1 of 84

ISACA ®

The recognized global

leader in IT governance,
control, security and
assurance
 2 of 84

2010 CISA Review Course

Chapter 2
IT Governance
 3 of 84

Course Agenda

• Learning Objectives
• Discuss Task and Knowledge Statements
• Discuss specific topics within the chapter
• Case studies
• Sample questions
 4 of 84

Exam Relevance

Ensure that the CISA candidate…

Understands and can provide assurance that the organization has
the structure, policies, accountability mechanisms and monitoring
practices in place to achieve the requirements of corporate
governance of IT.
% of Total Exam Questions

The content area in this chapter will Chapter 6 Chapter 1

represent approximately 15% of 14% 10%
Chapter 2
the CISA examination 15%
(approximately 30 questions). Chapter 5
31% Chapter 3
16%
Chapter 4
14%
 5 of 84

Chapter 2 Learning
Objectives

• Evaluate the effectiveness of IT governance structure

to ensure adequate board control over the decisions,
directions and performance of IT, so it supports the
organization's strategies and objectives
• Evaluate IT organizational structure and human
resources (personnel) management to ensure that
they support the organization's strategies and
objectives
• Evaluate the IT strategy and process for their
development, approval, implementation and
maintenance to ensure that they support the
organization's strategies and objectives
 6 of 84

Chapter 2 Learning
Objectives (continued)

• Evaluate the organization's IT policies, standards,

procedures and processes for their development,
approval, implementation and maintenance to ensure
that they support the IT strategy and comply with
regulatory and legal requirements
• Evaluate management practices to ensure compliance
with the organization's IT strategy, policies, standards
and procedures
• Evaluate IT resource investment, use and allocation
practices to ensure alignment with the organization's
strategies and objectives
 7 of 84

Chapter 2 Learning
Objectives (continued)

• Evaluate IT contracting strategies and policies and

contract management practices to ensure that they
support the organization's strategies and objectives
• Evaluate risk management practices to ensure that the
organization's IT-related risks are properly managed
• Evaluate monitoring and assurance practices to ensure
that the board and executive management receive
sufficient and timely information about IT performance
 8 of 84

2.2 Corporate Governance

• Ethical corporate behavior by directors or others

charged with governance in the creation and
presentation of value for all stakeholders
• The distribution of rights and responsibilities among
different participants in the corporation, such as board,
managers, shareholders and other stakeholders
• Establishment of rules to manage and report on
business risks
 9 of 84

2.3 IT Governance

• Comprises the body of issues addressed in

considering how IT is applied within the
enterprise.
• Effective enterprise governance focuses on:
– Individual and group expertise
– Experience in specific areas
• Key element: alignment of business and IT
 10 of 84

2.3 IT Governance (continued)

Two issues:
1. IT delivers value to the business
2. IT risks are managed
 11 of 84

Practice Question

2-1 IT governance ensures that an

organization aligns its IT strategy with:
A. enterprise objectives.
B. IT objectives.
C. audit objectives.
D. control objectives.
 12 of 84
2.4 Information Technology
Monitoring and Assurance
Practices for Management
IT governance implies a system where all
stakeholders provide input into the decision
making process:
•Board
•Internal customers
•Finance
 13 of 84

2.4.1 Best Practices for IT

Governance
 14 of 84

2.4.1 Best Practices for IT

Governance (continued)

IT governance has become significant due to:

• Demands for better return from IT investments
• Increases in IT expenditures
• Regulatory requirements for IT controls
• Selection of service providers and outsourcing
• Complexity of network security
• Adoptions of control frameworks
• Benchmarking
 15 of 84

2.4.1 Best Practices for IT

Governance (continued)

Audit role in IT governance

• Audit plays a significant role in the successful
implementation of IT governance within an
organization
• Reporting on IT governance involves auditing at the
highest level in the organization and may cross
division, functional or departmental boundaries
 16 of 84

2.4.1 Best Practices for IT

Governance (continued)

• In accordance with the defined role of the IS auditor,

the following aspects related to IT governance need
to be assessed:
– The IS function’s alignment with the organization’s mission,
vision, values, objectives and strategies
– The IS function’s achievement of performance objectives
established by the business (effectiveness and efficiency)
– Legal, environmental, information quality, and fiduciary and
security requirements
– The control environment of the organization
– The inherent risks within the IS environment
 17 of 84

