CISA Review Course 26th Edition Domain 2: Governance and Management of IT

© Copyright 2016 ISACA. All rights reserved.

Task 2.8

Evaluate IT management and monitoring of controls (e.g., continuous monitoring and quality assurance [QA]) for compliance with the organization’s policies, standards and procedures.

Task 2.8 Key Terms

Continuous auditing approach: This approach allows IS auditors to monitor system reliability on a continuous basis and to gather selective audit evidence through the computer.

Control: The means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of an administrative, technical, management or legal nature. Also used as a synonym for safeguard or countermeasure.

Quality assurance: A planned and systematic pattern of all actions necessary to provide adequate confidence that an item or product conforms to established technical requirements. (ISO/IEC 24765)

Task to Knowledge Statements

How does Task 2.8 relate to each of the following knowledge statements?

K2.6 Knowledge of the processes for the development, implementation and maintenance of IT strategy, policies, standards and procedures
Connection: Impact of legislative requirements on the organization’s standards, policies, procedures and processes

K2.7 Knowledge of the use of capability and maturity models
Connection: Understanding management techniques to continuously improve IT performance

K2.8 Knowledge of process optimization techniques
Connection: Role of quality management in bridging the gap between current state and desired state

K2.13 Knowledge of quality management and quality assurance (QA) systems
Connection: Understanding of structures, roles and responsibilities of the QA function within the enterprise and the use of key performance indicators (KPIs) in driving performance optimization for effective IT governance

K2.14 Knowledge of practices for monitoring and reporting of IT performance (e.g., balanced scorecards [BSCs] and key performance indicators [KPIs])
Connection: Concepts related to establishing, monitoring and reporting processes needed by the governance team to evaluate performance and provide direction to senior management

Process Maturity Frameworks

• Maintaining consistency, efficiency and effectiveness of IT processes requires the implementation of a process maturity framework.
• Several different models may be encountered in organizations, including:
  o COBIT Process Assessment Model (PAM) — defines the minimum requirements for conducting an assessment to ensure reliable results
  o IDEAL model — designed to guide the planning and implementation of effective software improvement
  o CMMI — provides the essential elements of effective processes; used as a guide to process improvement across a project, division or organization

The PDCA Method

• Plan: Establish objectives and processes needed to deliver desired results.
• Do: Implement the plan, collecting data for charting and analysis.
• Check: Study results from the “Do” step, looking for deviations from desired results.
• Act: Analyze deviations and request corrective actions.

Quality Management

• The development and maintenance of defined and documented IT quality management processes is evidence of effective GEIT.
• Quality management defines a set of tasks that produce desired results when properly performed.
• Various standards provide guidelines for the governance of quality management, including those in ISO/IEC 27000.
• The IS auditor should be aware of quality management. However, the CISA exam does not test specifics on any ISO standards.

Indicators of Problems

• Unfavorable end-user attitudes
• Excessive costs
• Budget overruns
• Late payments
• High staff turnover
• Inexperienced staff
• Frequent hardware or software errors
• Excessive backlog of user requests
• Slow computer response time

Indicators of Problems (cont’d)

• Numerous suspended development projects
• Unsupported hardware/software purchases
• Frequent hardware/software purchases
• Extensive exception reports
• Low follow-up on exception reports
• Poor motivation
• Absence of succession plans
• Overreliance on one or two key people
• Lack of adequate training

Reviewing Documentation

• During an IS audit, these documents should be reviewed:
  o IT strategies, plans and budgets
  o Security policy documentation
  o Organization/functional charts and job descriptions
  o IT steering committee reports
  o System development and program change procedures
  o Operations procedures
  o HR manuals
  o QA procedures
• It should be determined whether these documents:
  o Were created as management authorized and intended
  o Are current and up to date

Reviewing Contracts

• Each phase of acquiring computer hardware, software and IT services should be supported by a contract.
• The IS auditor should:
  o Verify management participation in the contracting process.
  o Ensure the presence of timely contract compliance review.
  o Evaluate the adequacy of various contract terms and conditions.
  o Be familiar with the request for proposal (RFP) process.

In the Big Picture

Task 2.8: Evaluate IT management and monitoring of controls (e.g., continuous monitoring and quality assurance [QA]) for compliance with the organization’s policies, standards and procedures.

The Big Picture: As a foundation to proper governance of enterprise IT, the IS auditor needs to see how management is measuring compliance with policies and regulations.

Discussion Question

An IS auditor is performing a review of the software quality management process in an organization. The FIRST step should be to:
A. verify how the organization follows the standards.
B. identify and report the controls currently in place.
C. review the metrics for quality evaluation.
D. request all standards that have been adopted by the organization.

