2016 CISA ® Review Course
Hafiz Sheikh Adnan Ahmed – CISA, COBIT 5, ISO 27001 LA
[PECB Certified Trainer]
Quick Reference Review
• IT Governance
• Governance of Enterprise IT
• Roles and Responsibilities of IT Steering Committee
• Governance of Information Security
• Risk Management
• Management Processes
• Segregation of duties
• Business Continuity & Disaster Recovery
2.2. Corporate Governance
• A system by which business operations are directed and controlled
• A set of responsibilities and practices used by an organization’s management to provide
strategic direction, ensuring that goals are achievable, risks are properly addressed and
organizational resources are properly utilized
• A set of relationships between a company’s management, its board, its shareholders and
other stakeholders
• Provides a structure through which the objectives of the company are set, and the means
of attaining those objectives and monitoring performance are determined
2.3. Governance of Enterprise IT (GEIT)
• GEIT implies a system in which all stakeholders provide input into a decision-making process
• GEIT is the responsibility of board of directors and executive management
• Purpose is to direct IT endeavors to ensure that IT performance meets the
objectives of aligning IT with the enterprise’s objectives & the realization of
promised benefits
• A key element of GEIT is the alignment of business & IT
2.3.1 Best practices for GEIT
• COBIT 5:
• A framework developed by ISACA to ensure that: IT is aligned with the business, IT enables the
business and maximizes benefits, IT resources are used responsibly, & IT risks are appropriately
managed.
• Provides tools to assess and measure performance of 37 processes
• ISO/IEC 27001:
• Provide guidance in implementing & maintaining information security programs
• ITIL:
• Deals with operational service management of IT
• IT Baseline Protection Catalogs:
• Documents for detecting and combating security weak points in IT environment. Over 3000
pages
• Information Security Management Maturity Model (ISM3):
• Process model for security.
• AS8015-2005:
• Australian standard for corporate governance of information & communication technology
• Later adopted as ISO/IEC 38500
• ISO/IEC 20000:
• Specification for IT Service Management, aligned with ITIL
Audit Role in GEIT
• Provide recommendations to senior management to help improve the quality & effectiveness of
the IT governance initiatives implemented
• Helps ensure compliance with GEIT initiatives
• Assess Enterprise Governance & GEIT are aligned
• Ensure alignment of IS function with organization’s mission, vision, values, objectives and strategies
• Ensure Legal, regulatory, environmental, security and privacy requirements
• The inherent risks within the IS environment
2.3.2 IT Governing Committees
2.3.3 IT Balanced Scorecard (BSC)
• A process management evaluation technique in assessing IT functions & processes
• Measures customer satisfaction, internal processes and the ability to innovate
• A three-layered structure in addressing 4 perspectives:
• Mission
• Strategies
• Measures
• Sources
• Most effective method to aid the IT strategy committee and management in achieving IT
governance through proper IT & business alignment
2.3.4 Information Security Governance
• IS Governance part of IT Governance
• Consists of:
• CIA of Information
• Continuity of services
• Protection of information assets
• Responsibility of Board of Directors and executive management
• Outcomes include:
• Strategic Alignment
• Risk management compliance
• Value delivery
Effective IS Governance
• IS Governance is a subset of corporate governance that provides strategic direction for security
activities and ensures that objectives are achieved
• Ensure IS risks are managed and enterprise resources are used responsibly
• To achieve effective IS governance, management to establish and maintain a framework to guide
the development & management of a comprehensive IS program that supports business objectives
• The framework includes, but is not limited to:
• A comprehensive security strategy linked with corporate strategy and business objectives
• Policies, procedures and guidelines
• An effective organizational security structure
• Monitoring processes to ensure compliance
2.3.5 Enterprise Architecture (EA)
• EA involves documenting an organization’s IT assets in a structured manner to facilitate
understanding, management and planning for IT investments
• Involves both a current state and an optimized future state representation
• The framework for EA, introduced by John Zachman
2.4.1 Strategic Planning
• Long term direction an enterprise wants to take in leveraging IT for improving its business
processes
• Generally three to five years plan
• IS Steering Committee and Strategy Committee play a key role in development &
implementation of plans
• IS auditor to pay full attention to the importance of IT strategic planning
• IS auditor must focus on the importance of strategic planning process
• IT strategic plans to be synchronized with overall business strategy
2.4.2 Steering Committee
• Oversee the IS functions and activities
• Committee includes representatives of Senior Management, business, departments, & IT
• Duties and responsibilities defined in a formal charter
• Not usually involved in operational activities
• Review long and short term plans of IS department to ensure they are aligned with corporate
objectives
• Approve and monitor major projects
• Review and approve major acquisitions
• Review adequacy of resources
2.5. Maturity & Process Improvement Models
• Various models such as CMMI, IDEAL, COBIT
• COBIT PAM:
• A reference document for conducting capability assessments
• Aligned with ISO/IEC 15504-2
• Uses process capability and process performance indicators to determine process attributes
• IDEAL:
• Initiate, Diagnose, Establish, Act, Learn
• A process improvement program
2.6. IT Investment & Allocation Practices
• IT’s value determined by the relationship between the costs and benefits
• The larger the benefit in relation to cost, the greater the value of IT project
• Implementation methods include:
• Risk profile analysis
• Diversification of projects
• Infrastructure and technologies
• Continuous alignment with business goals
• Continuous improvement
2.7.1 Policies
• High-level documents that represent the corporate philosophy of the organization
• Must be clear and concise
• Divisions and departments may define their low-level policies
• Management to review policies periodically
• IS auditors to consider policies as part of the audit scope
• Ensure policies of the third parties or outsourcers are not in conflict with enterprise’s policies
Information Security Policy
• Security policy is the first step towards building the security infrastructure
• The cost of control should NOT exceed the expected benefit to be derived
• Must be approved by senior management
• The ISO/IEC 27001 standard may be considered as a benchmark for the content covered by IS
policy
• Definition of information security, objectives, scope, importance to the organization
• Alignment of Information security with business objectives and goals
• Brief explanation of policies and procedures and compliance requirements
• Roles and responsibilities of the personnel involved
• References to documentation which may support the policy
• IS policy to be communicated throughout the organization
• Must be accessible and understandable to the intended user
• Organizations may document IS policies as a set of policies. For example:
• High-level Information Security Policy
• Data Classification Policy
• Acceptable Use Policy
• End-User Computing Policy
• Access Control Policy
Acceptable Use Policy (AUP)
• Defines a set of guidelines on how to use information system resources
• Explains acceptable computer use
• Must be clear and concise
• Clearly defines what sanctions will be applied if the user fails to comply with the AUP
• Compliance to be measured by regular audits
• Most common part of AUP is Acceptable Internet Usage Policy
Review of Information Security Policy
• Should be reviewed at planned intervals to ensure suitability, adequacy and effectiveness
• Review should include assessing opportunities for improvement to the organization’s IS policy
• To be reviewed by management while considering the feedback and inputs from:
• Stakeholders
• Interested parties
• Previous results of management reviews
• Trends related to threats and vulnerabilities
• Reported information security incidents
• Recommendations from relevant authorities
2.7.2 Procedures
• Documented, defined steps for achieving policy objectives
• Must be derived from the parent policy
• Must be written in clear and concise manner and must be easily understood
• Document business processes and embedded controls
• More dynamic than respective parent policies
2.8. Risk Management
• A process of identifying vulnerabilities and threats to the information resources used by an
organization in achieving business objectives and deciding what countermeasures to take in
reducing risk to an acceptable level (i.e. residual risk), based on the value of the information
resource to the organization
• Begins with the clear understanding of the organization’s appetite for risk
• RM includes identifying, analyzing, evaluating, treating, monitoring and communicating the impact
of risk on IT processes
• Risk treatment includes:
2.8.1 Developing a Risk Management Program
• Establish the purpose:
• Determine the purpose for creating the risk management program
• Define KPIs to determine the effectiveness
• Senior management, BODs, set the tone and goals for the Risk Management Program
• Assign responsibility for the RM plan:
• Designate a team or an individual responsible for developing and implementing the risk management
program
• Integrate Risk Management within all levels of the organization
2.8.2 Risk Management Process
• The key management practices include:
• Collect data
• Analyze risk
• Maintain a risk profile
• Articulate risk
• Define a risk management action portfolio
• Respond to risk
• Threats: Any circumstance or event with the potential to cause harm to an information resource
• Errors, Malicious Damage, Fraud, Theft, Software Failure etc.
• Vulnerability: Characteristics of information resources that can be exploited by a threat to cause harm
• Lack of user knowledge, Lack of security functionality, Untrusted technology etc.
• Impact: The result of a threat agent exploiting a vulnerability
• Direct loss of money, Breach of Legislation, Loss of Reputation etc.
• Risk = Probability of Occurrence × Magnitude of Impact
• Risk is proportional to estimated likelihood of the threat and the value of loss/damage
2.8.3 Risk Analysis Methods
• Qualitative Analysis:
• Use word or descriptive rankings to describe impact or likelihood
• Simplest and most frequently used method
• Based on checklists and subjective risk ratings like High, Medium, Low
• Semi quantitative Analysis:
• Rankings are associated with numeric scale
• Normally used when it is not possible to utilize a quantitative method or to reduce subjectivity in qualitative
methods
• E.g. “High” may be given “5”; “Medium” may be given “3”; “Low” may be given “1”
• Quantitative Analysis:
• Use numeric values to describe impact or likelihood
• Usually performed during BIA
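The scoring described in 2.8.2 and 2.8.3, worked through as an added example (not part of the original slides): the slide's 5/3/1 semi-quantitative scale, the quantitative probability × magnitude product, a residual-risk calculation after countermeasures, and ranking against an acceptable level (risk appetite). The register rows, probabilities and loss figures are constructed for illustration.

```python
from dataclasses import dataclass

# Semi-quantitative scale exactly as given on the slide: High=5, Medium=3, Low=1
SEMI_QUANT_SCALE = {"High": 5, "Medium": 3, "Low": 1}


@dataclass
class Risk:
    """One row of a risk register: a threat exploiting a vulnerability with an impact."""
    name: str
    threat: str
    vulnerability: str
    likelihood: str           # qualitative rating: High / Medium / Low
    impact: str               # qualitative rating: High / Medium / Low
    probability: float = 0.0  # estimated annual probability of occurrence (0..1), constructed
    magnitude: float = 0.0    # estimated loss per occurrence in currency units, constructed


def semi_quantitative_score(likelihood: str, impact: str) -> int:
    """Risk = likelihood rank * impact rank on the 5/3/1 scale (range 1..25)."""
    return SEMI_QUANT_SCALE[likelihood] * SEMI_QUANT_SCALE[impact]


def quantitative_score(probability: float, magnitude: float) -> float:
    """Risk = probability of occurrence * magnitude of impact (expected annual loss)."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be in [0, 1]")
    if magnitude < 0:
        raise ValueError("magnitude must be non-negative")
    return probability * magnitude


def residual_score(inherent: float, likelihood_reduction: float, impact_reduction: float) -> float:
    """Residual risk after countermeasures that cut likelihood and/or impact by a fraction."""
    for r in (likelihood_reduction, impact_reduction):
        if not 0.0 <= r <= 1.0:
            raise ValueError("reductions are fractions in [0, 1]")
    return inherent * (1.0 - likelihood_reduction) * (1.0 - impact_reduction)


def rank_register(register, appetite_semi: int):
    """Score every risk, sort highest first, and flag those above the acceptable level for treatment."""
    rows = []
    for r in register:
        score = semi_quantitative_score(r.likelihood, r.impact)
        rows.append({
            "name": r.name,
            "semi_quant": score,
            "expected_loss": quantitative_score(r.probability, r.magnitude),
            "treat": score > appetite_semi,  # above the appetite -> must be treated, not accepted
        })
    # Ties on the semi-quantitative score are broken by the quantitative expected loss
    return sorted(rows, key=lambda row: (row["semi_quant"], row["expected_loss"]), reverse=True)


# Constructed sample register; threat/vulnerability wording follows the slide's lists
SAMPLE_REGISTER = [
    Risk("Payment fraud", "Fraud", "Lack of security functionality", "Medium", "High", 0.10, 250_000),
    Risk("Phishing", "Malicious damage", "Lack of user knowledge", "High", "Medium", 0.40, 40_000),
    Risk("Batch job crash", "Software failure", "Untrusted technology", "Low", "Low", 0.05, 5_000),
]

if __name__ == "__main__":
    for row in rank_register(SAMPLE_REGISTER, appetite_semi=9):
        print(row)
```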
2.9. Information Systems Management Practices
• Reflect the implementation of policies and procedures developed for various IS-related
management activities
• Management activities to review the policy/procedure formulations and their effectiveness within
the IS department
2.9.1 Human Resource Management
• HR management relates to organizational policies and procedures for:
• Recruiting
• Selecting
• Training
• Promoting staff
• Measuring staff performance, disciplining staff, succession planning, and staff retention
• Termination
2.9.2 Sourcing Practices
• Sourcing practices relate to the way in which the organization obtains the IS functions required to support the
business
• This may include:
• Insourced – Fully performed by organization’s staff
• Outsourced – Fully performed by the vendor’s staff
• Hybrid – Performed by a mix of organization’s and vendor’s staff
• IS functions can be performed across the globe:
• Onsite – Staff work onsite in the IS department
• Offsite – Also known as near-shore, staff work at a remote location in the same geographic location
• Offshore – Staff work in remote location in a different geographic location
• Reasons for Outsourcing:
• A desire to focus on core activities
• Pressure on profit margins
• Increasing competition that demands cost savings
• Flexibility with respect to both organizations and structure
• Enterprise to consider outsourcing provisions in the contracts including security clauses
Industry Standards / Benchmarking / Global Practices
• Organizations to adhere to a well-defined set of standards
• Legal, regulatory and tax issues
• Cross-Border and Cross-Cultural issues
• Telecommunication issues
Governance in Outsourcing
• Governance of outsourcing is the set of Roles and Responsibilities, objectives, interfaces, and controls
required to anticipate change
Service Delivery
• Service delivery by a third party includes agreed on security agreements, service definitions, and aspects of
service management
• Ensure agreed on service continuity levels are maintained following major service failures or disaster
Monitoring & Review of Third-Party Services
• Monitor the services provided by third party
• Audits to be carried out regularly
• Ensure information security terms and conditions of the agreements are being adhered to and managed
properly
Cloud Governance
• Organization to maintain sufficient control and visibility into all security aspects for sensitive or critical
information
• Ensure to retain visibility in security activities such as change management, identification of vulnerabilities
and information security incident reporting
Managing Changes to Third-Party Services
Service Improvement & User Satisfaction
• Organizations to set service improvement expectations into the contracts with associated penalties and
rewards
• Service improvements to be agreed on by users and IT with the goals of improving user satisfaction and
attaining business objectives
• Service improvements to be monitored by interviewing and surveying users
2.9.3 Organizational Change Management
• Use a defined and documented process to identify and apply technology improvements at the infrastructure
and application level that are beneficial to the organization
• IS department is the focal point for such changes
2.9.4 Financial Management Practices
• IS Budgets:
• Allows forecasting, monitoring and analyzing financial information
• Should be linked to short-and-long term IT plans
• Software Development:
• Accounting standards require to have a detailed understanding of development efforts
2.9.5 Quality Management
• One of the means by which IT department-based processes are controlled, measured and improved
• Areas of control for quality management may include:
• Software development, maintenance and implementation
• Acquisition of hardware and software
• Day-to-day operations
• Service management
• Security
• HR
• Various standards to assist IS organizations in achieving quality
• Most prominent is ISO 9001:2008, Quality Management Systems
2.9.6 Information Security Management
• Includes BIA, BCP & DRP
• Major component is risk management
2.9.7 Performance Optimization
• A process of improving information system productivity to the highest level possible without unnecessary
additional investment in the IT infrastructure
• Critical Success Factors (CSF):
• Used to create and facilitate action to improve performance and GEIT
• Methodologies and Tools:
• Various improvement and optimization tools available. E.g. ITIL, COBIT, PDCA, Six Sigma etc.
2.10. IS Organizational Structure & Responsibilities
2.10.1 IS Roles and Responsibilities
• Organizational charts provide a clear definition of department’s hierarchy and authorities
• JDs, RACI charts, workflow diagrams provide IS department employees a more complete and clear direction
regarding their R&R
• IS auditor to observe and determine whether formal JDs and structures coincide with real ones and are
adequate
2.10.2 Segregation of duties within IS
• Actual job titles and organizational structures vary greatly
• IS auditor to understand and determine the JDs, responsibilities and authorities, and assess the adequacy of
segregation of duties
• Duties to be segregated include, but are not limited to:
• Custody of assets
• Authorization
• Recording transactions
• When duties are segregated, access to the computer, production data, data library, production programs etc. is
limited, and potential damage from the actions of one person is reduced
• IS auditor to understand the risk of combining functions
2.10.3 Segregation of duties controls
• Transaction Authorization:
• Responsibility of the user department
• Periodic checks to be performed to detect unauthorized entry of transactions
• Custody of Assets:
• Data owner is usually assigned
• Access to data:
• Controls include a combination of physical, logical, system, application security
• Authorization forms:
• Define the access rights of each individual
• Access privileges to be reviewed periodically to ensure they are current and match user’s job functions
Compensating Controls for lack of Segregation of duties
• Compensating control measures must exist to mitigate the risk resulting from lack of segregation of duties
• Audit Trails:
• Provide a map to retrace the flow of transaction
• Reconciliation
• Exception Reporting
• Transaction logs
• Supervisory reviews
• Independent reviews
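The access review described in 2.10.2 and 2.10.3 (custody, authorization and recording held by one person) together with the compensating controls listed above, as an added example that is not part of the original slides. The role catalogue, user-to-role assignments and the rule that a conflict counts as compensated only when at least one detective control and one review control are in place are assumptions made for this illustration.

```python
from itertools import combinations

# The three duties the slide says must be kept apart
CUSTODY, AUTHORIZATION, RECORDING = "custody", "authorization", "recording"

# Constructed role catalogue: which of the three duties each application role carries
ROLE_DUTIES = {
    "ap_clerk": {RECORDING},         # enters vendor invoices
    "ap_approver": {AUTHORIZATION},  # approves payment runs
    "treasury": {CUSTODY},           # controls the bank payment file
    "reporting": set(),              # read-only, carries no segregated duty
}

# Compensating controls named on the slide, split into two kinds (assumed grouping)
DETECTIVE = {"audit_trail", "transaction_logs", "exception_reporting"}
REVIEW = {"supervisory_review", "independent_review", "reconciliation"}


def duties_of(roles):
    """Union of the segregated duties carried by a user's roles; unknown roles are an error."""
    duties = set()
    for role in roles:
        if role not in ROLE_DUTIES:
            raise KeyError(f"unknown role: {role}")
        duties |= ROLE_DUTIES[role]
    return duties


def sod_conflicts(duties):
    """Every pair of segregated duties held by one person is a conflict."""
    return sorted(combinations(sorted(duties), 2))


def is_compensated(controls):
    """Assumed rule: a conflict is tolerable only with a detective control AND a review control."""
    return bool(controls & DETECTIVE) and bool(controls & REVIEW)


def review_access(user_roles, user_controls):
    """Audit findings: users holding conflicting duties, and whether each conflict is compensated."""
    findings = []
    for user, roles in sorted(user_roles.items()):
        conflicts = sod_conflicts(duties_of(roles))
        if not conflicts:
            continue
        controls = set(user_controls.get(user, ()))
        findings.append({
            "user": user,
            "conflicts": conflicts,
            "compensated": is_compensated(controls),
            "controls": sorted(controls),
        })
    return findings


# Constructed sample data for a small accounts-payable team
SAMPLE_ROLES = {
    "alice": {"ap_clerk"},
    "bob": {"ap_approver", "treasury"},    # authorizes AND holds custody: conflict
    "carol": {"ap_clerk", "ap_approver"},  # records AND authorizes: conflict
    "dave": {"reporting"},
}
SAMPLE_CONTROLS = {
    "bob": {"audit_trail", "supervisory_review"},  # detective + review -> compensated
    "carol": {"transaction_logs"},                 # logs that nobody reviews -> not compensated
}

if __name__ == "__main__":
    for f in review_access(SAMPLE_ROLES, SAMPLE_CONTROLS):
        status = "compensated" if f["compensated"] else "UNMITIGATED"
        print(f"{f['user']}: {f['conflicts']} -> {status}")
```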
2.11. Auditing IT Governance Structure and Implementation
• Problems IS auditors may face when auditing IS function:
• Excessive Costs
• Late Projects
• Inexperienced staff
• Lack of adequate training
• Poor motivation
• Unfavorable end-user attitudes
2.11.1 Reviewing Documentation
• Documents to be reviewed include:
• IT Strategies, plans and budgets
• Security policy documentation
• Organizational/functional charts
• Job descriptions
• Steering Committee reports
• System development and program change procedures
• Operations procedures
• HR manuals
2.11.2 Reviewing Contractual Commitments
• In reviewing a sample of contracts, IS auditor to evaluate the following:
• Service levels
• Right to audit or third party audit reporting
• Software escrow
• Penalties for non-compliance
• Contract change process
• Contract termination and associated penalties
• Protection of customer information
2.12. Business Continuity Planning
• Purpose of BC/DR is to enable a business to continue offering critical services in the event of a
disruption and to survive disastrous disruption to activities
• First step is to identify the business processes of strategic and critical importance
• Risk Assessment is conducted
• Business Impact Analysis (BIA) is performed
• Determine the maximum downtime possible for a particular application and how much data could be
lost
• BC/DR planning to address various aspects of business continuity and disaster recovery
• One or more plans to support the integrated BC/DR strategy
2.12.1 IS Business Continuity Planning
• IS BCP to be aligned with corporate BCP and support the overall strategy
• Periodically test BCP plan to ensure it is relevant and up to date
2.12.2 Disasters & Other Disruptive Events
• Disasters are disruptions that cause critical information resources to be inoperative for a period of time,
adversely impacting organizational operations
• Could be few minutes to several months
• Reasons include:
• Natural calamities
• Failure of expected services e.g. power failure, natural gas supply, telecommunications
• Human-caused events e.g. errors, viruses, hacker attacks
Dealing with Damage to Image, Reputation or Brand
• Rumors or negative public opinion can be costly
• Organization’s PR to play an important role in maintaining and improving the image, reputation of the
company
• Unanticipated/Unforeseeable Events
• Unforeseeable (black swan) events are those that are a surprise to the observer e.g. Storm in Abu Dhabi
2.12.3 Business Continuity Planning Process
2.12.4 Business Continuity Policy
• Defines the scope and extent of the business continuity effort
• Should be proactive
• All possible controls to detect and prevent disruptions should be used
• Preventive and detective controls to reduce the likelihood of a disruption and corrective actions to mitigate
the consequences
2.12.5 BCP Incident Management
2.12.6 Business Impact Analysis (BIA)
• BIA to evaluate critical processes and to determine time frames, priorities, resources and interdependencies
• To perform BIA, one should obtain an understanding of the organization, key business processes
• Requires a high level of senior management support and extensive involvement of IT and end-user personnel
• Different approaches to perform BIA
• Questionnaire approach
• Interviews
• Group discussion and brainstorming
• Two important factors:
• RTO (Recovery Time Objective)
• RPO (Recovery Point Objective)
2.12.7 Development of Business Continuity Plans
• Based on BIA and Risk Assessment, detailed BCP/DRP is developed
• Various factors to consider while developing/reviewing a plan:
• Evacuation procedures
• Incident response plan
• Procedures for declaring a disaster
• Roles and Responsibilities
• Step-by-step explanation of the recovery process
• Copies of the plan to be maintained offsite
2.12.8 Other issues in Plan Development
• Management and user involvement is vital to the success of the execution of the BCP
• Three major divisions that require involvement in the formulation of BCP:
• Support services
• Business operations
• Information processing support
2.12.9 Components of a BC Plan
2.12.10 Plan Testing
• Schedule BC tests at a time that will minimize disruptions to normal operations
• Address all critical components and simulate actual primetime processing conditions
• It must accomplish the following tasks:
• Verify the completeness and precision of BCP
• Evaluate the performance of the personnel involved
• Evaluate the coordination among the team, external vendors and suppliers
• Measure the overall performance of operational and IS processing activities related to maintaining the
business entity
• Test Execution phases:
• Pretest
• Test
• Posttest
• Business Continuity Management Best Practices:
• ISACA – COBIT
• BCI – Business Continuity Institute
• DRII – Disaster Recovery Institute International
2.13. Auditing Business Continuity
• Auditor’s tasks include:
• Understanding & evaluating BC strategy and its connection to business objectives
• Reviewing the BIA findings to ensure that they reflect current business priorities and current
controls
• Evaluating RTO, RPO
• Evaluating offsite storage to ensure its adequacy
• Evaluating the ability of personnel to respond effectively in emergency situations
2.13.1 Reviewing the Business Continuity Plan
• Review the documents
• Review the application(s) covered by the plan
• Review the business continuity team(s)
• Plan testing
2.13.2 Evaluation of Prior Test Results
• BCP coordinator should maintain historical documentation of the results of prior BC tests
• IS auditor to review the results and determine whether corrective actions have been incorporated into the
plan
• Review to determine whether appropriate results were achieved
2.13.3 Evaluation of Offsite Storage
• Evaluate to ensure presence, synchronization and currency of critical media and documentation
• Includes files, application software, systems software, backup media tapes, necessary supplies etc.
• Perform a detailed inventory review
2.13.4 Interviewing key personnel
• IS auditor to interview key personnel required for the successful recovery of business operations
• To review and verify all key personnel have an understanding of their assigned responsibilities as well as
up-to-date detailed documentation describing their tasks
2.13.5 Evaluation of security at Offsite Facility
• Evaluate to ensure that it has physical and environmental access controls
• Evaluate the security requirements of media transportation
2.13.6 Reviewing Alternative Processing Contract
2.13.7 Reviewing Insurance Coverage
• Coverage for media damage, business interruption, equipment replacement and business continuity
processing should be reviewed for adequacy
Self-Assessment Questions
1. Which of the following would be included in an IS strategic plan?
a) Specifications for planned hardware purchases
b) Analysis of future business objectives
c) Target dates for development projects
d) Annual budgetary targets for the IS department
2. What is considered the MOST critical element for the successful
implementation of an IS program?
a) An effective ERM framework
b) Senior management commitment
c) An adequate budgeting process
d) Meticulous program planning
3. An IS auditor should ensure that IT governance performance measures:
a) Evaluate the activities of IT oversight committees
b) Provide strategic IT drivers
c) Adhere to regulatory reporting standards and definitions
d) Evaluate the IT department
Answers
1. (b) Analysis of future business objectives
2. (b) Senior management commitment
3. (a) Evaluate the activities of IT oversight committees
CISA Training - Chapter 2 - 2016
IntroToActiveAuditHandbookEN.pptxIntroToActiveAuditHandbookEN.pptx
IntroToActiveAuditHandbookEN.pptxssuserbdcb221
 
CNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security ProgramsCNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security ProgramsSam Bowne
 
Information Security Governance and Strategy
Information Security Governance and Strategy Information Security Governance and Strategy
Information Security Governance and Strategy Dam Frank
 
IT Governance Presentation by omaha 2008
IT Governance Presentation by  omaha 2008IT Governance Presentation by  omaha 2008
IT Governance Presentation by omaha 2008ssusera19f45
 

Similaire à CISA Training - Chapter 2 - 2016 (20)

Ch2 2009 cisa
Ch2 2009 cisaCh2 2009 cisa
Ch2 2009 cisa
 
ISO27001_COBIT_Students.pptx
ISO27001_COBIT_Students.pptxISO27001_COBIT_Students.pptx
ISO27001_COBIT_Students.pptx
 
standards1.pdf
standards1.pdfstandards1.pdf
standards1.pdf
 
Governance and management of IT.pptx
Governance and management of IT.pptxGovernance and management of IT.pptx
Governance and management of IT.pptx
 
IT Governance.pptx
IT Governance.pptxIT Governance.pptx
IT Governance.pptx
 
Corporate governance of INFORMATION TECHNOLOGY (IT)
Corporate governance of INFORMATION TECHNOLOGY (IT)Corporate governance of INFORMATION TECHNOLOGY (IT)
Corporate governance of INFORMATION TECHNOLOGY (IT)
 
Chapter 1 Security Framework
Chapter 1   Security FrameworkChapter 1   Security Framework
Chapter 1 Security Framework
 
IT Govenence.pptx
IT Govenence.pptxIT Govenence.pptx
IT Govenence.pptx
 
Comparison of it governance framework-COBIT, ITIL, BS7799
Comparison of it governance framework-COBIT, ITIL, BS7799Comparison of it governance framework-COBIT, ITIL, BS7799
Comparison of it governance framework-COBIT, ITIL, BS7799
 
Executive's Handbook on IT Strategy and Governance
Executive's Handbook on IT Strategy and GovernanceExecutive's Handbook on IT Strategy and Governance
Executive's Handbook on IT Strategy and Governance
 
Planning for security and security audit process
Planning for security and security audit processPlanning for security and security audit process
Planning for security and security audit process
 
Isms
IsmsIsms
Isms
 
CoBIT 5 (A brief Description)
CoBIT 5 (A brief Description)CoBIT 5 (A brief Description)
CoBIT 5 (A brief Description)
 
CNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security ProgramsCNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security Programs
 
CISM_WK_1.pptx
CISM_WK_1.pptxCISM_WK_1.pptx
CISM_WK_1.pptx
 
PECB Webinar: Aligning COBIT 5.0 and ISO/IEC 38500
PECB Webinar: Aligning COBIT 5.0 and ISO/IEC 38500PECB Webinar: Aligning COBIT 5.0 and ISO/IEC 38500
PECB Webinar: Aligning COBIT 5.0 and ISO/IEC 38500
 
IntroToActiveAuditHandbookEN.pptx
IntroToActiveAuditHandbookEN.pptxIntroToActiveAuditHandbookEN.pptx
IntroToActiveAuditHandbookEN.pptx
 
CNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security ProgramsCNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security Programs
 
Information Security Governance and Strategy
Information Security Governance and Strategy Information Security Governance and Strategy
Information Security Governance and Strategy
 
IT Governance Presentation by omaha 2008
IT Governance Presentation by  omaha 2008IT Governance Presentation by  omaha 2008
IT Governance Presentation by omaha 2008
 

Dernier

FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusZilliz
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 

Dernier (20)

FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 

CISA Training - Chapter 2 - 2016

1. 2016 CISA ® Review Course
Hafiz Sheikh Adnan Ahmed – CISA, COBIT 5, ISO 27001 LA [PECB Certified Trainer]

2. Quick Reference Review
• IT Governance
• Governance of Enterprise IT
• Roles and Responsibilities of IT Steering Committee
• Governance of Information Security
• Risk Management
• Management Processes
• Segregation of duties
• Business Continuity & Disaster Recovery

3. 2.2. Corporate Governance
• A system by which business operations are directed and controlled
• A set of responsibilities and practices used by an organization’s management to provide strategic direction, ensuring that goals are achievable, risks are properly addressed and organizational resources are properly utilized
• A set of relationships between a company’s management, its board, its shareholders and other stakeholders
• Provides a structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined

4. 2.3. Governance of Enterprise IT (GEIT)
• GEIT implies a system in which all stakeholders provide input into a decision-making process
• GEIT is the responsibility of the board of directors and executive management
• Purpose is to direct IT endeavors to ensure that IT performance meets the objectives of aligning IT with the enterprise’s objectives & the realization of promised benefits
• A key element of GEIT is the alignment of business & IT

5. 2.3.1 Best practices for GEIT
• COBIT 5:
  • A framework developed by ISACA to ensure that IT is aligned with the business, IT enables the business and maximizes benefits, IT resources are used responsibly, & IT risks are appropriately managed
  • Provides tools to assess and measure performance of 37 processes
• ISO/IEC 27001:
  • Provides guidance in implementing & maintaining information security programs
• ITIL:
  • Deals with operational service management of IT

6. Best practices for GEIT (continued)
• IT Baseline Protection Catalogs:
  • Documents for detecting and combating security weak points in the IT environment. Over 3000 pages
• Information Security Management Maturity Model (ISM3):
  • Process model for security
• AS8015-2005:
  • Australian standard for corporate governance of information & communication technology
  • Later adopted as ISO/IEC 38500
• ISO/IEC 20000:
  • Specification for IT Service Management, aligned with ITIL
9. Audit Role in GEIT
• Provide recommendations to senior management to help improve the quality & effectiveness of the IT governance initiatives implemented
• Helps ensure compliance with GEIT initiatives
• Assess whether enterprise governance & GEIT are aligned
• Ensure alignment of the IS function with the organization’s mission, vision, values, objectives and strategies
• Ensure legal, regulatory, environmental, security and privacy requirements are met
• Consider the inherent risks within the IS environment

10. 2.3.2 IT Governing Committees

11. 2.3.3 IT Balanced Scorecard (BSC)
• A process management evaluation technique for assessing IT functions & processes
• Measures customer satisfaction, internal processes and the ability to innovate
• A three-layered structure addressing 4 perspectives:
  • Mission
  • Strategies
  • Measures
  • Sources
• Most effective method to aid the IT strategy committee and management in achieving IT governance through proper IT & business alignment

13. 2.3.4 Information Security Governance
• IS governance is part of IT governance
• Consists of:
  • CIA of information
  • Continuity of services
  • Protection of information assets
• Responsibility of the Board of Directors and executive management
• Outcomes include:
  • Strategic alignment
  • Risk management compliance
  • Value delivery

14. Effective IS Governance
• IS governance is a subset of corporate governance that provides strategic direction for security activities and ensures that objectives are achieved
• Ensures IS risks are managed and enterprise resources are used responsibly
• To achieve effective IS governance, management must establish and maintain a framework to guide the development & management of a comprehensive IS program that supports business objectives
• The framework includes, but is not limited to:
  • A comprehensive security strategy linked with corporate strategy and business objectives
  • Policies, procedures and guidelines
  • An effective organizational security structure
  • Monitoring processes to ensure compliance
16. 2.3.5 Enterprise Architecture (EA)
• EA involves documenting an organization’s IT assets in a structured manner to facilitate understanding, management and planning for IT investments
• Involves both a current-state and an optimized future-state representation
• The framework for EA was introduced by John Zachman

17. 2.4.1 Strategic Planning
• Long-term direction an enterprise wants to take in leveraging IT for improving its business processes
• Generally a three- to five-year plan
• IS Steering Committee and Strategy Committee play a key role in the development & implementation of plans
• IS auditor to pay full attention to the importance of IT strategic planning
• IS auditor must focus on the importance of the strategic planning process
• IT strategic plans must be synchronized with the overall business strategy

18. 2.4.2 Steering Committee
• Oversees the IS functions and activities
• Committee includes representatives of senior management, business departments & IT
• Duties and responsibilities defined in a formal charter
• Not usually involved in operational activities
• Reviews long- and short-term plans of the IS department to ensure they are aligned with corporate objectives
• Approves and monitors major projects
• Reviews and approves major acquisitions
• Reviews adequacy of resources

19. 2.5. Maturity & Process Improvement Models
• Various models such as CMMI, IDEAL, COBIT
• COBIT PAM:
  • A reference document for conducting capability assessments
  • Aligned with ISO/IEC 15504-2
  • Uses process capability and process performance indicators to determine process attributes
• IDEAL:
  • Initiate, Diagnose, Establish, Act, Learn
  • A process improvement program

20. 2.6. IT Investment & Allocation Practices
• IT’s value is determined by the relationship between the costs and benefits
• The larger the benefit in relation to cost, the greater the value of the IT project
• Implementation methods include:
  • Risk profile analysis
  • Diversification of projects
  • Infrastructure and technologies
  • Continuous alignment with business goals
  • Continuous improvement

21. 2.7.1 Policies
• High-level documents that represent the corporate philosophy of the organization
• Must be clear and concise
• Divisions and departments may define their own low-level policies
• Management to review policies periodically
• IS auditors to consider policies as part of the audit scope
• Ensure policies of third parties or outsourcers are not in conflict with the enterprise’s policies

22. Information Security Policy
• Security policy is the first step towards building the security infrastructure
• The cost of a control should NOT exceed the expected benefit to be derived
• Must be approved by senior management
• The ISO/IEC 27001 standard may be considered as a benchmark for the content covered by the IS policy:
  • Definition of information security, objectives, scope, importance to the organization
  • Alignment of information security with business objectives and goals
  • Brief explanation of policies and procedures and compliance requirements
  • Roles and responsibilities of the personnel involved
  • References to documentation which may support the policy

23. Information Security Policy (continued)
• IS policy to be communicated throughout the organization
• Must be accessible and understandable to the intended user
• Organizations may document IS policies as a set of policies. For example:
  • High-level Information Security Policy
  • Data Classification Policy
  • Acceptable Use Policy
  • End-User Computing Policy
  • Access Control Policy

24. Acceptable Use Policy (AUP)
• Defines a set of guidelines on how to use information system resources
• Explains acceptable computer use
• Must be clear and concise
• Clearly defines what sanctions will be applied if the user fails to comply with the AUP
• Compliance to be measured by regular audits
• Most common part of an AUP is the Acceptable Internet Usage Policy

25. Review of Information Security Policy
• Should be reviewed at planned intervals to ensure suitability, adequacy and effectiveness
• Review should include assessing opportunities for improvement to the organization’s IS policy
• To be reviewed by management while considering the feedback and inputs from:
  • Stakeholders
  • Interested parties
  • Previous results of management reviews
  • Trends related to threats and vulnerabilities
  • Reported information security incidents
  • Recommendations from relevant authorities

26. 2.7.2 Procedures
• Documented, defined steps for achieving policy objectives
• Must be derived from the parent policy
• Must be written in a clear and concise manner and be easily understood
• Document business processes and embedded controls
• More dynamic than their respective parent policies

27. 2.8. Risk Management
• A process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures to take to reduce risk to an acceptable level (i.e. residual risk), based on the value of the information resource to the organization
• Begins with a clear understanding of the organization’s appetite for risk
• RM includes identifying, analyzing, evaluating, treating, monitoring and communicating the impact of risk on IT processes

28. Risk Management (continued)
• Risk treatment includes:
29. 2.8.1 Developing a Risk Management Program
• Establish the purpose:
  • Determine the purpose for creating the risk management program
  • Define KPIs to determine its effectiveness
  • Senior management and the BOD set the tone and goals for the Risk Management Program
• Assign responsibility for the RM plan:
  • Designate a team or an individual responsible for developing and implementing the risk management program
  • Integrate risk management within all levels of the organization

30. 2.8.2 Risk Management Process
• The key management practices include:
  • Collect data
  • Analyze risk
  • Maintain a risk profile
  • Articulate risk
  • Define a risk management action portfolio
  • Respond to risk

31. Risk Management Process (continued)
• Threats: Any circumstance or event with the potential to cause harm to an information resource
  • Errors, malicious damage, fraud, theft, software failure etc.
• Vulnerability: Characteristics of information resources that can be exploited by a threat to cause harm
  • Lack of user knowledge, lack of security functionality, untrusted technology etc.
• Impact: The result of a threat agent exploiting a vulnerability
  • Direct loss of money, breach of legislation, loss of reputation etc.
• Risk: Probability of Occurrence × Magnitude of Impact
  • Risk is proportional to the estimated likelihood of the threat and the value of the loss/damage

32. 2.8.3 Risk Analysis Methods
• Qualitative Analysis:
  • Uses words or descriptive rankings to describe impact or likelihood
  • Simplest and most frequently used method
  • Based on checklists and subjective risk ratings like High, Medium, Low
• Semi-quantitative Analysis:
  • Rankings are associated with a numeric scale
  • Normally used when it is not possible to utilize a quantitative method, or to reduce subjectivity in qualitative methods
  • E.g. “High” may be given “5”; “Medium” may be given “3”; “Low” may be given “1”
• Quantitative Analysis:
  • Uses numeric values to describe impact or likelihood
  • Usually performed during the BIA
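The semi-quantitative method on slides 31 and 32 (Risk = Probability of Occurrence × Magnitude of Impact, with High/Medium/Low mapped to 5/3/1) worked through as an added example that is not part of the slide deck: the risk register, the asset and threat names, and the risk-appetite threshold are all constructed assumptions.

```python
"""Semi-quantitative risk scoring over a constructed sample register.

Added example, not from the CISA slides. The sample risks, the residual
ratings and RISK_APPETITE are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

# Word rankings mapped to the numeric scale the slide uses.
SCALE = {"High": 5, "Medium": 3, "Low": 1}


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str                          # High / Medium / Low (inherent)
    impact: str                              # High / Medium / Low (inherent)
    # Ratings after existing countermeasures; None = no control in place,
    # so the inherent rating carries through as the residual one.
    residual_likelihood: Optional[str] = None
    residual_impact: Optional[str] = None

    def __post_init__(self) -> None:
        # Reject ratings outside the agreed scale so a typo like "high"
        # cannot silently drop a risk out of the analysis.
        for rating in (self.likelihood, self.impact,
                       self.residual_likelihood, self.residual_impact):
            if rating is not None and rating not in SCALE:
                raise ValueError(f"unknown rating {rating!r} for {self.asset}")


def inherent_score(r: Risk) -> int:
    """Risk = Probability of Occurrence x Magnitude of Impact, before controls."""
    return SCALE[r.likelihood] * SCALE[r.impact]


def residual_score(r: Risk) -> int:
    """Same product after countermeasures (slide 27's residual risk)."""
    likelihood = r.residual_likelihood or r.likelihood
    impact = r.residual_impact or r.impact
    return SCALE[likelihood] * SCALE[impact]


def classify(score: int, appetite: int) -> str:
    """Compare a score with the organisation's risk appetite.

    Anything above the appetite still needs treatment (mitigate, transfer
    or avoid); anything at or below it can be accepted by the risk owner.
    """
    return "treat" if score > appetite else "accept"


def prioritise(register: List[Risk], appetite: int) -> List[dict]:
    """Rank the register by residual score (then inherent score) and
    attach the accept/treat decision for each entry."""
    rows = []
    for r in register:
        inherent, residual = inherent_score(r), residual_score(r)
        rows.append({
            "asset": r.asset,
            "threat": r.threat,
            "inherent": inherent,
            "residual": residual,
            "decision": classify(residual, appetite),
        })
    return sorted(rows, key=lambda row: (-row["residual"], -row["inherent"], row["asset"]))


# Constructed sample register (assumption; not from the slides).
SAMPLE_REGISTER = [
    Risk("Payroll DB", "Fraud", "Lack of security functionality",
         "Medium", "High", residual_likelihood="Low"),        # 15 -> 5
    Risk("Customer portal", "Malicious damage", "Untrusted technology",
         "High", "High"),                                      # 25 -> 25
    Risk("File server", "Software failure", "Lack of user knowledge",
         "Low", "Medium"),                                     # 3 -> 3
    Risk("HR records", "Theft", "Lack of security functionality",
         "Medium", "Medium", residual_impact="Low"),           # 9 -> 3
]

# Assumption: scores above Medium x Medium (9) exceed the appetite.
RISK_APPETITE = 9


if __name__ == "__main__":
    for row in prioritise(SAMPLE_REGISTER, RISK_APPETITE):
        print(f"{row['asset']:<16} {row['threat']:<18} "
              f"inherent={row['inherent']:>2} residual={row['residual']:>2} {row['decision']}")
```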
33. 2.9. Information Systems Management Practices
• Reflect the implementation of policies and procedures developed for various IS-related management activities
• Management activities to review the policy/procedure formulations and their effectiveness within the IS department

34. 2.9.1 Human Resource Management
• HR management relates to organizational policies and procedures for:
  • Recruiting
  • Selecting
  • Training
  • Promoting staff
  • Measuring staff performance, disciplining staff, succession planning, and staff retention
  • Termination

35. 2.9.2 Sourcing Practices
• Sourcing practices relate to the way in which the organization obtains the IS functions required to support the business
• This may include:
  • Insourced – Fully performed by the organization’s staff
  • Outsourced – Fully performed by the vendor’s staff
  • Hybrid – Performed by a mix of the organization’s and the vendor’s staff
• IS functions can be performed across the globe:
  • Onsite – Staff work onsite in the IS department
  • Offsite – Also known as near-shore; staff work at a remote location in the same geographic region
  • Offshore – Staff work at a remote location in a different geographic region

36. Sourcing Practices (continued)
• Reasons for outsourcing:
  • A desire to focus on core activities
  • Pressure on profit margins
  • Increasing competition that demands cost savings
  • Flexibility with respect to both organization and structure
• Enterprise to consider outsourcing provisions in the contracts, including security clauses
  • 38. Industry Standards / Benchmarking / Global Practices • Organizations to adhere to a well-defined set of standards • Legal, regulatory and tax issues • Cross-Border and Cross-Cultural issues • Telecommunication issues
  • 39. Governance in Outsourcing • Governance of outsourcing is the set of Roles and Responsibilities, objectives, interfaces, and controls required to anticipate change
  • 40. Service Delivery • Service delivery by a third party includes agreed on security agreements, service definitions, and aspects of service management • Ensure agreed on service continuity levels are maintained following major service failures or disaster
  • 41. Monitoring & Review ofThird-Party Services • Monitor the services provided by third party • Audits to be carried out regularly • Ensure information security terms and conditions of the agreements are being adhered to and managed properly
  • 42. Cloud Governance • Organization to maintain sufficient control and visibility into all security aspects for sensitive or critical information • Ensure to retain visibility in security activities such as change management, identification of vulnerabilities and information security incident reporting
  • 44. Service Improvement & User Satisfaction • Organizations to set service improvement expectations into the contracts with associated penalties and rewards • Service improvements to be agreed on by users and IT with the goals of improving user satisfaction and attaining business objectives • Service improvements to be monitored by interviewing and surveying users
  • 45. 2.9.3 Organizational Change Management • Use a defined and documented process to identify and apply technology improvements at the infrastructure and application level that are beneficial to the organization • IS department is the focal point for such changes
  • 46. 2.9.4 Financial Management Practices • IS Budgets: • Allows forecasting, monitoring and analyzing financial information • Should be linked to short-and-long term IT plans • Software Development: • Accounting standards require to have a detailed understanding of development efforts
  • 47. 2.9.5 Quality Management • One of the means by which IT department-based processes are controlled, measured and improved • Areas of control for quality management may include: • Software development, maintenance and implementation • Acquisition of hardware and software • Day-to-day operations • Service management • Security • HR • Various standards to assist IS organizations in achieving quality • Most prominent is ISO 9001:2008, Quality Management Systems
  • 48. 2.9.6 Information Security Management • Includes BIA, BCP & DRP • Major component is risk management
  • 49. 2.9.7 Performance Optimization • A process of improving information system productivity to the highest level possible without necessary, additional investment in the IT infrastructure • Critical Success Factors (CSF): • Used to create and facilitate action to improve performance and GEIT • Methodologies and Tools: • Various improvement and optimization tools available. E.g. ITIL, COBIT, PDCA, Six Sigma etc.
  • 50. 2.10. IS Organizational Structure & Responsibilities
  • 51. 2.10.1 IS Roles and Responsibilities • Organizational charts provide a clear definition of department’s hierarchy and authorities • JDs, RACI charts, workflow diagrams provide IS department employees a more complete and clear direction regarding their R&R • IS auditor to observe and determine whether formal JDs and structures coincide with real ones and are adequate
52. 2.10.2 Segregation of duties within IS
• Actual job titles and organizational structures vary greatly
• IS auditor to understand and determine the JDs, responsibilities and authorities, and assess the adequacy of segregation of duties
• Duties to be segregated include, but are not limited to:
  • Custody of assets
  • Authorization
  • Recording transactions
• When duties are segregated, access to the computer, production, data library, production programs etc. is limited, and the potential damage from the actions of one person is reduced
• IS auditor to understand the risk of combining functions
53. 2.10.3 Segregation of duties controls
• Transaction Authorization:
  • Responsibility of the user department
  • Periodic checks to be performed to detect unauthorized entry of transactions
• Custody of Assets:
  • Data owner is usually assigned
• Access to data:
  • Controls include a combination of physical, logical, system and application security
• Authorization forms:
  • Define the access rights of each individual
  • Access privileges to be reviewed periodically to ensure they are current and match the user's job functions
54. Compensating Controls for lack of Segregation of duties
• Compensating control measures must exist to mitigate the risk resulting from lack of segregation of duties
• Audit Trails:
  • Provide a map to retrace the flow of a transaction
• Reconciliation
• Exception Reporting
• Transaction logs
• Supervisory reviews
• Independent reviews
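The segregation-of-duties review described on slides 52 to 54, worked as an added example (not part of the course slides): it flags any user whose roles combine two or more of the duties the slides say must be separated, and reports whether one of the listed compensating controls is documented for that user. The role names, users and control mappings are constructed sample data.

```python
# Added example (not from the slides): detect users holding incompatible
# duties and check for a documented compensating control. Every name and
# mapping below is constructed sample data.

INCOMPATIBLE_DUTIES = {"custody", "authorization", "recording"}  # slide 52
# Compensating controls the slides accept when SoD cannot be achieved.
COMPENSATING_CONTROLS = {
    "audit_trail", "reconciliation", "exception_reporting",
    "transaction_logs", "supervisory_review", "independent_review",
}
# Constructed mapping of application roles to the duty each role performs.
ROLE_DUTY = {
    "ap_clerk": "recording",         # enters payables
    "ap_approver": "authorization",  # approves payables
    "vault_keeper": "custody",       # holds the asset
    "ap_reporting": None,            # read-only, no SoD-relevant duty
}


def duties_of(roles):
    """Return the SoD-relevant duties implied by a list of roles."""
    return {ROLE_DUTY[r] for r in roles if ROLE_DUTY.get(r)}


def find_conflicts(assignments, controls):
    """assignments: {user: [roles]}; controls: {user: set of control names}.

    Returns [(user, sorted conflicting duties, mitigated)] for each user who
    holds two or more incompatible duties. 'mitigated' is True only when a
    recognised compensating control is documented; an unrecognised control
    name (e.g. a memo) does not count and the conflict stays unmitigated.
    """
    findings = []
    for user, roles in sorted(assignments.items()):
        held = duties_of(roles) & INCOMPATIBLE_DUTIES
        if len(held) < 2:
            continue
        mitigated = bool(controls.get(user, set()) & COMPENSATING_CONTROLS)
        findings.append((user, sorted(held), mitigated))
    return findings


if __name__ == "__main__":
    # Constructed sample: bob records and approves; carol does all three.
    sample_assignments = {
        "bob": ["ap_clerk", "ap_approver"],
        "carol": ["vault_keeper", "ap_approver", "ap_clerk"],
    }
    sample_controls = {"bob": {"supervisory_review"}, "carol": {"memo"}}
    for user, duties, ok in find_conflicts(sample_assignments, sample_controls):
        print(f"{user}: {', '.join(duties)} -> {'compensated' if ok else 'UNMITIGATED'}")
```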
55. 2.11. Auditing IT Governance Structure and Implementation
• Problems IS auditors may face when auditing the IS function:
  • Excessive costs
  • Late projects
  • Inexperienced staff
  • Lack of adequate training
  • Poor motivation
  • Unfavorable end-user attitudes
56. 2.11.1 Reviewing Documentation
• Documents to be reviewed include:
  • IT strategies, plans and budgets
  • Security policy documentation
  • Organizational/functional charts
  • Job descriptions
  • Steering Committee reports
  • System development and program change procedures
  • Operations procedures
  • HR manuals
57. 2.11.2 Reviewing Contractual Commitments
• In reviewing a sample of contracts, the IS auditor should evaluate the following:
  • Service levels
  • Right to audit or third-party audit reporting
  • Software escrow
  • Penalties for non-compliance
  • Contract change process
  • Contract termination and associated penalties
  • Protection of customer information
58. 2.12. Business Continuity Planning
• Purpose of BC/DR is to enable a business to continue offering critical services in the event of a disruption and to survive a disastrous disruption to activities
• First step is to identify the business processes of strategic and critical importance
• Risk Assessment is conducted
• Business Impact Analysis (BIA) is performed
  • Determine the maximum downtime possible for a particular application and how much data could be lost
• BC/DR planning to address various aspects of business continuity and disaster recovery
• One or more plans to support the integrated BC/DR strategy
59. 2.12.1 IS Business Continuity Planning
• IS BCP to be aligned with the corporate BCP and support the overall strategy
• Periodically test the BCP to ensure it is relevant and up to date
60. 2.12.2 Disasters & Other Disruptive Events
• Disasters are disruptions that cause critical information resources to be inoperative for a period of time, adversely impacting organizational operations
• Could last from a few minutes to several months
• Reasons include:
  • Natural calamities
  • Failure of expected services, e.g. power, natural gas supply, telecommunications
  • Human-caused events, e.g. viruses, hacker attacks
61. Dealing with Damage to Image, Reputation or Brand
• Rumors or negative public opinion can be costly
• The organization's PR function plays an important role in maintaining and improving the image and reputation of the company
• Unanticipated/Unforeseeable Events
  • Unforeseeable (black swan) events are those that are a surprise to the observer, e.g. a storm in Abu Dhabi
62. 2.12.3 Business Continuity Planning Process
63. 2.12.4 Business Continuity Policy
• Defines the scope and extent of the business continuity effort
• Should be proactive: all possible controls to detect and prevent disruptions should be used
• Preventive and detective controls reduce the likelihood of a disruption; corrective actions mitigate the consequences
65. 2.12.5 BCP Incident Management
66. 2.12.6 Business Impact Analysis (BIA)
• BIA evaluates critical processes and determines time frames, priorities, resources and interdependencies
• To perform a BIA, one should obtain an understanding of the organization and its key business processes
• Requires a high level of senior management support and extensive involvement of IT and end-user personnel
• Different approaches to performing a BIA:
  • Questionnaire approach
  • Interviews
  • Group discussion and brainstorming
67.
• Two important factors:
  • RTO (Recovery Time Objective)
  • RPO (Recovery Point Objective)
68. 2.12.7 Development of Business Continuity Plans
• Based on the BIA and Risk Assessment, a detailed BCP/DRP is developed
• Various factors to consider while developing/reviewing a plan:
  • Evacuation procedures
  • Incident response plan
  • Procedures for declaring a disaster
  • Roles and responsibilities
  • Step-by-step explanation of the recovery process
  • Copies of the plan to be maintained offsite
69. 2.12.8 Other Issues in Plan Development
• Management and user involvement is vital to the success of the execution of the BCP
• Three major divisions that require involvement in the formulation of the BCP:
  • Support services
  • Business operations
  • Information processing support
70. 2.12.9 Components of a BC Plan
71. 2.12.10 Plan Testing
• Schedule BC tests at a time that will minimize disruptions to normal operations
• Address all critical components and simulate actual prime-time processing conditions
• The test must accomplish the following tasks:
  • Verify the completeness and precision of the BCP
  • Evaluate the performance of the personnel involved
  • Evaluate the coordination among the team, external vendors and suppliers
  • Measure the overall performance of operational and IS processing activities related to maintaining the business entity
72.
• Test execution phases:
  • Pretest
  • Test
  • Posttest
• Business Continuity Management best practices:
  • ISACA – COBIT
  • BCI – Business Continuity Institute
  • DRII – Disaster Recovery Institute International
73. 2.13. Auditing Business Continuity
• Auditor's tasks include:
  • Understanding and evaluating the BC strategy and its connection to business objectives
  • Reviewing the BIA findings to ensure that they reflect current business priorities and current controls
  • Evaluating RTO and RPO
  • Evaluating offsite storage to ensure its adequacy
  • Evaluating the ability of personnel to respond effectively in emergency situations
74. 2.13.1 Reviewing the Business Continuity Plan
• Review the documents
• Review the application(s) covered by the plan
• Review the business continuity team(s)
• Plan testing
75. 2.13.2 Evaluation of Prior Test Results
• The BCP coordinator should maintain historical documentation of the results of prior BC tests
• IS auditor to review the results and determine whether corrective actions have been incorporated into the plan
• Review to determine whether appropriate results were achieved
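The RTO/RPO evaluation from slides 67 and 73, applied to a prior test result as slide 75 describes, worked as an added example (not from the course slides): it takes each application's RTO and RPO from the BIA and the timestamps recorded during a recovery test, and reports achieved downtime and data loss against the objectives. Application names, objectives and timestamps are constructed sample data.

```python
# Added example (not from the slides): compare a BC test's measured outcome
# with the RTO/RPO the BIA set for each application. Names, objectives and
# timestamps below are constructed sample data.
from datetime import datetime, timedelta


def evaluate_test(objectives, results):
    """objectives: {app: (rto, rpo)} as timedeltas from the BIA.
    results: {app: (last_backup, disruption, restored)} as datetimes.

    Downtime (disruption -> restored) is checked against RTO; data loss
    (last_backup -> disruption, the transactions the restored copy lacks)
    against RPO. An application in the BIA with no test result is reported
    as untested, a gap to raise rather than silently pass.
    """
    report = {}
    for app, (rto, rpo) in sorted(objectives.items()):
        if app not in results:
            report[app] = {"tested": False}
            continue
        last_backup, disruption, restored = results[app]
        downtime = restored - disruption
        data_loss = disruption - last_backup
        report[app] = {
            "tested": True,
            "downtime": downtime,
            "data_loss": data_loss,
            "rto_met": downtime <= rto,
            "rpo_met": data_loss <= rpo,
        }
    return report


def sample_report():
    """Constructed BIA objectives and test timestamps (not real data)."""
    h = timedelta(hours=1)
    objectives = {
        "order_entry": (4 * h, 1 * h),   # RTO 4h, RPO 1h
        "payroll": (24 * h, 12 * h),     # RTO 24h, RPO 12h
        "crm": (8 * h, 4 * h),           # in the BIA but never tested
    }
    t0 = datetime(2016, 3, 12, 8, 0)     # disruption declared
    results = {
        "order_entry": (t0 - 3 * h, t0, t0 + 6 * h),  # 6h down, 3h lost
        "payroll": (t0 - 2 * h, t0, t0 + 5 * h),      # 5h down, 2h lost
    }
    return evaluate_test(objectives, results)


if __name__ == "__main__":
    for app, r in sample_report().items():
        print(app, r)
```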
76. 2.13.3 Evaluation of Offsite Storage
• Evaluate to ensure presence, synchronization and currency of critical media and documentation
• Includes files, application software, systems software, backup media tapes, necessary supplies etc.
• Perform a detailed inventory review
77. 2.13.4 Interviewing key personnel
• IS auditor to interview key personnel required for the successful recovery of business operations
• Review and verify that all key personnel have an understanding of their assigned responsibilities as well as up-to-date detailed documentation describing their tasks
78. 2.13.5 Evaluation of security at Offsite Facility
• Evaluate to ensure that it has physical and environmental access controls
• Evaluate the security requirements of media transportation
79. 2.13.6 Reviewing Alternative Processing Contract
80. 2.13.7 Reviewing Insurance Coverage
• Coverage for media damage, business interruption, equipment replacement and business continuity processing should be reviewed for adequacy
83. Self-Assessment Questions
1. Which of the following would be included in an IS strategic plan?
  a) Specifications for planned hardware purchases
  b) Analysis of future business objectives
  c) Target dates for development projects
  d) Annual budgetary targets for the IS department
84. Self-Assessment Questions
2. What is considered the MOST critical element for the successful implementation of an IS program?
  a) An effective ERM framework
  b) Senior management commitment
  c) An adequate budgeting process
  d) Meticulous program planning
85. Self-Assessment Questions
3. An IS auditor should ensure that IT governance performance measures:
  a) Evaluate the activities of IT oversight committees
  b) Provide strategic IT drivers
  c) Adhere to regulatory reporting standards and definitions
  d) Evaluate the IT department
86. Answers
1. (b) Analysis of future business objectives
2. (b) Senior management commitment
3. (a) Evaluate the activities of IT oversight committees