2.4.2 IT Strategy Committee

• The creation of an IT strategy committee is an industry

best practice
• Committee should broaden its scope to include not only
advice on strategy when assisting the board in its IT
governance responsibilities, but also to focus on IT
value, risks and performance
18 of 84
 19 of 84

2.4.3 Standard
IT Balanced Scorecard

• A process management evaluation technique that can be

applied to the IT governance process in assessing IT
functions and processes
• Method goes beyond the traditional financial evaluation
• One of the most effective means to aid the IT strategy
committee and management in achieving IT and
business alignment
 20 of 84

2.4.4 Information
Security Governance

• Focused activity with specific value drivers

– Integrity of information
– Continuity of services
– Protection of information assets
• Integral part of IT governance
• Importance of information security governance
 21 of 84

2.4.4 Information Security

Governance (continued)

Importance of information security governance

• Information security (Infosec) covers all information
processes, physical and electronic, regardless of whether
they involve people and technology or relationships with
trading partners, customers and third parties.
• Infosec is concerned with all aspects of information and its
protection at all points of its life cycle within the
organization.
 22 of 84

2.4.4 Information Security

Governance (continued)

Effective information security can add significant

value to an organization by:
• Providing greater reliance on interactions with
trading partners
• Improving trust in customer relationships
• Protecting the organization’s reputation
• Enabling new and better ways to process
electronic transactions
 23 of 84

2.4.4 Information Security

Governance (continued)

Outcomes of security governance

• Strategic alignment—align with business strategy
• Risk management—manage and execute appropriate
measures to mitigate risks
• Value delivery—optimize security investments
• Performance measurement – measure, monitor and report on
information security processes
• Resource management—utilize information security knowledge
and infrastructure efficiently and effectively
• Process integration – integration of management assurance
processes for security
 24 of 84

2.4.4 Information Security

Governance (continued)
Effective information security governance
• To achieve effective information security governance,
management must establish and maintain a framework
to guide the development and management of a
comprehensive information security program that
supports business objectives
• This framework provides the basis for the development
of a cost-effective information security program that
supports the organization’s business goals.
 25 of 84

2.4.4 Information Security

Governance (continued)

Information security governance requires strategic

direction and impetus from:
• Boards of directors / senior management
• Executive management
• Steering committees
• Chief information security officers
 26 of 84

2.4.5 Enterprise Architecture

• Involves documenting an organization’s IT assets in a

structured manner to facilitate understanding,
management and planning for IT investments
• Often involves both a current state and optimized future
state representation
 27 of 84

2.4.5 Enterprise
Architecture (continued)

The Basic Zachman Framework

Data Functional Network People Process Strategy

Scope
Enterprise Model

Systems Model

Technology Model

Detailed
Representation
 28 of 84

2.4.5 Enterprise
Architecture (continued)

The Federal Enterprise Architecture (FEA)

hierarchy:
• Performance
• Business
• Service component
• Technical
• Data
 29 of 84

2.5.1 Strategic Planning

• From an IS standpoint, strategic planning relates to

the long-term direction an organization wants to take
in leveraging information technology for improving its
business processes
• Effective IT strategic planning involves a consideration
of the organization’s demand for IT and its IT supply
capacity
 30 of 84

2.5.1 Strategic Planning

(continued)

• The IS auditor should pay attention to the importance

of IT strategic planning
• Focus on the importance of a strategic planning
process or planning framework
• Consider how the CIO or senior IT management are
involved in the creation of the overall business
strategy
 31 of 84

Practice Question

2-2 Which of the following would be included

in an IS strategic plan?
A. Specifications for planned hardware
purchases
B. Analysis of future business objectives
C. Target dates for development projects
D. Annual budgetary targets for the IS
department
 32 of 84

Practice Question

2-3 Which of the following BEST describes an IT department’s

strategic planning process?
A. The IT department will have either short-range or long-range plans
depending on the organization’s broader plans and objectives.
B. The IT department’s strategic plan must be time- and project-oriented, but
not so detailed as to address and help determine priorities to meet business
needs.
C. Long-range planning for the IT department should recognize organizational
goals, technological advances and regulatory requirements.
D. Short-range planning for the IT department does not need to be integrated
into the short-range plans of the organization since technological advances
will drive the IT department plans much quicker than organizational plans.
 33 of 84

2.5.2 Steering Committee

• An organization’s senior management should appoint a

planning or steering committee to oversee the IS
function and its activities
• A high-level steering committee for information
technology is an important factor in ensuring that the IS
department is in harmony with the corporate mission and
objectives
 34 of 84