Discussion Question

When developing a formal enterprise security program, the MOST critical success factor (CSF) would be the:
A. establishment of a review board.
B. creation of a security unit.
C. effective support of an executive sponsor.
D. selection of a security process owner.

Task 2.9

Evaluate monitoring and reporting of IT key performance indicators (KPIs) to determine whether management receives sufficient and timely information.

Task 2.9 Key Terms

Key performance indicator (KPI): A measure that determines how well the process is performing in enabling the goal to be reached. A lead indicator of whether a goal will likely be reached, and a good indicator of capabilities, practices and skills. It measures an activity goal, which is an action that the process owner must take to achieve effective process performance.

Task to Knowledge Statements

How does Task 2.9 relate to each of the following knowledge statements?

K2.10 Knowledge of IT supplier selection, contract management, relationship management and performance monitoring processes, including third-party outsourcing relationships
Connection: Relationship between vendor management and contractual terms and their impact on driving IT governance of the outsourcing entity

K2.11 Knowledge of enterprise risk management (ERM)
Connection: Risk analysis methods used in aligning ERM with the results from monitoring and reporting of IT KPIs

K2.14 Knowledge of practices for monitoring and reporting of IT performance (e.g., balanced scorecards [BSCs] and key performance indicators [KPIs])
Connection: Understanding and using concepts and techniques related to establishing, monitoring and reporting processes needed by the governance team to evaluate performance and provide direction to senior management

Financial Management

• The IS budget allows for an adequate allocation of funds and for forecasting, monitoring and analyzing financial information.
• The budget should be linked to short- and long-range IT plans.
• A “user-pays” scheme can improve application and monitoring of IS expenses and resources.
  o In this arrangement, end users are charged for the costs of the IS services they receive.
  o These charges are based on a standard formula and include such IS services as staff time, computer time and other relevant costs.

Performance Optimization

• Performance optimization is the process of improving perceived service performance while bringing IS productivity to the highest level possible.
• Ideally, this productivity will be gained without excessive additional investment in the IT infrastructure.
• Effective performance measures are used to create and facilitate action to improve both performance and GEIT.
• These depend upon:
  o The clear definition of performance goals
  o The establishment of effective metrics to monitor goal achievement

Tools and Techniques

• Several tools and techniques can be employed to facilitate performance measurement, ensure good communication and support organizational change.
• These include:
  o Six Sigma
  o IT BSC
  o KPIs
  o Benchmarking
  o Business process reengineering (BPR)
  o Root cause analysis
  o Life cycle cost-benefit analysis

Tools and Techniques (cont’d)

Six Sigma: A quantitative process analysis, defect reduction and improvement approach
IT BSC: A process management evaluation technique that can be effectively applied to assess IT functions and processes
KPI: A measure that determines how well a process is performing in enabling a goal to be reached
Benchmarking: A systematic approach to comparing enterprise performance against competitors to learn methods
BPR: The thorough analysis and redesign of business processes to establish a better performing structure with cost savings
Root cause analysis: The process of diagnosis to establish the origins of events so that controls can be developed to address these causes
Life cycle cost-benefit analysis: Assessment of life cycle, life cycle cost and benefit analysis to determine strategic direction for IT systems

In the Big Picture

Task 2.9: Evaluate monitoring and reporting of IT key performance indicators (KPIs) to determine whether management receives sufficient and timely information.

The Big Picture: Only through timely, objective measurement processes can the IS auditor truly determine if management has the relevant information to manage GEIT.

Discussion Question

While reviewing a quality management system (QMS), the IS auditor should PRIMARILY focus on collecting evidence to show that:
A. quality management systems (QMSs) comply with good practices.
B. continuous improvement targets are being monitored.
C. standard operating procedures of IT are updated annually.
D. key performance indicators (KPIs) are defined.

Discussion Question

Before implementing an IT balanced scorecard (BSC), an organization must:
A. deliver effective and efficient services.
B. define key performance indicators.
C. provide business value to IT projects.
D. control IT expenses.

Task 2.10

Evaluate the organization’s business continuity plan (BCP), including the alignment of the IT disaster recovery plan (DRP) with the BCP, to determine the organization’s ability to continue essential business operations during the period of an IT disruption.

Key Terms

Business continuity: Preventing, mitigating and recovering from disruption. The terms “business resumption planning,” “disaster recovery planning” and “contingency planning” also may be used in this context. They focus on recovery aspects of continuity, and for that reason the “resilience” aspect should also be taken into account.

