CISA REVIEW

The material provided in this slide show came directly from Certified Information Systems Auditor (CISA) Review Material 2010 by ISACA.

Transcript of CISA REVIEW

Page 1: CISA REVIEW

The material provided in this slide show came directly from Certified Information Systems Auditor (CISA) Review Material 2010 by ISACA.

Page 2: Chapter 2 – Governance Learning Objectives

• Evaluate the effectiveness of IT governance structure to ensure adequate board control over the decisions, directions and performance of IT, so it supports the organization's strategies and objectives

• Evaluate IT organizational structure and human resources (personnel) management to ensure that they support the organization's strategies and objectives

• Evaluate the IT strategy and process for their development, approval, implementation and maintenance to ensure that they support the organization's strategies and objectives

• Evaluate the organization's IT policies, standards, procedures and processes for their development, approval, implementation and maintenance to ensure that they support the IT strategy and comply with regulatory and legal requirements

• Evaluate management practices to ensure compliance with the organization's IT strategy, policies, standards and procedures

• Evaluate IT resource investment, use and allocation practices to ensure alignment with the organization's strategies and objectives

• Evaluate risk management practices to ensure that the organization's IT-related risks are properly managed

• Evaluate monitoring and assurance practices to ensure that the board and executive management receive sufficient and timely information about IT performance

Page 3: Chapter 2 – Governance

• IT governance is used to ensure that an organization's IT objectives are in alignment with its enterprise objectives. To ensure successful implementation of IT governance, an IS auditor needs to make certain that the organization's IS strategies are in alignment with the organization's business strategies. The IS auditor must also ensure that IS strategies comply with all local, regional and federal laws and regulations.

• Other critical elements of an IS auditor's role in IT governance are to ensure that IS policies exist and adequately reflect the approved IS strategies, and that IS standards and procedures effectively enforce and communicate those policies.

Page 4: Chapter 2 – Governance

• IT governance implies a system in which all stakeholders, including the board, internal customers and related areas such as finance, have the necessary input into the decision-making process. This prevents a single stakeholder, typically IT, from being blamed for poor decisions. It also prevents users from later complaining that the system does not behave or perform as expected.

• The best way to implement IT governance so that it has the most positive impact is collaborative senior management sponsorship between the business and IT operations. Lower management levels may have some success, but when governance is only departmental, problems arise with projects that span departments, because those projects are not consistently managed under the same guidance.

Page 5: Chapter 2 – Governance

IT governance encompasses:

• Information systems
• Technology and communication
• Business, legal and other issues such as regulatory compliance and security
• All concerned stakeholders: directors, senior management, process owners, IT suppliers, users and auditors

Page 6: Chapter 2 – Governance

Chief executive officers (CEOs), chief financial officers (CFOs) and chief information officers (CIOs) agree that the strategic alignment between IT and enterprise objectives is a critical success factor for an organization.

Page 7: Chapter 2 – Process Improvement

IT governance is concerned that IT delivers value to the business and that IT risks are managed. The first is driven by strategic alignment of IT with the business. The second is driven by embedding accountability into the enterprise, which cannot be accomplished without effective measuring and reporting.

Page 8: Chapter 2 – Governance

An IS auditor should assess the following organizational IT governance elements:

• Alignment of the IT function with the organization's mission, vision, values, objectives and strategies

• Achievement of IT function performance objectives established by the business (effectiveness and efficiency) including the measures used to determine success

• Legal, environmental, information quality, and fiduciary and security requirements

• The control environment of the organization
• The inherent risks within the IT environment
• The organization's documentation and contractual commitments

Page 9: Chapter 2 – IT Strategy Committee

As an industry best practice, all organizations should create an IT strategy committee. To incorporate IT governance into enterprise governance, a successful IT strategy committee must assist the board by:

• Providing advice on strategy, IT value, risks and performance

• Overseeing the enterprise's IT-related matters by ensuring that the board has the internal and external information it requires for effective IT governance decision-making

Page 10: Chapter 2 – IT Steering Committee

In addition to the IT strategy committee, an organization's senior management should appoint an IT planning or steering committee. The responsibilities and duties of this committee should be defined in a formal charter and include overseeing the IT function and its activities, and ensuring that the IT department is in agreement with the organization's mission and objectives.

Page 11: Chapter 2 – IT Steering Committee

The primary functions of the IT steering committee include the following:

• Review the long- and short-range plans of the IT department to ensure that they are in accordance with the organization's objectives.
• Review and approve major acquisitions of hardware and software within the limits approved by the board of directors.
• Approve and monitor major projects and the status of IT plans and budgets; establish priorities; approve standards and procedures; and monitor overall IT performance.
• Review and approve sourcing strategies for select, or all, IT activities, including insourcing or outsourcing, and the globalization or offshoring of functions.
• Review adequacy of resources and allocation of resources in terms of time, personnel and equipment.
• Make decisions regarding centralization vs. decentralization and assignment of responsibility.
• Support development and implementation of an enterprisewide information security management program.
• Report to the board of directors on IT activities.

Page 12: Chapter 2 – IT Steering Committee

In order to effectively coordinate and monitor an organization's IT resources, an IT steering committee must:

• Receive the appropriate management information from IT departments, user departments and audits
• Monitor performance and institute appropriate action to achieve desired results
• Meet regularly and report to senior management
• Maintain formal minutes to document the committee's activities and decisions
• Serve as a general review board for major IT projects and avoid becoming involved in routine operations

Page 13: Chapter 2 – Strategic Planning

An important element of strategic planning is to make sure that business and IT management work together toward a common goal. To do this:

• IT management needs to have a better understanding of business issues and business unit management should also have a solid understanding of the reality of IT constraints.

• All parties involved should have the ability to understand and relate strategic plans between business needs and IT. Strategic plans should address how IT resources will add value to the business. IT resources add value by mitigating risk, by delivering and protecting information, and by allocating resources accordingly.

Page 14: Chapter 2 – Strategic Planning

Instructions: Match each IT governance outcome to its corresponding description.

Outcomes:
• Strategic alignment
• Risk management
• Value delivery
• Resource management
• Performance measurement

Descriptions:
• Measures, monitors and reports on information security processes to ensure objectives are achieved
• Aligns information security with business strategy to support organizational objectives
• Optimizes security investments in support of business objectives
• Utilizes information security knowledge and infrastructure efficiently and effectively
• Manages and executes appropriate measures to mitigate risks and reduce potential impacts on information resources to an acceptable level

Page 15: Chapter 2 – Strategic Planning

Answers: Each term is followed by the appropriate description.

• Strategic alignment: Aligns information security with business strategy to support organizational objectives
• Risk management: Manages and executes appropriate measures to mitigate risks and reduce potential impacts on information resources to an acceptable level
• Value delivery: Optimizes security investments in support of business objectives
• Resource management: Utilizes information security knowledge and infrastructure efficiently and effectively
• Performance measurement: Measures, monitors and reports on information security processes to ensure objectives are achieved

Page 16: Chapter 2 – Policies and Procedures

IT governance also includes overseeing the policies and procedures developed to guide and control information systems and related resources.

Page 17: Chapter 2 – Information Security Policy

Information security policies should guide the organization by defining what needs to be protected, responsibilities for protection, and the strategy that will be followed for protection. Information security policies should be developed in accordance with business requirements, and relevant laws and regulations. An organization's management should demonstrate support for and commitment to information security by issuing and maintaining information security policies that contain a clear direction.

Page 18: Chapter 2 – Information Security Policy

An organization's information security policy should be approved by management and:

• Define the overall objective and scope of the organization's information security

• Align the goals and principles of information security with the business strategy and objectives

• Set the framework for risk assessment and risk management

Page 19: Chapter 2 – Information Security Policy

After an information security policy is approved by management, it should be published and communicated. The policy must be:

• Communicated to all users in the organization, including internal and external workers, third parties and outsourcers

• Provided in a form that is accessible and understandable to the intended reader

Page 20: Chapter 2 – Information Security Management

Information security management involves leading and facilitating the implementation of an organizationwide IT security program to assure that the organization's information and the information-processing resources under its control are properly protected. This includes, but is not limited to:

• Developing business continuity and disaster recovery plans (BCP and DRP) related to IT department functions in support of the organization's critical business processes
• Applying risk management principles to assess the risks to IT assets
• Mitigating risks to an appropriate level as determined by management
• Monitoring the remaining residual risks

Page 21: Chapter 2 – Information Security Management

Instructions: Here are three items and descriptions. Match each item to its corresponding description.

Items:
• Information access policy
• Sourcing practices
• Information security management practices

Descriptions:
• Leading and facilitating the implementation of an organizationwide IT security program
• Grants access to only those resources at or below a specific level of sensitivity
• Asks "can this function be performed by another party or in another location for the same or lower price, with the same or higher quality, and without increasing risk?"

Page 22: Chapter 2 – Information Security Management

Answers: Each term is followed by the appropriate description.

• Information access policy: Grants access to only those resources at or below a specific level of sensitivity
• Sourcing practices: Asks "can this function be performed by another party or in another location for the same or lower price, with the same or higher quality, and without increasing risk?"
• Information security management practices: Leading and facilitating the implementation of an organizationwide IT security program

Page 23: Chapter 2 – Information Security Management

Real-World Example: An organization is using human resources (HR) management software that it had developed by a vendor several years ago. The software maintains confidential information typically kept in personnel files, such as salary levels and management reviews. On performing a review, the IS auditor found that there were no written policies or guidelines indicating the type of authentication necessary for accessing the information in the software and that the organization typically used a four-character password for all items requiring access controls.

Think About It: What is the risk associated with this situation?

Page 24: Chapter 2 – Information Security Management

Answer: The lack of sufficient access controls poses a serious risk to an organization's information integrity.

Think About It: What do you, as an IS audit expert, think could have been done proactively to prevent this organization from being in this situation?

Page 25: Chapter 2 – Information Security Management

Answer: To prevent a situation like this from occurring, an organization should have proper access control policies, processes and strategies in place. This would involve performing regularly scheduled reviews and/or audits of all information assets requiring security and updating the organization's information security directive as appropriate. Additional proactive controls could also include addenda to, and reviews of, the vendor contract with specific security requirements, and requiring password complexity rules.

Page 26: Chapter 2 – Information Access

Typical information security policies addressing information access include the following:

• Individuals are granted access to only those resources at or below a specific level of sensitivity.

• Labels are used to indicate the sensitivity level of electronically stored documents.

• Policy-based controls may be characterized as either mandatory or discretionary.

• Controls should not disrupt the usual work flow more than necessary or place too much burden on administrators, auditors or authorized users.

• Access controls must adequately protect all the organization's resources.
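The first, second and third bullets above describe a policy that can be checked mechanically: every stored document carries a sensitivity label, a user may only reach documents at or below a set level, and the decision is policy-based (a mandatory label rule the owner cannot waive, plus an optional discretionary grant by the data owner). The following is an added example, not code from the ISACA review material; the level names, users, documents and the rule that public documents are readable by everyone are constructed assumptions for illustration.

```python
# Added example, not from the ISACA review material: a small policy-based access
# check that applies the rules listed on this slide.  The level names, users and
# documents are constructed for illustration.
from dataclasses import dataclass

# Ordered sensitivity labels; a higher index is more sensitive.
LEVELS = ["public", "internal", "confidential", "restricted"]


def level_index(label):
    """Map a label to its rank; unknown labels are rejected rather than guessed."""
    if label not in LEVELS:
        raise ValueError("unknown sensitivity label: %r" % label)
    return LEVELS.index(label)


@dataclass(frozen=True)
class Document:
    name: str
    label: str                      # sensitivity label stored with the document
    owner: str                      # data owner who may grant discretionary access
    acl: frozenset = frozenset()    # users the owner has explicitly granted


@dataclass(frozen=True)
class Subject:
    user: str
    clearance: str                  # highest label this user may access


def mandatory_check(subject, doc):
    """Mandatory (label-based) rule: readable only if the document's label is at
    or below the subject's clearance.  Neither owner nor user can override it."""
    return level_index(doc.label) <= level_index(subject.clearance)


def discretionary_check(subject, doc):
    """Discretionary rule: the data owner decides who else may read.  Public
    documents are readable by everyone (a constructed policy choice)."""
    if doc.label == "public":
        return True
    return subject.user == doc.owner or subject.user in doc.acl


def may_read(subject, doc):
    """Combine both rules; the mandatory rule is evaluated first so that a
    discretionary grant can never exceed the label policy."""
    if not mandatory_check(subject, doc):
        return False, "label %s exceeds clearance %s" % (doc.label, subject.clearance)
    if not discretionary_check(subject, doc):
        return False, "no discretionary grant from owner %s" % doc.owner
    return True, "permitted"


# Constructed sample data.
DOCUMENTS = [
    Document("cafeteria_menu.txt", "public", "facilities"),
    Document("payroll_2010.xlsx", "confidential", "hr_manager", frozenset({"payroll_clerk"})),
    Document("merger_plan.docx", "restricted", "ceo", frozenset({"cfo", "intern"})),
]
SUBJECTS = [
    Subject("intern", "internal"),
    Subject("payroll_clerk", "confidential"),
    Subject("cfo", "restricted"),
    Subject("auditor", "restricted"),
]


def access_report(subjects=SUBJECTS, documents=DOCUMENTS):
    """Evaluate every subject against every document: {(user, doc): (allowed, reason)}."""
    return {(s.user, d.name): may_read(s, d) for s in subjects for d in documents}


if __name__ == "__main__":
    for (user, name), (allowed, reason) in sorted(access_report().items()):
        print("%-14s %-20s %s (%s)" % (user, name, "ALLOW" if allowed else "DENY", reason))
```

The case worth noticing is the intern on the merger plan: the owner has listed the intern in the ACL, but the label rule is evaluated first and the request is still denied, which is exactly the difference between a mandatory and a discretionary control that the slide's third bullet draws.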

Page 27: Chapter 2 – Segregation of Duties

• The purpose of segregating duties is to aid an organization in reducing some of its business risks through the identification of compensating controls.

• For example, when duties are segregated, access to the computer, the production data library, the production programs, the programming documentation, and the operating system and associated utilities can be limited, and potential damage from the actions of any one person is, therefore, reduced.

Page 28: Chapter 2 – Segregation of Duties

Several control mechanisms can be used to enforce segregation of duties. Examples of these controls are:

• Transaction authorization
• Assets/data ownership
• Access to data

Proper segregation prevents misappropriation of assets, misstated financial statements, inaccurate financial documentation (i.e., errors or irregularities), improper use of funds, and undetected data modifications.

Page 29: Chapter 2 – Segregation of Duties

Transaction authorization is the responsibility of the data owner. Authorization is delegated to the degree that it relates to the particular level of responsibility of the authorized individual in the department. Periodic checks must be performed by management and audit to determine that adequate authorization policies and procedures exist and are implemented.

Page 30: Chapter 2 – Segregation of Duties

Ownership of assets/data must be determined and assigned appropriately. The data owner usually is assigned to a particular user department, and his/her duties should be specific and in writing. The owner of the data has responsibility for determining authorization levels required to limit the exposure of data being accessed by people without a justification to see, modify or use it.

Page 31: Chapter 2 – Segregation of Duties

Controls over access to data are provided by a combination of physical, system, application security and personnel controls in the user area and the information processing facility.

Page 32: Chapter 2 – Segregation of Duties

Information technology and end-user departments should be organized so any single individual does not have too much control or responsibility over critical functions. With segregation of duties, the misuse of data or fraud can be detected in a timely manner and in the normal course of business processes.

Page 33: Segregation of Duties Exercise

Page 34: Segregation of Duties Exercise – Answer

Page 35: Chapter 2 – Compensating Controls

Of course there will be situations where weaknesses exist with segregation of duties (e.g., smaller organizations with fewer staff). In these situations, compensating controls can be used.

Compensating controls include:
• Audit trails
• Reconciliation
• Exception reporting
• Transaction logs
• Supervisor reviews
• Independent reviews

Page 36: Chapter 2 – Compensating Controls

Audit trails are an essential component of all well-designed systems. Audit trails enable the user departments and IS auditor to re-create the actual transaction flow from the point of origination to its existence on an updated file. In the absence of adequate segregation of duties, good audit trails may be an acceptable compensating control. The IS auditor should be able to determine who initiated the transaction, the time of day and date of entry, the type of entry, what fields of information it contained, and what files it updated.
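The last sentence of the slide is a checklist: for every entry the trail must answer who, when, what type, which fields and which files. The following is an added example, not code from the ISACA review material; it builds a constructed five-record audit trail (with one record deliberately missing the user), reconstructs one transaction's flow from origination to posting, and reports records that cannot answer one of those questions. The record layout and field names are assumptions.

```python
# Added example, not from the ISACA review material: a constructed audit trail and
# two checks over it, reconstructing one transaction's flow and flagging records
# that lack an attribute the slide says an auditor must be able to determine.
import json
from datetime import datetime

# Constructed sample trail, one JSON record per line, intentionally not in time
# order.  Record 5 omits the user, so "who initiated" cannot be determined for it.
SAMPLE_TRAIL = """
{"txn": "PO-1001", "user": "jsmith", "ts": "2010-03-02T09:14:05", "entry": "create", "fields": {"vendor": "ACME", "amount": 4800}, "files": ["po_master"]}
{"txn": "PO-1002", "user": "jsmith", "ts": "2010-03-02T11:30:12", "entry": "create", "fields": {"vendor": "ACME", "amount": 950}, "files": ["po_master"]}
{"txn": "PO-1001", "user": "batch", "ts": "2010-03-02T23:00:00", "entry": "post", "fields": {"gl_account": "5010"}, "files": ["gl_ledger", "po_master"]}
{"txn": "PO-1001", "user": "mjones", "ts": "2010-03-02T10:02:41", "entry": "approve", "fields": {"approved_by": "mjones"}, "files": ["po_master"]}
{"txn": "PO-1002", "ts": "2010-03-02T11:31:00", "entry": "modify", "fields": {"amount": 9500}, "files": ["po_master"]}
"""

# What every record must carry: who, when, type of entry, fields, files updated.
REQUIRED = ("txn", "user", "ts", "entry", "fields", "files")


def parse_trail(text):
    """Parse the trail into a list of records, numbering them in file order."""
    records = []
    for raw in text.strip().splitlines():
        if raw.strip():
            rec = json.loads(raw)
            rec["_seq"] = len(records) + 1
            records.append(rec)
    return records


def missing_attributes(records):
    """Return (txn, sequence number, missing attribute names) for incomplete records."""
    problems = []
    for rec in records:
        missing = tuple(k for k in REQUIRED if k not in rec)
        if missing:
            problems.append((rec.get("txn"), rec["_seq"], missing))
    return problems


def reconstruct_flow(records, txn):
    """Order one transaction's entries by timestamp, from origination to posting."""
    own = [r for r in records if r.get("txn") == txn]
    return sorted(own, key=lambda r: datetime.fromisoformat(r["ts"]))


def files_updated(records, txn):
    """Every file the transaction touched, which is where the auditor looks next."""
    return set(f for r in reconstruct_flow(records, txn) for f in r["files"])


if __name__ == "__main__":
    trail = parse_trail(SAMPLE_TRAIL)
    for rec in reconstruct_flow(trail, "PO-1001"):
        print(rec["ts"], rec.get("user", "<unknown>"), rec["entry"], rec["fields"], rec["files"])
    print("files updated:", sorted(files_updated(trail, "PO-1001")))
    print("incomplete records:", missing_attributes(trail))
```

Running it shows PO-1001 as create, approve, post even though the trail stored them out of order, and lists record 5 (the amount change on PO-1002) as unattributable, which is the kind of gap that stops an audit trail from serving as a compensating control.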

Page 38: Chapter 2 – Compensating Controls

Reconciliation is ultimately the responsibility of the user department. In some organizations, limited reconciliation of applications may be performed by the data control group with the use of control totals and balancing sheets. This type of independent verification increases the level of confidence that the application processed successfully and the data are in proper balance.

Page 39: Chapter 2 – Compensating Controls

Exception reporting should be handled at the supervisory level and should require evidence, such as initials on a report, noting that the exception has been handled properly. Management should also ensure that exceptions are resolved in a timely manner.

Page 40: Chapter 2 – Compensating Controls

A transaction log may be manual or automated. An example of a manual log is a record of transactions (grouped or batched) before they are submitted for processing. An automated transaction log or journal provides a record of all transactions processed, and it is maintained by the computer system.

Page 41: Chapter 2 – Compensating Controls

Supervisory reviews may be performed through observation and inquiry or remotely.

Page 42: Chapter 2 – Compensating Controls

Independent reviews are carried out to compensate for mistakes or intentional failures in following prescribed procedures. These are particularly important when duties in a small organization cannot be appropriately segregated. Such reviews will help detect errors or irregularities.

Page 43: Chapter 2 – Compensating Controls

Instructions: Here are two categories and nine descriptions. Determine the appropriate category for each item.

Categories:
• Compensating controls
• Segregated duties

Items:
• Audit trails
• Authorization
• Custody of the assets
• Exception reporting
• Independent reviews
• Reconciliation
• Recording transactions
• Supervisor reviews
• Transaction logs

Page 44: Chapter 2 – Compensating Controls

Answers: Each category is followed by the appropriate items.

Compensating controls:
• Audit trails
• Reconciliation
• Exception reporting
• Transaction logs
• Supervisor reviews
• Independent reviews

Segregated duties:
• Custody of the assets
• Authorization
• Recording transactions
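The segregation-of-duties slides (pages 27 to 32) say no single individual should hold too much control over critical functions, and the exercise above names the three duties to keep apart and the six controls that compensate when they cannot be. The following is an added example, not code from the ISACA review material; it takes a constructed table of who holds which duty, lists users holding two or more of the three segregated duties, and then reports which of those conflicts have no documented control from the compensating-control list. The user names, assignments and documented controls are constructed.

```python
# Added example, not from the ISACA review material: a check that lists which
# users hold incompatible duties and whether a recognised compensating control
# is documented for each conflict.  The users and assignments are constructed.

# The three duties the exercise says must be segregated, and the six
# compensating controls it lists for when they cannot be.
SEGREGATED_DUTIES = frozenset({"authorization", "custody of the assets", "recording transactions"})
COMPENSATING_CONTROLS = frozenset({
    "audit trails", "reconciliation", "exception reporting",
    "transaction logs", "supervisor reviews", "independent reviews",
})

# Constructed assignments: user -> duties held.
ASSIGNMENTS = {
    "acct_clerk": {"recording transactions"},
    "treasurer": {"custody of the assets", "authorization"},
    "office_manager": {"authorization", "custody of the assets", "recording transactions"},
    "dba": {"recording transactions", "backup restore"},
}

# Constructed: controls documented for each user.  "training" is not a
# compensating control in the exercise's sense, so it does not count.
CONTROLS_DOCUMENTED = {
    "treasurer": {"reconciliation", "independent reviews"},
    "office_manager": {"training"},
}


def sod_conflicts(assignments):
    """Users holding two or more of the segregated duties, with the duties they hold."""
    return {
        user: frozenset(duties & SEGREGATED_DUTIES)
        for user, duties in assignments.items()
        if len(duties & SEGREGATED_DUTIES) >= 2
    }


def uncompensated_conflicts(assignments, controls):
    """Conflicts with no documented control from the compensating-control list."""
    return sorted(
        user for user in sod_conflicts(assignments)
        if not (controls.get(user, set()) & COMPENSATING_CONTROLS)
    )


if __name__ == "__main__":
    for user, duties in sorted(sod_conflicts(ASSIGNMENTS).items()):
        print("conflict:", user, sorted(duties))
    print("needs attention:", uncompensated_conflicts(ASSIGNMENTS, CONTROLS_DOCUMENTED))
```

The treasurer's conflict is tolerated because reconciliation and independent reviews are documented for it; the office manager holds all three duties with nothing from the compensating list, so that is the finding. Only duties from the segregated set are counted, so the DBA's extra operational duty does not create a conflict on its own.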

Page 45: Chapter 2 – Risk Management

Effective IT governance will enable an organization to manage and execute appropriate measures to mitigate risks and reduce potential impacts on information resources to an acceptable level.

To achieve this level of risk management, an organization must maintain:

• A collective understanding of the organization's threat, vulnerability and risk profile consistent with management's risk philosophy and position
• An understanding of risk exposure and potential consequences of compromise, including the regulatory, legal, operational and brand impacts
• An awareness of risk management priorities based on potential consequences
• Risk mitigation sufficient to achieve acceptable consequences from residual risk
• Risk acceptance/deference based on an understanding of the potential consequences of residual risk

Page 46: Chapter 2 – Risk Management

Risk management is the process an organization must go through to:

• Identify any vulnerabilities and threats to its information resources
• Decide on the countermeasures to take which may reduce any risk to an acceptable level

An organization must define its risk appetite and its identified risk exposure before it can develop effective risk management strategies or determine what roles and responsibilities are necessary.

Page 47: Chapter 2 – Risk Management

When an organization finds risk, depending on the type of risk and its significance to the business, management and the board have five options:

• Avoid the risk
• Mitigate the risk
• Transfer the risk
• Accept the risk
• Eliminate the risk

Page 48: Chapter 2 – Risk Management

Once risks have been identified, an organization must evaluate existing controls or develop new controls to reduce the vulnerabilities to an acceptable level of risk.

The strength of a control can be measured in terms of its inherent or design strength and the likelihood of its effectiveness. Elements of controls that should be considered when evaluating control strength include whether the controls are:

• Preventive or detective
• Manual or programmed
• Formal or ad hoc

Page 49: Chapter 2 – Risk Management

Once controls have been applied, any remaining risk is called residual risk. Residual risks can be used by management to identify those areas where they can reduce risk even further or where more control is required.

Page 50: Chapter 2 – Risk Management

Real-World Example: A small, growing bank was cited for noncompliance by a regulatory agency because its information security program did not have an independent review. It seems that although a review was performed, it was conducted by an operations officer because he had network administrative access and was the only individual with the expertise to complete the review.

Think About It: Where is the lapse in effective IT governance in this situation?

Page 51: Chapter 2 – Risk Management

Answer: The actual risk here is the lack of segregation of duties. The operations officer with network administrative access is, by default, not independent because he or she has regular access to the system.

Think About It: What do you, as an IS audit expert, think could have been done to prevent this bank from being in this situation?

Page 52: Chapter 2 – Risk Management

Answer: If the bank had the proper IT organizational structure and resource management in place, including proper segregation of duties and duty controls, this situation may not have occurred.

Page 53: Chapter 2 – Process Improvement

Typically, organizations need to measure where they are and where improvement is required, and continuously monitor this improvement. Cost-benefit also needs to be considered along with the following questions:

• What are industry peers doing, and how is your organization placed in relation to them?
• How is your organization placed with regard to industry good practices?
• Based on these comparisons, can your organization be said to be doing enough?
• How can your organization identify what is required to be done to reach an adequate level of management and control over its IT processes?

Page 54: Chapter 2 – Process Improvement

An organization has different levels of process maturity when compared to its peers. In order to assess its maturity level, the organization should provide:

• A set of requirements and the enabling aspects at the different maturity levels
• A scale where the difference can be made measurable
• A scale that lends itself to comparison
• The basis for setting as-is and to-be positions
• Support for gap analysis to determine what needs to be done to achieve a chosen level
• Taken together, a view of how IT is managed in the enterprise

Page 55: Chapter 2 – IT Balanced Scorecard

Goals and metrics that comprise the IT balanced scorecard can be defined at three levels:

• IT goals and metrics that define what the business expects from IT and how to measure it
• Process goals and metrics that define what the IT process must deliver to support IT's objectives and how to measure it
• Activity goals and metrics that establish what needs to happen inside the process to achieve the required performance and how to measure it

Page 56: Chapter 2 – IT Balanced Scorecard

Think About It: Why are measures so important?

Answer: The value of metrics is in their ability to provide a factual basis for defining:

• Strategic feedback to show the present status of the organization from many perspectives for the decision maker
• Diagnostic feedback into various processes to guide improvements on a continuous basis
• Trends in performance over time as the metrics are tracked
• Feedback around the measurement methods themselves, and which metrics should be tracked
• Quantitative inputs to forecasting methods and models for decision support systems

Page 57: Chapter 2 – IT Balanced Scorecard

Think About It: Why do you think measuring of IT performance should be a dynamic process?

It has to be a dynamic process because an organization must consider and account for the complex and changing business environments organizations have today. Accordingly, it can be misleading to program managers if they try and use traditional measurement to assess information technology's contribution to the organization's mission.

Page 58: Chapter 2 – HR

All organizations should have a variety of policies regarding human resource issues. Examples of these policies are:

• Training
• Scheduling and time reporting
• Employee performance evaluations
• Required vacations

Organizations should also have a published code of conduct that specifies all employees' responsibilities to the organization.

Page 59: Chapter 2 – HR

An IS auditor has several responsibilities when evaluating elements of IT human resource management and how it affects an organization's IT governance. These responsibilities include looking for indicators of potential staffing weaknesses or problems such as:

• High staff turnover
• Inexperienced staff
• Lack of succession plans
• Lack of adequate training

Additionally, an IS auditor reviewing an organization's IT resource management should verify that job descriptions, human resource manuals, and organizational charts are in place, accurate and updated regularly.

Page 60: Chapter 2 – HR

Think About It: What are some reasons that HR and IT must work together in an organization seeking to achieve effective IT governance?

HR provides the link for the staffing and training component of the organization. This directly impacts the quality of the staff and the performance of IT duties. In order for HR personnel to effectively and accurately fill positions, they need to communicate closely with the IT department to obtain a clear understanding of IT's needs. Additionally, there is an ongoing need for HR involvement in the overall management of IT resources, such as employee education and training, termination, compliance and, of course, overall IT governance.

Page 61: Chapter 2 – IT Resource Allocation

When developing an IS strategic plan, senior management is responsible for identifying cost-effective IT solutions to address the organization's problems and opportunities.

It is important that the strategic planning process encompasses not just the delivery of new systems and technology, but considers the returns being achieved from investments in existing technology. This can be done using the following:

• Considering the return on investment (ROI) and total cost of ownership for all endeavors
• Understanding allocation practices
• Effective budgeting
• Change management

Page 62: Chapter 2 – IT Resource Allocation

What are the strategic issues that need to be addressed relative to value?

• A clear and shared understanding of the expected benefits
• Clear accountability for realizing the benefits
• Relevant metrics
• An effective benefits realization process

Page 63: Chapter 2 – IT Resource Allocation

How do post-implementation reviews impact value?

A post-implementation review is a review of the implementation process against the methodology and budget of the project, measuring the expected results against the success metrics. The IS auditor and the IT project team need to review the results and develop steps for improvement.