2.6 Maturity and Process

Improvement Models

• IDEAL model
• Capability Maturity Model Integration (CMMI)
• Team Software Process (TSP)
• Personal Software Process (PSP)
 35 of 84

2.7 IT Investment and

Allocation Practices

• Financial benefits – impact on budget and finances

• Nonfinancial benefits – impact on operations or
mission performance and results
 36 of 84

2.8 Policies and Procedures

Reflect management guidance and direction in developing

controls over:
• Information systems
• Related resources
• IS department processes
 37 of 84

2.8.1 Policies

• High level documents

• Must be clear and concise
• Set tone for organization as a whole (top down)
• Lower-level policies – defined by individual divisions and
departments
 38 of 84

2.8.1 Policies (continued)

Information Security Policy

• Defines information security, overall objectives and scope
• Is a statement of management intent
• Is a framework for setting control objectives including risk
management
• Defines responsibilities for information security management

Acceptable Use Policy

 39 of 84

2.8.2 Procedures

Procedures are detailed documents that:

• Define and document implementation policies
• Must be derived from the parent policy
• Must implement the spirit (intent) of the policy
statement
• Must be written in a clear and concise manner
 40 of 84

2.9 Risk Management

The process of identifying vulnerabilities and threats to

the information resources used by an organization in
achieving business objectives.
• Avoid
• Mitigate
• Transfer
• Accept
 41 of 84

2.9.1 Developing a Risk

Management Program

To develop a risk management program:

• Establish the purpose of the risk management program
• Assign responsibility for the risk management plan
 42 of 84

2.9.2 Risk Management

Process

• Identification and classification of information

resources or assets that need protection
• Assess threats and vulnerabilities and the likelihood
of their occurrence
• Once the elements of risk have been established
they are combined to form an overall view of risk
 43 of 84

2.9.2 Risk Management

Process (continued)

• Evaluate existing controls or design new controls to

reduce the vulnerabilities to an acceptable level of
risk
• Residual risk
 44 of 84

2.9.2 Risk Management

Process (continued)

IT risk management needs to operate at

multiple levels including:
• Operational—Risks that could compromise the
effectiveness of IT systems and supporting
infrastructure
• Project—Risk management needs to focus on the
ability to understand and manage project complexity
• Strategic—The risk focus shifts to considerations such
as how well the IT capability is aligned with the
business strategy
 45 of 84

2.9.3 Risk Analysis Methods

• Qualitative
• Semiquantitative
• Quantitative
– Probability and expectancy
– Annual loss expectancy method
 46 of 84

2.9.3 Risk Analysis

Methods (continued)

Management and IS auditors should keep in

mind certain considerations:
• Risk management should be applied to IT functions throughout the
company
• Senior management responsibility
• Quantitative RM is preferred over qualitative approaches
• Quantitative RM always faces the challenge of estimating risks
• Quantitative RM provides more objective assumptions
• The real complexity or the apparent sophistication of the methods or
packages used should not be a substitute for commonsense or
professional diligence
• Special care should be given to very high impact events, even if the
probability of occurrence over time is very low.
 47 of 84

2.10.1 Human Resource

Management

• Hiring
• Employee handbook
• Promotion policies
• Training
• Scheduling and time reporting
• Employee performance evaluations
• Required vacations
• Termination policies
 48 of 84

2.10.2 Sourcing Practices

• Sourcing practices relate to the way an organization

obtains the IS function required to support the
business
• Organizations can perform all IS functions in-house
or outsource all functions across the globe
• Sourcing strategy should consider each IS function
and determine which approach allows the IS
function to meet the organization’s goals
 49 of 84

2.10.2 Sourcing Practices

(continued)

Outsourcing practices and strategies

• Contractual agreements under which an organization
hands over control of part or all of the functions of the
IS department to an external party
• Becoming increasingly important in many organizations
• The IS auditor must be aware of the various forms
outsourcing can take as well as the associated risks
 50 of 84

2.10.2 Sourcing Practices

(continued)

Possible advantages:
• Commercial outsourcing companies likely to devote more
time and focus more efficiently on a given project than in-
house staff
• Outsourcing vendors likely to have more experience with
a wider array of problems, issues and techniques

Possible disadvantages:
• Costs exceeding customer expectations
• Loss of internal IS experience
• Loss of control over IS
• Vendor failure
 51 of 84