Business continuity plan (BCP): A plan used by an enterprise to respond to disruption of critical business processes; depends on the contingency plan for restoration of critical systems.

Disaster recovery plan (DRP): A set of human, physical, technical and procedural resources to recover, within a defined time and cost, an activity interrupted by an emergency or disaster.

Task to Knowledge Statements

How does Task 2.10 relate to each of the following knowledge statements?

K2.11 Knowledge of enterprise risk management (ERM)
Connection: Understanding both the organizational risk appetite and cost-benefit analysis, so that the risk appetite is not exceeded and the cost of a control does not exceed the benefits derived from the risk mitigation

K2.15 Knowledge of business impact analysis (BIA)
Connection: Understanding the BIA as a key driver of the BCP/disaster recovery process

Task to Knowledge Statements (cont’d)

How does Task 2.10 relate to each of the following knowledge statements?

K2.16 Knowledge of the standards and procedures for the development, maintenance and testing of the business continuity plan (BCP)
Connection: Understanding the life cycle of BCP/DRP development and maintenance

K2.17 Knowledge of procedures used to invoke and execute the business continuity plan and return to normal operations
Connection: Understanding how the BIA defines the triggers to initiate the various actions within the BCP/DRP

Policy Management

• The management of information security ensures that an organization’s information and the resources used to process the information are properly protected.
• An information security program is established through:
  o Assessing the risk to IT assets
  o Mitigating the risk to a level determined by management
  o Monitoring remaining residual risk

Policy Management (cont’d)

• Information security management programs include the development of the following, as related to IT department functions in support of critical business processes:
  o BIA
  o BCP
  o DRP

Business Continuity Planning

• In the event of a disruption of normal business operations, the BCP and DRP can allow critical processes to carry on.
• Responsibility for the BCP rests with senior management, but its execution usually lies with business and supporting units.
• The plan should address all functions and assets that will be required to continue as a viable operation immediately after encountering an interruption and while recovery is taking place.

Disaster Management

• An IT DRP is a structured collection of processes and procedures designed to speed response and ensure business continuity in the event of a disaster.
• Various roles and responsibilities for teams are defined in the DRP.
• The IS auditor should have knowledge of team responsibilities, which are likely to vary from organization to organization.

The BCP and DRP

• The DRP is a part of the BCP.
• It outlines the restoration plan that will be used to return operations to a normal state.
• In general, a single integrated plan is recommended to ensure that:
  o Coordination between various plan components supports response and recovery.
  o Resources are used in the most effective way.
  o Reasonable confidence can be maintained that the enterprise will survive a disruption.

IT BCP

• IT service continuity is often critical to the organization, and developing and testing an information system BCP/DRP is a major component of enterprise-wide continuity planning.
• Points of vulnerability are identified and considered during the risk assessment process.
• The potential for harm from these can be quantified through a BIA.

BCP Process

The BCP process can be divided into life cycle phases, as shown in the Business Continuity Planning Life Cycle figure (a cycle of the following phases):
1. Project planning (BC policy, project scope)
2. Risk assessment and analysis
3. Business impact analysis
4. BC strategy development
5. Strategy execution (risk countermeasures implementation)
6. BC plan development
7. BC awareness training
8. BC plan testing
9. BC plan monitoring, maintenance and updating

Source: ISACA, CISA Review Manual 26th Edition, figure 2.14

Disasters and Disruptions

• Disasters are likely to require recovery efforts to restore the operational status of information resources.
• Categories of disasters include:
  o Natural calamities
  o Pandemics, epidemics or other infectious outbreaks
  o Utility disruptions
  o Actions by humans, whether intentionally harmful or through error
  o Hardware or software malfunctions
  o Incidents causing damage to image, reputation or brand
• Some events are unforeseeable. These are referred to as “black swan” events.

Business Continuity Policy

• A business continuity policy should be proactive, delivering the message that all possible controls to both detect and prevent disruptions should be used.
• The policy is a document approved by top management; it serves several purposes:
  o It carries a message to internal stakeholders that the organization is committed to business continuity.
  o As a statement to the organization, it empowers those who are responsible for business continuity.
  o It communicates to external stakeholders that obligations, such as service delivery and compliance, are being taken seriously.

Incident Mitigation

Incident and Impact Relationship Diagram: controls (risk countermeasures) are grouped by whether they reduce the likelihood of an incident (preventive controls) or mitigate its consequences (detective and corrective controls). Controls shown in the figure: infrastructure monitoring; capacity management; configuration management; risk management; UPS or power generator; incident management (help desk); backup and recovery; BCP or IT DRP; spare processing site; special clauses in vendor/supplier contracts.

