performance measures

• Establishing accountability for performance measures

• Gathering and analyzing performance data

• Reporting and using performance information

Caveats of performance measurement include:

Model—A model is built or established first to evaluate the performance and alignment with the business objectives.

Measurement error—Conventional measures do not properly account for the true inputs and outputs.

Lags—Time lags between expense and benefit are not properly accounted for in current measures.

Redistribution—IT is used to redistribute the source of costs in firms; there is no difference in total output, only in the means of getting it.

Mismanagement—The lack of explicit measures of the value of information makes resources vulnerable to misallocation and overconsumption by managers. As a result, proper performance measurement techniques will play an increasing role for program managers and investment review boards.

Page 91: CISA Lecture Domain 2

Performance Optimization (continued)

Five ways to use performance measures:

• Measure products/services

• Manage products/services

• Assure accountability

• Make budget decisions

• Optimize performance

Page 92: CISA Lecture Domain 2

Performance Optimization (continued…)

Content to Emphasize:

• COBIT management guidelines are primarily designed to meet the needs of IT management for performance measurement. Goals and metrics and maturity models are provided for each of the 34 IT processes. These are generic and action-oriented for the purpose of addressing the following types of management concerns:

Performance measurement—What are the indicators of good performance?

IT control profiling—What is important? What are the critical success factors for control?

Awareness—What are the risks of not achieving our objectives?

Benchmarking—What do others do? How are they measured and compared?

From a control perspective, the management guidelines address the key issue of determining the right level of control for IT such that it supports the objectives of the enterprise.

Page 93: CISA Lecture Domain 2

Organizational Structure

Page 94: CISA Lecture Domain 2

IS Role and Responsibility (continued)

• Systems development manager

• Help desk

• End user

• End user support manager

Page 95: CISA Lecture Domain 2

IS Role and Responsibility (continued)

• Data management

• Quality assurance manager

• Vendor and outsourcer management

• Operations manager

Page 96: CISA Lecture Domain 2

IS Role and Responsibility (continued)

Content to Emphasize:

Quality assurance manager—Responsible for negotiating and facilitating quality activities in all areas of information technology.

With the increase in outsourcing, including the use of multiple vendors, dedicated staff may be required to manage the vendors and outsourcers, including performing the following functions:

• Act as the prime contact for the vendor and outsourcer within the IS function.

• Provide direction to the outsourcer on issues and escalate internally within the organization and IS function.

• Monitor and report on the service levels to management.

• Review changes to the contract due to new requirements and obtain IS approvals.

Page 97: CISA Lecture Domain 2

IS Role and Responsibility (continued)

• Control group

• Media management

• Data entry

• Systems administration

• Security administration

• Quality assurance

• Database administration

• Systems analyst

• Security architect

• Applications development and maintenance

• Infrastructure development and maintenance

• Network management

Page 98: CISA Lecture Domain 2

Segregation of Duties Within IS (contd…)

• Avoids the possibility of errors or misappropriations

• Discourages fraudulent acts

• Limits access to data

Page 99: CISA Lecture Domain 2

Segregation of Duties within IS

Page 100: CISA Lecture Domain 2

Segregation of Duties Control (contd…)

Control measures to enforce segregation of duties include:

• Transaction authorization

• Custody of assets

• Access to data

• Authorization forms

• User authorization tables

Page 101: CISA Lecture Domain 2

Segregation of Duties Control (contd…)

Compensating controls for lack of segregation of duties include:

• Audit trails

• Reconciliation

• Exception reporting

• Transaction logs

• Supervisory reviews

• Independent reviews
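As an added example (not from the lecture) covering both the enforcing control measures above (user authorization tables) and the compensating controls listed here (exception reporting over transaction logs), the Python below runs a preventive segregation-of-duties check over a constructed authorization table and a detective exception report over constructed transaction log records; the function names, role and function names, and records are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed user authorization table: user -> functions granted.
USER_AUTHORIZATION_TABLE = {
    "alice": {"enter_payment", "maintain_vendor"},
    "bob": {"approve_payment"},
    "carol": {"enter_payment", "approve_payment"},        # conflicting grant
    "dave": {"develop_code", "deploy_to_production"},     # conflicting grant
}

# Constructed SoD rule set: pairs of functions no single person may hold.
SOD_CONFLICTS = [
    ("enter_payment", "approve_payment"),
    ("maintain_vendor", "approve_payment"),
    ("develop_code", "deploy_to_production"),
]

def find_sod_violations(auth_table, conflicts):
    """Preventive check: return sorted (user, function_a, function_b) for
    every user granted both halves of a conflicting pair."""
    violations = []
    for user, functions in auth_table.items():
        for a, b in conflicts:
            if a in functions and b in functions:
                violations.append((user, a, b))
    return sorted(violations)

# Constructed transaction log records: (transaction_id, action, user).
TRANSACTION_LOG = [
    ("T100", "enter_payment", "alice"),
    ("T100", "approve_payment", "bob"),
    ("T101", "enter_payment", "carol"),
    ("T101", "approve_payment", "carol"),  # entered and approved by one person
    ("T102", "enter_payment", "alice"),
    ("T102", "approve_payment", "alice"),  # alice approved without a grant
]

def exception_report(log):
    """Detective compensating control: transaction IDs where the user who
    entered the payment also approved it, listed for supervisory review."""
    actors = defaultdict(dict)
    for txn_id, action, user in log:
        actors[txn_id][action] = user
    return sorted(txn for txn, acts in actors.items()
                  if acts.get("enter_payment") is not None
                  and acts.get("enter_payment") == acts.get("approve_payment"))
```

The preventive check flags grants that should never coexist; the exception report catches the same conflict after the fact when the table was not enforced or was bypassed.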

Page 102: CISA Lecture Domain 2

Auditing IT Governance Structure and Implementation (contd…)

Indicators of potential problems include:

• Unfavorable end-user attitudes

• Excessive costs

• Budget overruns

• Late projects

• High staff turnover

• Inexperienced staff

• Frequent hardware/software errors

Page 103: CISA Lecture Domain 2

Reviewing Documentation (contd…)

The following documents should be reviewed:

• IT strategies, plans and budgets

• Security policy documentation

• Organization/functional charts

• Job descriptions

• Steering committee reports

• System development and program change procedures

• Operations procedures

• Human resource manuals

• Quality assurance procedures

Page 104: CISA Lecture Domain 2

Reviewing Contractual Commitment (contd…)

There are various phases to computer hardware, software and IS service contracts, including:

• Development of contract requirements and service levels

• Contract bidding process

• Contract selection process

• Contract acceptance

• Contract maintenance

• Contract compliance

Page 105: CISA Lecture Domain 2

Reviewing Contractual Commitment (contd…)

Content to Emphasize:

In reviewing a sample of contracts, the IS auditor should evaluate the adequacy of the following terms and conditions:

• Service levels

• Right to audit or third-party audit reporting

• Software escrow

• Penalties for noncompliance

• Adherence to security policies and procedures

• Protection of customer information

• Contract change process

• Contract termination and any associated penalties

Page 106: CISA Lecture Domain 2

Governance on a Page

Page 107: CISA Lecture Domain 2

Practice Questions (contd.)

Q – 1: In order for management to effectively monitor the compliance of processes and applications, which of the following would be the MOST ideal?

A. A central document repository

B. A knowledge management system

C. A dashboard

D. Benchmarking

Page 108: CISA Lecture Domain 2

Practice Questions (contd.)

Answer is C. A dashboard provides a set of information to illustrate compliance of the processes, applications and configurable elements and keeps the enterprise on course. A central document repository provides a great deal of data, but not necessarily the specific information that would be useful for monitoring and compliance. A knowledge management system provides valuable information, but is generally not used by management for compliance purposes. Benchmarking provides information to help management adapt the organization, in a timely manner, according to trends and environment.