2.10.2 Sourcing Practices

(continued)

Risks can be reduced by:

• Establishing measurable, partnership-enacted shared goals and
rewards
• Using multiple suppliers or withholding a piece of business as an
incentive
• Performing periodic competitive reviews and benchmarking/bench
trending
• Implementing short-term contracts
• Forming a cross-functional contract management team
• Including contractual provisions to consider as many
contingencies as can reasonably be foreseen
 52 of 84

2.10.2 Sourcing Practices

(continued)

Globalization practices and strategies

• Requires management to actively oversee the remote or offshore
locations
• The IS auditor can assist an organization in moving IS functions
offsite or offshore by ensuring that IS management considers the
following:
– Legal, regulatory and tax issues
– Continuity of operations
– Personnel
– Telecommunication issues
– Cross-border and cross-cultural issues
 53 of 84

2.10.2 Sourcing Practices

(continued)

Governance in outsourcing
• Mechanism that allows organizations to transfer the
delivery of services to third parties
• Accountability remains with the management of the
client organization
• Transparency and ownership of the decision-
making process must reside within the purview of
the client
 54 of 84

2.10.2 Sourcing Practices

(continued)

Third-party service delivery management

• Every organization using the services of third parties
should have a service delivery management system
in place to implement and maintain the appropriate
level of information security and service delivery in
line with third-party service delivery agreements
• The organization should check the implementation
of agreements, monitor compliance with the
agreements and manage changes to ensure that
the services delivered meet all requirements agreed
to with the third party.
 55 of 84

2.10.3 Organizational
Change Management

What is change management?

• Managing IT changes for the organization
– Identify and apply technology improvements at
the infrastructure and application level
 56 of 84

2.10.4 Financial Management

Practices

• User-pays scheme – chargeback

• IS budgets
 57 of 84

2.10.5 Quality Management

• Software development, maintenance and implementation

• Acquisition of hardware and software
• Day-to-day operations
• Service management
• Security
• Human resource management
• General administration
 58 of 84

Practice Question

2-4 The MOST important responsibility of a

data security officer in an organization is:
A. recommending and monitoring data
security policies.
B. promoting security awareness within
the organization.
C. establishing procedures for IT
security policies.
D. administering physical and logical
access controls.
 59 of 84

Practice Question

2-5 Which of the following is MOST likely to

be performed by the security administrator?
A. Approving the security policy
B. Testing application software
C. Ensuring data integrity
D. Maintaining access rules
 60 of 84

2.10.7 Performance
Optimization

• Process driven by performance indicators

• Optimization refers to the process of improving the
productivity of information systems to the highest
level possible without unnecessary, additional
investment in the IT infrastructure
 61 of 84

2.10.7 Performance
Optimization (continued)

Five ways to use performance measures:

• Measure products/services
• Manage products/services
• Assure accountability
• Make budget decisions
• Optimize performance
 62 of 84

Practice Question

2-6 An IS auditor should ensure that IT

governance performance measures:
A. evaluate the activities of IT oversight
committees.
B. provide strategic IT drivers.
C. adhere to regulatory reporting
standards and definitions.
D. evaluate the IT department.
 63 of 84
2.10 IS Organizational
Structure and
Responsibilities
 64 of 84

2.11.1 IS Roles and

Responsibilities

• Systems development manager

• Service Desk (help desk)
• End user
• End user support manager
 65 of 84

2.11.1 IS Roles and

Responsibilities (continued)

• Data management
• Quality assurance manager
• Vendor and outsourcer management
• Operations manager
 66 of 84

2.11.1 IS Roles and

Responsibilities (continued)

• Control group
• Media management
• Data entry
• Systems administration
 67 of 84

2.11.1 IS Roles and

Responsibilities (continued)

• Security administration
• Quality assurance
• Database administration
 68 of 84

2.11.1 IS Roles and

Responsibilities (continued)

• Systems analyst
• Security architect
• Applications development and maintenance
• Infrastructure development and maintenance
• Network management
 69 of 84

2.11.2 Segregation of
Duties Within IS

• Avoids possibility of errors or misappropriations

• Discourages fraudulent acts
• Limits access to data
 70 of 84

2.11.2 Segregation of Duties

Within IS (continued)
 71 of 84

Practice Question

2-7 Which of the following tasks may be

performed by the same person in a well-
controlled information processing computer
center?
A. Security administration and change
management
B. Computer operations and system
development
C. System development and change
management
D. System development and systems
maintenance
 72 of 84