Source: ISACA, CISA Review Manual 26th Edition, figure 2.15

BCP Incident Management

• By their nature, incidents and crises often unfold dynamically and rapidly in unforeseeable directions.
• Management of such situations requires a proactive approach and supporting documentation.
• All incidents should be classified at one of the following levels:
  o Negligible — causing no perceptible damage
  o Minor — producing no negative financial or material impact
  o Major — causing a negative material impact on business processes; possible effects on other systems, departments or outside stakeholders
  o Crisis — resulting in serious material impact on the continued functioning of the enterprise and its stakeholders
• Note that the classification of an incident can change as events proceed.

BCP Plan Components

• The BCP should include:
  o Continuity of operations plan
  o Disaster recovery plan
  o Business resumption plan
• It may also include:
  o IT contingency plan
  o Crisis communications plan
  o Incident response plan
  o Transportation plan
  o Occupant emergency plan
  o Evacuation plan
  o Emergency relocation plan

Plan Testing

• The critical components of a BCP should be tested under simulated conditions to accomplish objectives such as these:
  o Verify the accuracy of the BCP.
  o Evaluate the performance of involved personnel.
  o Evaluate coordination among response team members and external parties.
  o Measure the ability and capacity of any backup site to perform as expected.
• Assessing the results and value of the BCP tests is an important responsibility for the IS auditor.

Auditing Business Continuity

• When auditing business continuity, the IS auditor must complete a number of tasks, for example:
  o Understanding the connections between the BCP and business objectives
  o Evaluating the BCP and determining its adequacy and currency
  o Verifying BCP effectiveness through a review of plan testing
  o Evaluating cloud-based mechanisms and offsite storage
  o Assessing the ability of personnel to respond effectively in the event of an incident

BCP Audit Review

1. Review the BCP document.
2. Review the applications covered by the BCP.
3. Review the business continuity teams.
4. Test the plan.

BCP Audit Evaluation

• Evaluate prior test results
• Evaluate offsite storage facilities, including security controls
• Evaluate key personnel through interviews
• Evaluate the alternative processing contract
• Evaluate insurance coverage

In the Big Picture

Task 2.10: Evaluate the organization’s business continuity plan (BCP), including the alignment of the IT disaster recovery plan (DRP) with the BCP, to determine the organization’s ability to continue essential business operations during the period of an IT disruption.

The Big Picture: The IS auditor needs to evaluate the content of the DRP and BCP to determine whether these processes will return the business to normal operations.

Discussion Question

During a review of a business continuity plan, an IS auditor noticed that the point at which a situation is declared to be a crisis has not been defined. The MAJOR risk associated with this is that:
A. assessment of the situation may be delayed.
B. execution of the disaster recovery plan could be impacted.
C. notification of the teams might not occur.
D. potential crisis recognition might be delayed.

Discussion Question

An IS auditor is reviewing an organization’s recovery from a disaster in which not all the critical data needed to resume business operations were retained. Which of the following was incorrectly defined?
A. The interruption window
B. The recovery time objective (RTO)
C. The service delivery objective (SDO)
D. The recovery point objective (RPO)

Domain 2 Summary

• Evaluation of the IT strategy life cycle
• Evaluation of the effectiveness of the IT governance structure
• Evaluation of the IT organizational structure and human resources (personnel) management
• Evaluation of the organization’s IT policies, standards and procedures life cycle
• Evaluation of IT resource management
• Evaluation of IT portfolio management
• Evaluation of risk management practices
• Evaluation of IT management and monitoring of controls
• Evaluation of monitoring and reporting of IT KPIs
• Evaluation of the organization’s business continuity plan
• The importance of a BCP, including the alignment of the IT DRP with the BCP

Discussion Question

When auditing the IT governance framework and IT risk management practices that exist within an organization, the IS auditor identified some undefined responsibilities regarding IT management and governance roles. Which of the following recommendations is the MOST appropriate?
A. Review the strategic alignment of IT with the business.
B. Implement accountability rules within the organization.
C. Ensure that independent IS audits are conducted periodically.
D. Create a chief risk officer (CRO) role in the organization.

Discussion Question

To optimize an organization’s BCP, an IS auditor should recommend a BIA to determine:
A. the business processes that generate the most financial value for the organization and, therefore, must be recovered first
B. the priorities and order for recovery to ensure alignment with the organization’s business strategy
C. the business processes that must be recovered following a disaster to ensure the organization’s survival
D. the priorities and order of recovery, which will recover the greatest number of systems in the shortest time frame