Chapter 2
IT Governance
2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 2 - Pag - 1
Chapter Overview
Corporate Governance
IT Governance
Information Systems Strategy
Policies and Procedures
Risk Management
Information Systems Management Practices
IS Organizational Structure and
Responsibilities
Auditing the Management, Planning
and Organization of IS
Chapter Objective
Ensure that the CISA candidate
understands and can provide assurance
that the organization has the structure,
policies, accountability mechanisms
and monitoring practices in place to
achieve the requirements of
corporate governance of IT.
Chapter Summary
According to the CISA Certification
Board, this Content Area will represent
approximately 15% of the CISA
examination.
(approximately 30 questions)
2.1 Corporate Governance
Ethical corporate behavior by directors or
others charged with governance in the
creation and presentation of value for all
stakeholders
Establishment of rules in managing and
reporting business risks
IT governance
Corporate Governance
Corporate governance is a set of
responsibilities and practices used by an
organization's management to provide
strategic direction, thereby ensuring that
goals are achievable, risks are properly
addressed and organizational resources are
properly utilized.
Corporate Governance
ITGI Best Practices for Corporate
Governance
IT governance is the responsibility of the board of
directors and executive management. It is an integral
part of enterprise governance and consists of the
leadership and organizational structures and
processes that ensure that the organization's IT
sustains and extends the organization's strategy and
objectives.
2.2 Monitoring and Assurance Practices
for Board and Executive Management
IT Governance encompasses:
Information systems
Technology
Communication
IT Governance helps ensure the alignment of IT and enterprise
objectives.
Fundamentally IT governance is concerned with two issues
IT delivers value to the business
driven by strategic alignment of IT with the business
IT risks are mitigated
driven by embedding accountability into the
enterprise
IT Governance is the responsibility of the board of directors
and executive management
Chapter 2 Question
IT governance ensures that an
organization aligns its IT strategy with:
A. enterprise objectives.
B. IT objectives.
C. audit objectives.
D. control objectives.
Chapter 2 Question 8
An IS auditor should ensure that IT governance
performance measures:
Monitoring and Assurance Practices for Board
and Executive Management
Performance
Measurement
Monitoring and Assurance Practices for Board and
Executive Management
IT Strategy committee
Is a mechanism for incorporating IT governance into
enterprise governance
As a committee of the board, it assists the board on
overseeing the enterprise's IT-related matters by
ensuring that the board has the internal and external
information IT requires for effective IT governance
decision making
Organizations have had steering committees at an
executive level to deal with IT issues that are relevant
organization-wide. There should be a clear
understanding of both the IT strategy and steering
levels. The ITGI has issued a document that clearly
analyzes the distinction between them.
Monitoring and Assurance Practices for Board
and Executive Management
Risk Management
Monitoring and Assurance Practices for
Board and Executive Management
Importance of Information Security
Governance
Information security (infosec) covers all
information processes, physical and
electronic, regardless of whether they
involve people and technology or
relationships with trading partners,
customers and third parties. Information
security is concerned with all aspects of
information and its protection at all points of
its life cycle within the organization.
Monitoring and Assurance Practices for
Board and Executive Management
Importance of Information Security
Governance
Effective information security can add
significant value to the organization by:
Providing greater reliance on interactions
with trading partners
Improving trust in customer relationships
Protecting the organization's reputation
Enabling new and better ways to process
electronic transactions
Monitoring and Assurance Practices for
Board and Executive Management
Boards of Directors/Senior
Management
Executive Management
Steering Committee
CISO
Monitoring and Assurance Practices for
Board and Executive Management
Enterprise Architecture
Monitoring and Assurance Practices for
Board and Executive Management
Enterprise Architecture
Basic Zachman Framework (diagram not reproduced; the rows visible on the
slide include the Technology Model and the Detailed Representation)
Monitoring and Assurance Practices for Board
and Executive Management
Enterprise Architecture
The Federal Enterprise Architecture (FEA)
has a hierarchy of five reference models
Performance
Business
Service component
Technical
Data
2.3 Information Systems
Strategy
Strategic Planning
From an information systems standpoint it
relates to the long-term direction an
organization wants to take in leveraging
information technology for improving its
business processes.
Effective IT strategic planning involves a
consideration of the organization's demand
for IT and its IT supply capacity.
Information Systems Strategy
Steering Committee(s)
The organization's senior management should
appoint a planning or steering committee to
oversee the information systems function and
its activities. A high-level steering committee
for information technology is an important
factor in ensuring that the information systems
department is in harmony with the corporate
mission and objectives.
Information Systems Strategy
Planning / Steering Committee
Review Board for major IS projects
Steering Committee
Chapter 2 Question 9
Which of the following would be included in an
IS strategic plan?
A. Specifications for planned hardware
purchases
B. Analysis of future business objectives
C. Target dates for development projects
D. Annual budgetary targets for the IS
department
Chapter 2 Question 10
Which of the following BEST describes an IT
department's strategic planning process?
A. The IT department will have either short-range or
long-range plans depending on the organization's
broader plans and objectives.
B. The IT department's strategic plan must be time-
and project-oriented, but not so detailed as to address
and help determine priorities to meet business needs.
C. Long-range planning for the IT department should
recognize organizational goals, technological
advances and regulatory requirements.
D. Short-range planning for the IT department does
not need to be integrated into the short-range plans of
the organization, since technological advances will
drive the IT department plans much quicker than
organizational plans.
2.4 Policies and Procedures
Policies
High level
Low level
Procedures
Policies and Procedures
Policies
Policies are high-level documents. They
represent the corporate philosophy of an
organization and the strategic thinking of
senior management and the business
process owners. To be effective, they must be
clear and concise.
Policies are "rules of the road." They are part
of the fundamental documentation for internal
control systems.
Policies and Procedures
Information Security Policy
Information security policy provides
management the direction and support for
information security in accordance with
business requirements and relevant laws and
regulations. Management should set a clear
policy direction in line with business
objectives and demonstrate support for and
commitment to information security through
the issuance and maintenance of an
information security policy for the
organization.
Policies and Procedures
Information Security Policy Document
Definition of information security
Statement of management intent
Framework for setting control objectives
Brief explanation
Definition of responsibilities
References to documentation
Policies and Procedures
Review of Information Security Policy
Input of management review
Feedback from interested parties
Results of independent reviews
Status of preventive and corrective actions
Results of previous management reviews
Process performance and information security policy compliance
Changes that could affect the organization's approach to managing
information security, including changes to the organizational
environment; business circumstances; resource availability;
contractual, regulatory and legal conditions; or technical
environment
Trends related to threats and vulnerabilities
Reported information security incidents
Recommendations provided by relevant authorities
Policies and Procedures
Review of Information Security Policy
Output from management review
Improvement of the organization's
approach to managing information security
and its processes
Improvement of control objectives and
controls
Improvement in the allocation of resources
and/or responsibilities
Policies and Procedures
Procedures
Procedures are detailed documents.
They must be derived from the parent
policy and must implement the spirit
(intent) of the policy statement.
Procedures must be written in a clear
and concise manner, so they may be
easily and properly understood by those
governed by them.
2.5 Risk Management
The process of identifying vulnerabilities and
threats to the information resources used by
an organization in achieving business
objectives
A summary of this concept is shown in the
following equation:
Total risk = Threats x Vulnerability x Asset value
Risk Management
Developing a Risk Management Program
Establish the purpose of the risk
management program
Assign responsibility for the risk
management plan
Risk Management
Risk Management Process
Identification and classification of
information resources or assets that need
protection
Assess threats and vulnerabilities and the
likelihood of their occurrence
Risk Management
IT risk management needs to operate at
multiple levels including:
Operation: risks that could compromise the
effectiveness of IT systems and supporting
infrastructure
Project: risks management needs to focus on the
ability to understand and manage project complexity
Strategic: the risk focus shifts to considerations such
as how well the IT capability is aligned with the
business strategy
Risk Management
Risk Analysis Methods:
Qualitative and Quantitative
Qualitative Analysis Methods
Are the simplest and most frequently used
Are based on checklists and subjective risk ratings
Semiquantitative Analysis Methods
The descriptive rankings are associated with a numerical scale.
Such methods are frequently used when it is not possible to utilize a
quantitative method or to reduce subjectivity in qualitative methods.
Quantitative Analysis Methods
Use numerical values to describe the likelihood and impacts of
risks, using data from several types of sources, such as historic
records, past experiences, industry practices and records, statistical
theories, testing and experiments.
Probability and expectancy
Are based on classical statistical theories of probability and
expectancy
Annual loss expectancy method
Simplifies the assignment of value and probability in a
manner that is easier to quantify.
Risk Management
Management and IS auditors should keep in
mind certain considerations:
Risk management should be applied to IT functions company-wide
It is a senior management responsibility
Quantitative RM is preferred over qualitative approaches
Quantitative RM always faces the challenge of estimating risks
Quantitative RM provides more objective assumptions
The real complexity or the apparent sophistication of the
methods or packages used should not be a substitute for
common sense or professional diligence
Special care should be given to very-high-impact events, even if
their probability of occurrence over time is very low.
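The following is an added worked example, not code from the ISACA course material. It scores a constructed list of risk scenarios both ways described on the preceding slides: a semiquantitative score that maps descriptive rankings (low/medium/high) onto a numeric scale and applies the slide's formula Total risk = Threats x Vulnerability x Asset value, and a quantitative annual loss expectancy. The slide only names the ALE method; the standard definitions ALE = SLE x ARO and SLE = asset value x exposure factor are assumed here. The ranking function also flags very-high-impact events whose annualised figure is small, which is the "special care" point made above. All asset names, values and probabilities are constructed.

```python
"""Added example: semiquantitative T x V x A scoring and quantitative ALE.

Asset data, the ranking scale and the high-impact threshold are all
constructed for illustration; ALE = SLE x ARO is the standard definition
assumed here since the slide only names the method.
"""
from dataclasses import dataclass

# Constructed mapping of descriptive rankings to a numeric scale.
SCALE = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Scenario:
    asset: str
    threat: str             # descriptive ranking: low / medium / high
    vulnerability: str      # descriptive ranking: low / medium / high
    asset_value_rank: str   # descriptive ranking: low / medium / high
    asset_value_usd: float  # monetary value used by the quantitative path
    exposure_factor: float  # fraction of asset value lost per incident (0..1)
    annual_rate: float      # ARO: expected number of incidents per year


def semiquantitative_score(s: Scenario) -> int:
    """Total risk = Threats x Vulnerability x Asset value on the 1..3 scale."""
    return SCALE[s.threat] * SCALE[s.vulnerability] * SCALE[s.asset_value_rank]


def single_loss_expectancy(s: Scenario) -> float:
    """SLE: loss expected from a single occurrence of the scenario."""
    return s.asset_value_usd * s.exposure_factor


def annual_loss_expectancy(s: Scenario) -> float:
    """ALE = SLE x ARO (standard definition, assumed here)."""
    return single_loss_expectancy(s) * s.annual_rate


def rank_scenarios(scenarios, high_impact_threshold_usd: float):
    """Rank scenarios by ALE (highest first) and flag any whose single-loss
    figure exceeds the threshold, so a rare, very-high-impact event is not
    buried just because its annualised figure is modest."""
    rows = []
    for s in scenarios:
        sle = single_loss_expectancy(s)
        rows.append({
            "asset": s.asset,
            "score": semiquantitative_score(s),
            "sle": sle,
            "ale": sle * s.annual_rate,
            "high_impact": sle >= high_impact_threshold_usd,
        })
    rows.sort(key=lambda r: r["ale"], reverse=True)
    return rows


# Constructed scenarios (not from the course material).
SCENARIOS = [
    Scenario("customer database", "high", "medium", "high",
             2_000_000, 0.25, 0.5),
    Scenario("public website", "high", "high", "low",
             100_000, 0.40, 4.0),
    # Rare but catastrophic: low threat and vulnerability rankings and a
    # small ALE, yet a single event would be unaffordable.
    Scenario("data center", "low", "low", "high",
             10_000_000, 1.0, 0.01),
]


if __name__ == "__main__":
    for row in rank_scenarios(SCENARIOS, high_impact_threshold_usd=1_000_000):
        flag = "  <- special care: very high impact" if row["high_impact"] else ""
        print(f"{row['asset']:<18} score={row['score']:>2} "
              f"SLE={row['sle']:>12,.0f} ALE={row['ale']:>10,.0f}{flag}")
```

Run stand-alone, the data center scenario sorts last on both the descriptive score (3) and ALE (100,000), which is exactly why it carries the high-impact flag: neither method alone would draw management's attention to it.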
2.6 IS Management Practices
Personnel Management
Hiring practices
Employee handbook
Promotion policies
Training
IS Management Practices
Personnel Management
Scheduling and time reporting
Employee performance evaluations
Required vacations
Termination policies
IS Management Practices
Outsourcing Practices (Service Level
Agreements)
Reasons for embarking on outsourcing
Services provided by a third party
Possible advantages
Possible disadvantages and business risks
Means of reduction of business risks
Service Level Agreements
Audit/security concerns
IS Management Practices
Strategies in Audit of Outsourcing
Third Party Audit Report
IS Management Practices
Capacity and growth planning
Given the strategic importance of IT in
companies and the constant change in
technology, capacity and growth planning are
essential. This activity must be reflective of
the long- and short-range business plans and
must be considered within the budgeting
process.
IS Management Practices
Third-party Service Delivery
Management
Service delivery
Monitoring and review
Managing changes
Service improvement and user satisfaction
Industry Standards/Benchmarking
IS Management Practices
Organizational Change management
Change management is the management of IT
changes for the organization through a defined
and documented process that identifies and
applies technology improvements, at the
infrastructure and application level, that benefit
the organization, and that involves all levels of
the organization affected by the changes.
IS Management Practices
Financial Management Practices
Financial management is a critical
element of all business functions. In a
cost-intensive computer environment, it
is imperative that sound financial
management practices be in place.
user-pays scheme
chargeback
IS Budgets
IS Management Practices
Quality Management
Software development, maintenance and
implementation
Acquisition of hardware and software
Day-to-day operations
Security
Human resource management
General administration
IS Management Practices
Information Security Management
Performance Optimization
The broad phases of performance measurement:
Establishing and updating performance measures
Establishing accountability for performance measures
Gathering and analyzing performance data
Reporting and using performance information
2.7 IS Organizational Structure and
Responsibilities
IS Organizational Structure
and Responsibilities
IS Roles & Responsibilities
Systems Development Manager
Help Desk
End user
Data management
IS Organizational Structure
and Responsibilities
IS Roles & Responsibilities
Control group
Media management
Data entry
Systems administration
Security administration
Quality assurance
Database administration
IS Organizational Structure
and Responsibilities
IS Roles & Responsibilities
Systems analysis
Security Architect
Application programming
Systems programming
Network management
IS Organizational Structure
and Responsibilities
Segregation of Duties Within IS
Avoids possibility of errors or
misappropriations
Chapter 2 Question 2
Which of the following tasks may be performed by the
same person in a well-controlled information
processing computer center?
A. Security administration and change management
B. Computer operations and system development
C. System development and change management
D. System development and systems maintenance
Chapter 2 Question 3
Which of the following is the MOST
critical control over database
administration?
A. Approval of DBA activities
B. Segregation of duties
C. Review of access logs and activities
D. Review of the use of database tools
Chapter 2 Question 4
The MOST important responsibility of a data
security officer in an organization is:
A. recommending and monitoring data security
policies.
B. promoting security awareness within the
organization.
C. establishing procedures for IT security
policies.
D. administering physical and logical access
controls.
Chapter 2 Question 5
When a complete segregation of duties cannot
be achieved in an online system environment,
which of the following functions should be
separated from the others?
A. Origination
B. Authorization
C. Recording
D. Correction
Chapter 2 Question 6
In a small organization, where segregation of
duties is not practical, an employee performs the
function of computer operator and application
programmer. Which of the following controls should
the IS auditor recommend?
A. Automated logging of changes to development libraries
B. Additional staff to provide segregation of duties
C. Procedures that verify that only approved program
changes are implemented
D. Access controls to prevent the operator from making
program modifications
Chapter 2 Question 7
Which of the following is MOST likely to
be performed by the security
administrator?
A. Approving the security policy
B. Testing application software
C. Ensuring data integrity
D. Maintaining access rules
IS Organizational Structure
and Responsibilities
Segregation of Duties Controls
Transaction authorization
Custody of assets
Access to data
Authorization forms
User authorization tables
IS Organizational Structure
and Responsibilities
Compensating controls for Lack of
Segregation of Duties
Audit trails
Reconciliation
Exception reporting
Transaction logs
Supervisory reviews
Independent reviews
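An added worked example (not from the ISACA course material) for the segregation-of-duties and compensating-control slides above: it checks a set of user role assignments against role pairs that should not be held by one person, and, where a conflict cannot be avoided, decides whether the compensating controls recorded for that user actually compensate. The conflict pairs, the compensation rule (a recorded trail plus an independent review of it) and the user data are all constructed for illustration and are not ISACA's lists; the role and control names are taken from the slides.

```python
"""Added example: detecting SoD conflicts in role assignments and checking
whether each conflict is covered by compensating controls.

The conflict pairs, the compensation rule and the sample users are
constructed for illustration; they are not ISACA's lists.
"""

# Constructed set of role pairs that one person should not hold together.
CONFLICTING_PAIRS = {
    frozenset({"application programming", "computer operations"}),
    frozenset({"application programming", "security administration"}),
    frozenset({"application programming", "database administration"}),
    frozenset({"data entry", "quality assurance"}),
}

# Compensating controls named on the slide, split by the job they do:
# trail controls record what happened, review controls make someone
# independent look at the record.
TRAIL_CONTROLS = {"audit trails", "transaction logs"}
REVIEW_CONTROLS = {"supervisory reviews", "independent reviews",
                   "reconciliation", "exception reporting"}


def find_conflicts(roles):
    """Return the conflicting role pairs present in one user's role set,
    as sorted tuples so the result is deterministic."""
    roles = set(roles)
    return sorted(tuple(sorted(p)) for p in CONFLICTING_PAIRS if p <= roles)


def is_compensated(controls):
    """Constructed rule: a conflict counts as compensated only when the
    activity is recorded (a trail control) AND reviewed (a review
    control). A log that nobody reads compensates for nothing."""
    controls = set(controls)
    return bool(controls & TRAIL_CONTROLS) and bool(controls & REVIEW_CONTROLS)


def evaluate(assignments, compensating):
    """Classify each user as 'ok', 'conflict-compensated' or
    'conflict-uncompensated'.

    assignments:  {user: set of roles held}
    compensating: {user: set of compensating controls in place}
    """
    result = {}
    for user, roles in assignments.items():
        if not find_conflicts(roles):
            result[user] = "ok"
        elif is_compensated(compensating.get(user, ())):
            result[user] = "conflict-compensated"
        else:
            result[user] = "conflict-uncompensated"
    return result


# Constructed sample data.
ASSIGNMENTS = {
    "alice": {"application programming"},
    "bob": {"application programming", "computer operations"},
    "carol": {"security administration", "application programming"},
    "dave": {"data entry", "quality assurance", "help desk"},
}
COMPENSATING = {
    "bob": {"audit trails", "supervisory reviews"},
    "dave": {"transaction logs"},  # recorded, but nobody reviews it
}

if __name__ == "__main__":
    for user, status in evaluate(ASSIGNMENTS, COMPENSATING).items():
        print(f"{user:<6} {status:<24} {find_conflicts(ASSIGNMENTS[user])}")
```

The point of the two-part compensation rule is the one the slide's list implies: audit trails and transaction logs are only detective if a supervisory or independent review actually consumes them, which is why "dave" is still reported as uncompensated.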
2.8 Auditing IT Governance Structure
and Implementation
Indicators of potential problems include:
Unfavorable end-user attitudes
Excessive costs
Budget overruns
Late projects
High staff turnover
Inexperienced staff
Frequent hardware/software errors
An excessive backlog of user requests
Slow computer response time
Auditing IT Governance Structure
and Implementation
Indicators of potential problems include
(cont.):
Numerous aborted or suspended development projects
Unsupported or unauthorized hardware/software purchases
Frequent hardware/software upgrades
Extensive exception reports
Exception reports that were not followed up on
Poor motivation
Lack of succession plans
A reliance on one or two key personnel
Lack of adequate training
Auditing IT Governance Structure
and Implementation
Reviewing Documentation
Reviewing Contractual Commitments
Auditing IT Governance Structure
and Implementation
Reviewing Documentation
IT strategies, plans and budgets
Security policy documentation
Organization / functional charts
Job descriptions
Steering committee reports
Systems development and program change procedures
Operations procedures
Human resource manuals
Quality assurance procedures
2.9 Case Study
The IS auditor reviews a draft of an outsourcing contract and SLA and recommends changes
prior to these being sent to senior management for approval
The agreement includes outsourcing support of Windows and UNIX server administration and
network management to a third party
Servers will be relocated to the outsourcer's facility in another country, Internet-connected
Operating software will be upgraded on a semiannual basis, but not escrowed
Requests to change user accounts will be processed within three business days
Intrusion detection software will be continuously monitored by the outsourcer; the customer
will be notified of anomalies by e-mail
New employees were hired within the last three years; no policy was in place prior to that
A right-to-audit clause is in place; 24-hour notice is required for an onsite visit
If the outsourcer is found to be in violation of the contract, it will have 10 business days to correct
the deficiency
The outsourcer does not have an IS auditor, but is audited by a regional public accounting firm
Chapter 2: Case study Question 1
Which of the following should be of MOST concern to the IS
auditor?
Chapter 2: Case study Question 2
Which of the following would be the MOST significant issue to address if
the servers contain personally identifiable customer information that is
regularly accessed and updated by end users?