Practice Question

2-8 Which of the following is the MOST

critical control over database
administration?
A. Approval of DBA activities
B. Segregation of duties
C. Review of access logs and activities
D. Review of the use of database tools
 73 of 84

2.11.3 Segregation of Duties

Controls

Control measures to enforce segregation of duties

include:
• Transaction authorization
• Custody of assets
• Access to data
– Authorization forms
– User authorization tables
 74 of 84

2.11.3 Segregation of Duties

Controls (continued)

Compensating controls for lack of segregation

of duties include:
• Audit trails
• Reconciliation
• Exception reporting
• Transaction logs
• Supervisory reviews
• Independent reviews
 75 of 84

Practice Question

2-9 When a complete segregation of duties

cannot be achieved in an online system
environment, which of the following
functions should be separated from the
others?
A. Origination
B. Authorization
C. Recording
D. Correction
 76 of 84

Practice Question

2-10 In a small organization, where segregation of

duties is not practical, an employee performs the
function of computer operator and application
programmer. Which of the following controls
should an IS auditor recommend?
A. Automated logging of changes to
development libraries
B. Additional staff to provide segregation of
duties
C. Procedures that verify that only approved
program changes are implemented
D. Access controls to prevent the operator
from making program modifications
 77 of 84

2.12 Auditing IT Governance

Structure and Implementation

Indicators of potential problems include:

• Unfavorable end-user attitudes
• Excessive costs
• Budget overruns
• Late projects
• High staff turnover
• Inexperienced staff
• Frequent hardware/software errors
 78 of 84

2.12.1 Reviewing
Documentation
The following documents should be reviewed:
• IT strategies, plans and budgets
• Security policy documentation
• Organization/functional charts
• Job descriptions
• Steering committee reports
• System development and program change procedures
• Operations procedures
• Human resource manuals
• Quality assurance procedures
 79 of 84

2.11.2 Reviewing Contractual

Commitments

There are various phases to computer hardware,

software and IS service contracts, including:
• Development of contract requirements and service levels
• Contract bidding process
• Contract selection process
• Contract acceptance
• Contract maintenance
• Contract compliance
 80 of 84

Case Study A Scenario

An IS auditor has been asked to review the draft of an

outsourcing contract and SLA and recommend any changes
or point out any concerns prior to these being submitted to
senior management for final approval. The agreement
includes outsourcing support of Windows and UNIX server
administration and network management to a third party.

Servers will be relocated to the outsourcer’s facility that is

located in another country, and connectivity will be
established using the Internet. Operating system software
will be upgraded on a semiannual basis, but it will not be
escrowed. All requests for addition or deletion of user
accounts will be processed within three business days.
 81 of 84

Case Study A Scenario

(continued)

Intrusion detection software will be continuously monitored

by the outsourcer and the customer notified by e-mail if any
anomalies are detected. New employees hired within the
last three years were subject to background checks. Prior
to that, there was no policy in place.

A right to audit clause is in place, but 24-hour notice is

required prior to an onsite visit. If the outsourcer is found to
be in violation of any of the terms or conditions of the
contract, it will have 10 business days to correct the
deficiency. The outsourcer does not have an IS auditor, but
it is audited by a regional public accounting firm.
 82 of 84

Case Study A Question

1. Which of the following should be of MOST

concern to the IS auditor?
A. User account changes are processed within three business
days.
B. Twenty-four hour notice is required prior to an onsite visit.
C. The outsourcer does not have an IS audit function.
D. Software escrow is not included in the contract.
 83 of 84

Case Study A Question

2. Which of the following would be the MOST significant

issue to address if the servers contain personally
identifiable customer information that is regularly
accessed and updated by end users?
A. The country in which the outsourcer is based prohibits the
use of strong encryption for transmitted data.
B. The outsourcer limits its liability if it took reasonable steps to
protect the customer data.
C. The outsourcer did not perform background checks for
employees hired over three years ago.
D. System software is only upgraded once every six months.
 84 of 84

Conclusion

• Chapter 2 Quick Reference Review

– Page 84 of CISA Review Manual 2010
• Additional Case Studies
– Case Study B – page 118 of CISA Review Manual
2010
– Case Study C – page 118 of CISA Review Manual
2010
– Case Study D – page 119 of CISA Review Manual
2010