ISACA®
The recognized global leader in IT governance, control, security and assurance
2009 CISA® Review Course

Chapter 2
IT Governance
Course Agenda


•   Learning Objectives
•   Discuss Task and Knowledge Statements
•   Discuss specific topics within the chapter
•   Case studies
•   Sample questions
Exam Relevance

Ensure that the CISA candidate…
Understands and can provide assurance that the organization has
the structure, policies, accountability mechanisms and monitoring
practices in place to achieve the requirements of corporate
governance of IT.

The content area in this chapter will represent approximately 15% of
the CISA examination (approximately 30 questions).

% of Total Exam Questions:
•   Chapter 1: 10%
•   Chapter 2: 15%
•   Chapter 3: 16%
•   Chapter 4: 14%
•   Chapter 5: 31%
•   Chapter 6: 14%
Chapter 2 Learning Objectives

• Evaluate the effectiveness of IT governance structure to
  ensure adequate board control over the decisions,
  directions and performance of IT, so it supports the
  organization's strategies and objectives
• Evaluate IT organizational structure and human
  resources (personnel) management to ensure that they
  support the organization's strategies and objectives
• Evaluate the IT strategy and process for their
  development, approval, implementation and
  maintenance to ensure that they support the
  organization's strategies and objectives
Chapter 2 Learning Objectives (continued)

• Evaluate the organization's IT policies, standards,
  procedures and processes for their development,
  approval, implementation and maintenance to ensure that
  they support the IT strategy and comply with regulatory
  and legal requirements
• Evaluate management practices to ensure compliance
  with the organization's IT strategy, policies, standards and
  procedures
• Evaluate IT resource investment, use and allocation
  practices to ensure alignment with the organization's
  strategies and objectives
Chapter 2 Learning Objectives (continued)
• Evaluate IT contracting strategies and policies and
  contract management practices to ensure that they
  support the organization's strategies and objectives
• Evaluate risk management practices to ensure that the
  organization's IT-related risks are properly managed
• Evaluate monitoring and assurance practices to ensure
  that the board and executive management receive
  sufficient and timely information about IT performance
2.2 Corporate Governance


• Ethical corporate behavior by directors or others charged
  with governance in the creation and presentation of
  value for all stakeholders
• The distribution of rights and responsibilities among
  different participants in the corporation, such as board,
  managers, shareholders and other stakeholders
• Establishment of rules to manage and report on
  business risks
2.3 Monitoring and Assurance Practices for Board and Executive Management
• Enterprises are governed by generally accepted good or best
  practices, the assurance of which is provided by certain
  controls. From these practices flows the organization’s
  direction, which indicates certain activities using the
  organization’s resources. The results of these activities are
  measured and reported on, providing input to the cyclical
  revision and maintenance of controls.
• IT is also governed by good or best practices that ensure that
  the organization’s information and related technology support
  its business objectives, its resources are used responsibly,
  and its risks are managed appropriately.
2.3 Monitoring and Assurance Practices for Board and Executive Management (continued)

• Effective enterprise governance focuses individual
  and group expertise and experience on specific areas
  where they can be most effective
• IT governance is concerned with two issues: that IT
  delivers value to the business and that IT risks are
  managed
• IT governance is the responsibility of the board of
  directors and executive management
Practice Question


2-1   IT governance ensures that an organization
      aligns its IT strategy with:
       A.   enterprise objectives.
       B.   IT objectives.
       C.   audit objectives.
       D.   control objectives.
2.3.1 Best Practices for IT Governance

IT governance has become significant due to:
•   Demands for better return from IT investments
•   Increases in IT expenditures
•   Regulatory requirements for IT controls
•   Selection of service providers and outsourcing
•   Complexity of network security
•   Adoptions of control frameworks
•   Benchmarking
2.3.1 Best Practices for IT Governance (continued)

Audit role in IT governance
• Audit plays a significant role in the successful
  implementation of IT governance within an
  organization
• Reporting on IT governance involves auditing at the
  highest level in the organization and may cross
  division, functional or departmental boundaries
2.3.1 Best Practices for IT Governance (continued)

• In accordance with the defined role of the IS auditor,
  the following aspects related to IT governance need
  to be assessed:
   – The IS function’s alignment with the organization’s mission,
     vision, values, objectives and strategies
   – The IS function’s achievement of performance objectives
     established by the business (effectiveness and efficiency)
   – Legal, environmental, information quality, and fiduciary and
     security requirements
   – The control environment of the organization
   – The inherent risks within the IS environment
2.3.2 IT Strategy Committee


• The creation of an IT strategy committee is an industry
  best practice
• Committee should broaden its scope to include not only
  advice on strategy when assisting the board in its IT
  governance responsibilities, but also to focus on IT
  value, risks and performance
2.3.3 Standard IT Balanced Scorecard

• A process management evaluation technique that can be
  applied to the IT governance process in assessing IT
  functions and processes
• Method goes beyond the traditional financial evaluation
• One of the most effective means to aid the IT strategy
  committee and management in achieving IT and
  business alignment
2.3.4 Information Security Governance

• Focused activity with specific value drivers
   – Integrity of information
   – Continuity of services
   – Protection of information assets
• Integral part of IT governance
• Importance of information security governance
2.3.4 Information Security Governance (continued)

Importance of information security governance
• Information security (Infosec) covers all information
  processes, physical and electronic, regardless of whether
  they involve people and technology or relationships with
  trading partners, customers and third parties.
• Infosec is concerned with all aspects of information and its
  protection at all points of its life cycle within the
  organization.
2.3.4 Information Security Governance (continued)

Effective information security can add significant
value to an organization by:
   • Providing greater reliance on interactions with
     trading partners
   • Improving trust in customer relationships
   • Protecting the organization’s reputation
   • Enabling new and better ways to process
     electronic transactions
2.3.4 Information Security Governance (continued)

Outcomes of security governance
• Strategic alignment—align with business strategy
• Risk management—manage and execute appropriate
  measures to mitigate risks
• Value delivery—optimize security investments
• Performance measurement—measure, monitor and report
  on information security processes
• Resource management—utilize information security
  knowledge and infrastructure efficiently and effectively
• Process integration—integration of management assurance
  processes for security
2.3.4 Information Security Governance (continued)
Effective information security governance
• To achieve effective information security governance,
  management must establish and maintain a framework
  to guide the development and management of a
  comprehensive information security program that
  supports business objectives
• This framework provides the basis for the development
  of a cost-effective information security program that
  supports the organization’s business goals.
2.3.4 Information Security Governance (continued)

Information security governance requires strategic
direction and impetus from:
 •   Boards of directors / senior management
 •   Executive management
 •   Steering committees
 •   Chief information security officers
2.3.5 Enterprise Architecture


• Involves documenting an organization’s IT assets in a
  structured manner to facilitate understanding,
  management and planning for IT investments
• Often involves both a current state and optimized future
  state representation
2.3.5 Enterprise Architecture (continued)

The Basic Zachman Framework is a matrix of perspectives (rows) against
architectural aspects (columns):
Columns: Data, Functional, Network, People, Process, Strategy
Rows:
•   Scope
•   Enterprise Model
•   Systems Model
•   Technology Model
•   Detailed Representation
2.3.5 Enterprise Architecture (continued)

The Federal Enterprise Architecture (FEA)
hierarchy:
 •   Performance
 •   Business
 •   Service component
 •   Technical
 •   Data
2.4.1 Strategic Planning


• From an IS standpoint, strategic planning relates to
  the long-term direction an organization wants to take
  in leveraging information technology for improving its
  business processes
• Effective IT strategic planning involves a consideration
  of the organization’s demand for IT and its IT supply
  capacity
2.4.1 Strategic Planning (continued)

• The IS auditor should pay attention to the importance
  of IT strategic planning
• Focus on the importance of a strategic planning
  process or planning framework
• Consider how the CIO or senior IT management are
  involved in the creation of the overall business
  strategy
Practice Question


2-2   Which of the following would be included in
      an IS strategic plan?
       A. Specifications for planned hardware
          purchases
       B. Analysis of future business objectives
       C. Target dates for development projects
       D. Annual budgetary targets for the IS
          department
Practice Question

2-3 Which of the following BEST describes an IT department’s
    strategic planning process?
     A. The IT department will have either short-range or long-range plans
        depending on the organization’s broader plans and objectives.
     B. The IT department’s strategic plan must be time- and project-oriented, but
        not so detailed as to address and help determine priorities to meet business
        needs.
     C. Long-range planning for the IT department should recognize organizational
        goals, technological advances and regulatory requirements.
     D. Short-range planning for the IT department does not need to be integrated
        into the short-range plans of the organization since technological advances
        will drive the IT department plans much quicker than organizational plans.
2.4.2 Steering Committee


• An organization’s senior management should appoint a
  planning or steering committee to oversee the IS
  function and its activities
• A high-level steering committee for information
  technology is an important factor in ensuring that the IS
  department is in harmony with the corporate mission and
  objectives
2.5.1 Policies


• High-level documents
• Represent the corporate philosophy of an organization
• Must be clear and concise to be effective
2.5.1 Policies (continued)


• Management should review all policies carefully
• Policies need to be updated to reflect new technology
  and significant changes in business processes
• Policies formulated must enable achievement of
  business objectives and implementation of IS controls
2.5.1 Policies (continued)

Information security policies
• Communicate a coherent security standard to users,
  management and technical staff
• Must balance the level of control with the level of
  productivity
• Provide management the direction and support for
  information security in accordance with business
  requirements, relevant laws and regulations
2.5.1 Policies (continued)


Information security policy document
•   Definition of information security
•   Statement of management intent
•   Framework for setting control objectives
•   Brief explanation of security policies
•   Definition of responsibilities
•   References to documentation
2.5.1 Policies (continued)


Policy groups to be addressed
•   High-level information security policy
•   Data classification policy
•   Acceptable usage policy
•   End user computing policy
•   Access control policies
2.5.1 Policies (continued)

Review of the information security policy
document
• Should be reviewed at planned intervals or when
  significant changes occur to ensure its continuing
  suitability, adequacy and effectiveness
• Should have an owner who has approved management
  responsibility for the development, review and
  evaluation of the security policy
• Review should include assessing opportunities for
  improvement to the organization’s information security
  policy
2.5.2 Procedures


Procedures are detailed documents that:
•   Define and document implementation policies
•   Must be derived from the parent policy
•   Must implement the spirit (intent) of the policy statement
•   Must be written in a clear and concise manner
2.6 Risk Management


The process of identifying vulnerabilities and threats
to the information resources used by an organization
in achieving business objectives
2.6.1 Developing a Risk Management Program


To develop a risk management program:
• Establish the purpose of the risk management program
• Assign responsibility for the risk management plan
2.6.2 Risk Management Process

• Identification and classification of information
  resources or assets that need protection
• Assess threats and vulnerabilities and the likelihood
  of their occurrence
• Once the elements of risk have been established
  they are combined to form an overall view of risk
2.6.2 Risk Management Process (continued)

• Evaluate existing controls or design new controls to
  reduce the vulnerabilities to an acceptable level of
  risk
• Residual risk
2.6.2 Risk Management Process (continued)

IT risk management needs to operate at
multiple levels including:
• Operational—Risks that could compromise the
  effectiveness of IT systems and supporting
  infrastructure
• Project—Risk management needs to focus on the ability
  to understand and manage project complexity
• Strategic—The risk focus shifts to considerations such
  as how well the IT capability is aligned with the business
  strategy
2.6.3 Risk Analysis Methods


• Qualitative
• Semiquantitative
• Quantitative
   – Probability and expectancy
   – Annual loss expectancy method
2.6.3 Risk Analysis Methods (continued)

Management and IS auditors should keep in
mind certain considerations:
• Risk management should be applied to IT functions throughout the
  company
• Senior management responsibility
• Quantitative RM is preferred over qualitative approaches
• Quantitative RM always faces the challenge of estimating risks
• Quantitative RM provides more objective assumptions
• The real complexity or the apparent sophistication of the methods or
  packages used should not be a substitute for commonsense or
  professional diligence
• Special care should be given to very high impact events, even if the
  probability of occurrence over time is very low.
2.7.1 Personnel Management

•   Hiring
•   Employee handbook
•   Promotion policies
•   Training
•   Scheduling and time reporting
•   Employee performance evaluations
•   Required vacations
•   Termination policies
2.7.2 Sourcing Practices

• Sourcing practices relate to the way an organization
  obtains the IS function required to support the
  business
• Organizations can perform all IS functions in-house
  or outsource all functions across the globe
• Sourcing strategy should consider each IS function
  and determine which approach allows the IS function
  to meet the organization’s goals
2.7.2 Sourcing Practices (continued)

Outsourcing practices and strategies
• Contractual agreements under which an organization
  hands over control of part or all of the functions of the IS
  department to an external party
• Becoming increasingly important in many organizations
• The IS auditor must be aware of the various forms
  outsourcing can take as well as the associated risks
2.7.2 Sourcing Practices (continued)

Possible advantages:
• Commercial outsourcing companies likely to devote more
  time and focus more efficiently on a given project than
  in-house staff
• Outsourcing vendors likely to have more experience with a
  wider array of problems, issues and techniques

Possible disadvantages:
•   Costs exceeding customer expectations
•   Loss of internal IS experience
•   Loss of control over IS
•   Vendor failure
2.7.2 Sourcing Practices (continued)

Risks can be reduced by:
•   Establishing measurable, partnership-enacted shared goals and
    rewards
•   Using multiple suppliers or withholding a piece of business as an
    incentive
•   Performing periodic competitive reviews and benchmarking/bench
    trending
•   Implementing short-term contracts
•   Forming a cross-functional contract management team
•   Including contractual provisions to consider as many contingencies
    as can reasonably be foreseen
2.7.2 Sourcing Practices (continued)

Globalization practices and strategies
•   Requires management to actively oversee the remote or offshore
    locations
•   The IS auditor can assist an organization in moving IS functions
    offsite or offshore by ensuring that IS management considers the
    following:
    –   Legal, regulatory and tax issues
    –   Continuity of operations
    –   Personnel
    –   Telecommunication issues
    –   Cross-border and cross-cultural issues
2.7.2 Sourcing Practices (continued)

Governance in outsourcing
• Mechanism that allows organizations to transfer the
  delivery of services to third parties
• Accountability remains with the management of the
  client organization
• Transparency and ownership of the decision-making
  process must reside within the purview of the client
2.7.2 Sourcing Practices (continued)

Third-party service delivery management
• Every organization using the services of third parties
  should have a service delivery management system
  in place to implement and maintain the appropriate
  level of information security and service delivery in
  line with third-party service delivery agreements
• The organization should check the implementation of
  agreements, monitor compliance with the
  agreements and manage changes to ensure that the
  services delivered meet all requirements agreed to
  with the third party.
2.7.3 Organizational Change Management

What is change management?
• Managing IT changes for the organization
  – Identify and apply technology improvements at the
    infrastructure and application level
2.7.5 Quality Management


• Software development, maintenance and implementation
• Acquisition of hardware and software
• Day-to-day operations
• Service management
• Security
• Human resource management
• General administration
Practice Question

2-4   The MOST important responsibility of a data
      security officer in an organization is:
       A.   recommending and monitoring data security policies.
       B.   promoting security awareness within the organization.
       C.   establishing procedures for IT security policies.
       D.   administering physical and logical access controls.
Practice Question


2-5   Which of the following is MOST likely to be
      performed by the security administrator?
        A.   Approving the security policy
        B.   Testing application software
        C.   Ensuring data integrity
        D.   Maintaining access rules
2.7.7 Performance Optimization

• Process driven by performance indicators
• Optimization refers to the process of improving the
  productivity of information systems to the highest
  level possible without unnecessary, additional
  investment in the IT infrastructure
2.7.7 Performance Optimization (continued)

Five ways to use performance measures:
  •   Measure products/services
  •   Manage products/services
  •   Assure accountability
  •   Make budget decisions
  •   Optimize performance
Practice Question


2-6   An IS auditor should ensure that IT
      governance performance measures:
       A.   evaluate the activities of IT oversight committees.
       B.   provide strategic IT drivers.
       C.   adhere to regulatory reporting standards and definitions.
       D.   evaluate the IT department.
2.8 IS Organizational Structure and Responsibilities
2.8.1 IS Roles and Responsibilities

• Systems development manager
• Help desk
• End user
• End user support manager
2.8.1 IS Roles and Responsibilities (continued)

•   Data management
•   Quality assurance manager
•   Vendor and outsourcer management
•   Operations manager
2.8.1 IS Roles and Responsibilities (continued)

• Control group
• Media management
• Data entry
• Systems administration
2.8.1 IS Roles and Responsibilities (continued)

• Security administration
• Quality assurance
• Database administration
2.8.1 IS Roles and Responsibilities (continued)

•   Systems analyst
•   Security architect
•   Applications development and maintenance
•   Infrastructure development and maintenance
•   Network management
2.8.2 Segregation of Duties Within IS

• Avoids possibility of errors or misappropriations
• Discourages fraudulent acts
• Limits access to data
2.8.2 Segregation of Duties Within IS (continued)
Practice Question


2-7   Which of the following tasks may be performed by the
      same person in a well-controlled information
      processing computer center?
       A.   Security administration and change management
       B.   Computer operations and system development
       C.   System development and change management
       D.   System development and systems maintenance
Practice Question


2-8   Which of the following is the MOST critical
      control over database administration?
        A.   Approval of DBA activities
        B.   Segregation of duties
        C.   Review of access logs and activities
        D.   Review of the use of database tools
2.8.3 Segregation of Duties Controls

Control measures to enforce segregation of duties
include:
  • Transaction authorization
  • Custody of assets
  • Access to data
     – Authorization forms
     – User authorization tables
2.8.3 Segregation of Duties Controls (continued)

Compensating controls for lack of segregation
of duties include:
  •   Audit trails
  •   Reconciliation
  •   Exception reporting
  •   Transaction logs
  •   Supervisory reviews
  •   Independent reviews
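The two lists above (control measures that enforce segregation of duties, and compensating controls where it cannot be achieved) are what an IS auditor checks against a user authorization table. The following is an added illustration, not part of the CISA course material: the conflict rules, the user table and the compensating-control labels are constructed for the example, and the function names are hypothetical.

```python
"""Segregation-of-duties check over a user authorization table.

Added example (not from the CISA course material). The conflict rules and
the sample authorization table are constructed for illustration. The
check flags every user who holds two incompatible duties and reports
whether a compensating control (audit trail, supervisory review, ...) is
recorded for that user, which is what an auditor looks for when full
segregation is not practical.
"""
from dataclasses import dataclass, field
from itertools import combinations

# Constructed conflict rules: pairs of duties one person should not hold
# at the same time. Order within a pair does not matter.
CONFLICTING_DUTIES = {
    frozenset({"transaction_authorization", "asset_custody"}),
    frozenset({"transaction_authorization", "transaction_recording"}),
    frozenset({"asset_custody", "transaction_recording"}),
    frozenset({"application_programming", "computer_operations"}),
    frozenset({"security_administration", "change_management"}),
}


@dataclass
class UserEntry:
    """One row of a user authorization table (constructed format)."""
    user: str
    duties: set
    compensating_controls: set = field(default_factory=set)


@dataclass
class Finding:
    user: str
    duty_a: str
    duty_b: str
    compensating_controls: tuple


def find_sod_conflicts(table):
    """Return a Finding for every conflicting duty pair held by one user."""
    findings = []
    for entry in table:
        for a, b in combinations(sorted(entry.duties), 2):
            if frozenset({a, b}) in CONFLICTING_DUTIES:
                findings.append(Finding(entry.user, a, b,
                                        tuple(sorted(entry.compensating_controls))))
    return findings


def uncompensated(findings):
    """Conflicts with no compensating control recorded: highest audit priority."""
    return [f for f in findings if not f.compensating_controls]


# Constructed sample authorization table.
SAMPLE_TABLE = [
    UserEntry("alice", {"transaction_authorization", "transaction_recording"},
              {"supervisory_review"}),
    # Small shop: operator who also programs, with nothing compensating.
    UserEntry("bob", {"application_programming", "computer_operations"}),
    UserEntry("carol", {"data_entry", "help_desk"}),
    UserEntry("dave", {"security_administration", "change_management", "asset_custody"},
              {"audit_trail"}),
]


def audit_report(table=SAMPLE_TABLE):
    """Summarise as (total conflicts, users whose conflicts are uncompensated)."""
    findings = find_sod_conflicts(table)
    return len(findings), sorted({f.user for f in uncompensated(findings)})


if __name__ == "__main__":
    for f in find_sod_conflicts(SAMPLE_TABLE):
        status = ("compensated by " + ", ".join(f.compensating_controls)
                  if f.compensating_controls else "NO compensating control")
        print(f"{f.user}: {f.duty_a} + {f.duty_b} ({status})")
    print(audit_report())
```

On the constructed table this reports three conflicts, of which only bob's has no compensating control recorded.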
Practice Question

2-9     When a complete segregation of duties
      cannot be achieved in an online system
      environment, which of the following functions
      should be separated from the others?
          A.   Origination
          B.   Authorization
          C.   Recording
          D.   Correction
Practice Question

2-10 In a small organization, where segregation of duties
     is not practical, an employee performs the function
     of computer operator and application programmer.
     Which of the following controls should an IS auditor
     recommend?
       A.   Automated logging of changes to development libraries
       B.   Additional staff to provide segregation of duties
       C.   Procedures that verify that only approved program changes are implemented
       D.   Access controls to prevent the operator from making program modifications
2.9 Auditing IT Governance Structure and Implementation

Indicators of potential problems include:
•   Unfavorable end-user attitudes
•   Excessive costs
•   Budget overruns
•   Late projects
•   High staff turnover
•   Inexperienced staff
•   Frequent hardware/software errors
2.9.1 Reviewing Documentation
The following documents should be reviewed:
•   IT strategies, plans and budgets
•   Security policy documentation
•   Organization/functional charts
•   Job descriptions
•   Steering committee reports
•   System development and program change procedures
•   Operations procedures
•   Human resource manuals
•   Quality assurance procedures
2.9.2 Reviewing Contractual Commitments

There are various phases to computer hardware,
software and IS service contracts, including:
•   Development of contract requirements and service levels
•   Contract bidding process
•   Contract selection process
•   Contract acceptance
•   Contract maintenance
•   Contract compliance
Case Study A Scenario

An IS auditor has been asked to review the draft of an
outsourcing contract and SLA and recommend any
changes or point out any concerns prior to these being
submitted to senior management for final approval. The
agreement includes outsourcing support of Windows and
UNIX server administration and network management to a
third party.

Servers will be relocated to the outsourcer’s facility that is
located in another country, and connectivity will be
established using the Internet. Operating system software
will be upgraded on a semiannual basis, but it will not be
escrowed. All requests for addition or deletion of user
accounts will be processed within three business days.
Case Study A Scenario (continued)

Intrusion detection software will be continuously monitored
by the outsourcer and the customer notified by e-mail if any
anomalies are detected. New employees hired within the
last three years were subject to background checks. Prior
to that, there was no policy in place.

A right to audit clause is in place, but 24-hour notice is
required prior to an onsite visit. If the outsourcer is found to
be in violation of any of the terms or conditions of the
contract, it will have 10 business days to correct the
deficiency. The outsourcer does not have an IS auditor, but
it is audited by a regional public accounting firm.
Case Study A Question


1. Which of the following should be of MOST
   concern to the IS auditor?
     A. User account changes are processed within three business
        days.
     B. Twenty-four hour notice is required prior to an onsite visit.
     C. The outsourcer does not have an IS audit function.
     D. Software escrow is not included in the contract.
Case Study A Question

2.   Which of the following would be the MOST significant
     issue to address if the servers contain personally
     identifiable customer information that is regularly
     accessed and updated by end users?
       A. The country in which the outsourcer is based prohibits the
          use of strong encryption for transmitted data.
       B. The outsourcer limits its liability if it took reasonable steps to
          protect the customer data.
       C. The outsourcer did not perform background checks for
          employees hired over three years ago.
       D. System software is only upgraded once every six months.
Conclusion

• Chapter 2 Quick Reference Review
  – Pages 127-128 of CISA Review Manual 2009
• Additional Case Studies
  – Case Study B – page 130 of CISA Review Manual
    2009
  – Case Study C – page 131 of CISA Review Manual
    2009
  – Case Study D – page 132 of CISA Review Manual
    2009

Domain 6 - Security Assessment and TestingDomain 6 - Security Assessment and Testing
Domain 6 - Security Assessment and Testing
 
Introduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity FrameworkIntroduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity Framework
 
ISO 27001 How to accelerate the implementation.pdf
ISO 27001 How to accelerate the implementation.pdfISO 27001 How to accelerate the implementation.pdf
ISO 27001 How to accelerate the implementation.pdf
 
Control and Audit Information System
Control and Audit Information SystemControl and Audit Information System
Control and Audit Information System
 
Security models for security architecture
Security models for security architectureSecurity models for security architecture
Security models for security architecture
 
ISO 27001 2013 isms final overview
ISO 27001 2013 isms final overviewISO 27001 2013 isms final overview
ISO 27001 2013 isms final overview
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
 
Overview of BCBS 239
Overview of BCBS 239Overview of BCBS 239
Overview of BCBS 239
 

En vedette

CISA exam 100 practice question
CISA exam 100 practice questionCISA exam 100 practice question
CISA exam 100 practice questionArshad A Javed
 
1 q is-auditprocess
1 q is-auditprocess1 q is-auditprocess
1 q is-auditprocessAlamelu Babu
 
Cisa exam mock test questions-1
Cisa exam mock test questions-1Cisa exam mock test questions-1
Cisa exam mock test questions-1Hemang Doshi
 
Chap2 2007 Cisa Review Course
Chap2 2007 Cisa Review CourseChap2 2007 Cisa Review Course
Chap2 2007 Cisa Review CourseDesmond Devendran
 
Information System & IT Audit BML 303 past paper pack 2016
Information System & IT Audit BML 303 past paper pack 2016Information System & IT Audit BML 303 past paper pack 2016
Information System & IT Audit BML 303 past paper pack 2016San King
 
E-commerce Security and Threats
E-commerce Security and ThreatsE-commerce Security and Threats
E-commerce Security and ThreatsBPalmer13
 

En vedette (9)

CISA exam 100 practice question
CISA exam 100 practice questionCISA exam 100 practice question
CISA exam 100 practice question
 
1 q is-auditprocess
1 q is-auditprocess1 q is-auditprocess
1 q is-auditprocess
 
Cisa exam mock test questions-1
Cisa exam mock test questions-1Cisa exam mock test questions-1
Cisa exam mock test questions-1
 
Chap2 2007 Cisa Review Course
Chap2 2007 Cisa Review CourseChap2 2007 Cisa Review Course
Chap2 2007 Cisa Review Course
 
Information System & IT Audit BML 303 past paper pack 2016
Information System & IT Audit BML 303 past paper pack 2016Information System & IT Audit BML 303 past paper pack 2016
Information System & IT Audit BML 303 past paper pack 2016
 
CISA Training - Chapter 4 - 2016
CISA Training - Chapter 4 - 2016CISA Training - Chapter 4 - 2016
CISA Training - Chapter 4 - 2016
 
des
desdes
des
 
CISA Training - Chapter 3 - 2016
CISA Training - Chapter 3 - 2016CISA Training - Chapter 3 - 2016
CISA Training - Chapter 3 - 2016
 
E-commerce Security and Threats
E-commerce Security and ThreatsE-commerce Security and Threats
E-commerce Security and Threats
 

Similaire à Ch2 2009 cisa

IT Governance.pptx
IT Governance.pptxIT Governance.pptx
IT Governance.pptxFaith Shimba
 
Ch2-CIISA_IT Governance.pdf
Ch2-CIISA_IT Governance.pdfCh2-CIISA_IT Governance.pdf
Ch2-CIISA_IT Governance.pdfDanteHayashi
 
Cobit Training course
Cobit Training courseCobit Training course
Cobit Training courseIman Baradari
 
IT Governance Presentation by omaha 2008
IT Governance Presentation by  omaha 2008IT Governance Presentation by  omaha 2008
IT Governance Presentation by omaha 2008ssusera19f45
 
Cyber Security_Consultant_Nial Lande.pptx
Cyber Security_Consultant_Nial Lande.pptxCyber Security_Consultant_Nial Lande.pptx
Cyber Security_Consultant_Nial Lande.pptxkoushikDutta62
 
Information Security Governance and Strategy
Information Security Governance and Strategy Information Security Governance and Strategy
Information Security Governance and Strategy Dam Frank
 
Corporate governance of INFORMATION TECHNOLOGY (IT)
Corporate governance of INFORMATION TECHNOLOGY (IT)Corporate governance of INFORMATION TECHNOLOGY (IT)
Corporate governance of INFORMATION TECHNOLOGY (IT)Osman Hasan
 
CISM_WK_1.pptx
CISM_WK_1.pptxCISM_WK_1.pptx
CISM_WK_1.pptxdotco
 
Professional Designations IT Assurance
Professional Designations IT AssuranceProfessional Designations IT Assurance
Professional Designations IT Assurancea3virani
 
Syllabus CIISA ( Certified Internasional Information System Auditor ).pdf
Syllabus CIISA ( Certified Internasional Information System Auditor ).pdfSyllabus CIISA ( Certified Internasional Information System Auditor ).pdf
Syllabus CIISA ( Certified Internasional Information System Auditor ).pdfYoyo Sudaryo
 
crisc_wk_2a.pptx
crisc_wk_2a.pptxcrisc_wk_2a.pptx
crisc_wk_2a.pptxdotco
 
Ch1-201ASasASAsaSAsasaSAsaSAsaaa0_CISA.ppt
Ch1-201ASasASAsaSAsasaSAsaSAsaaa0_CISA.pptCh1-201ASasASAsaSAsasaSAsaSAsaaa0_CISA.ppt
Ch1-201ASasASAsaSAsasaSAsaSAsaaa0_CISA.pptssuserde23af
 
Planning for security and security audit process
Planning for security and security audit processPlanning for security and security audit process
Planning for security and security audit processDivya Tiwari
 
ISO27001_COBIT_Students.pptx
ISO27001_COBIT_Students.pptxISO27001_COBIT_Students.pptx
ISO27001_COBIT_Students.pptxjojo82637
 
CoBIT 5 (A brief Description)
CoBIT 5 (A brief Description)CoBIT 5 (A brief Description)
CoBIT 5 (A brief Description)Sam Mandebvu
 

Similaire à Ch2 2009 cisa (20)

IT Governance.pptx
IT Governance.pptxIT Governance.pptx
IT Governance.pptx
 
Ch2-CIISA_IT Governance.pdf
Ch2-CIISA_IT Governance.pdfCh2-CIISA_IT Governance.pdf
Ch2-CIISA_IT Governance.pdf
 
It governance
It governanceIt governance
It governance
 
IT Govenence.pptx
IT Govenence.pptxIT Govenence.pptx
IT Govenence.pptx
 
Cobit Training course
Cobit Training courseCobit Training course
Cobit Training course
 
IT Governance Presentation by omaha 2008
IT Governance Presentation by  omaha 2008IT Governance Presentation by  omaha 2008
IT Governance Presentation by omaha 2008
 
Cyber Security_Consultant_Nial Lande.pptx
Cyber Security_Consultant_Nial Lande.pptxCyber Security_Consultant_Nial Lande.pptx
Cyber Security_Consultant_Nial Lande.pptx
 
Information Security Governance and Strategy
Information Security Governance and Strategy Information Security Governance and Strategy
Information Security Governance and Strategy
 
it grc
it grc it grc
it grc
 
Sharpening the Lens
Sharpening the LensSharpening the Lens
Sharpening the Lens
 
Corporate governance of INFORMATION TECHNOLOGY (IT)
Corporate governance of INFORMATION TECHNOLOGY (IT)Corporate governance of INFORMATION TECHNOLOGY (IT)
Corporate governance of INFORMATION TECHNOLOGY (IT)
 
CSI principles
CSI principlesCSI principles
CSI principles
 
CISM_WK_1.pptx
CISM_WK_1.pptxCISM_WK_1.pptx
CISM_WK_1.pptx
 
Professional Designations IT Assurance
Professional Designations IT AssuranceProfessional Designations IT Assurance
Professional Designations IT Assurance
 
Syllabus CIISA ( Certified Internasional Information System Auditor ).pdf
Syllabus CIISA ( Certified Internasional Information System Auditor ).pdfSyllabus CIISA ( Certified Internasional Information System Auditor ).pdf
Syllabus CIISA ( Certified Internasional Information System Auditor ).pdf
 
crisc_wk_2a.pptx
crisc_wk_2a.pptxcrisc_wk_2a.pptx
crisc_wk_2a.pptx
 
Ch1-201ASasASAsaSAsasaSAsaSAsaaa0_CISA.ppt
Ch1-201ASasASAsaSAsasaSAsaSAsaaa0_CISA.pptCh1-201ASasASAsaSAsasaSAsaSAsaaa0_CISA.ppt
Ch1-201ASasASAsaSAsasaSAsaSAsaaa0_CISA.ppt
 
Planning for security and security audit process
Planning for security and security audit processPlanning for security and security audit process
Planning for security and security audit process
 
ISO27001_COBIT_Students.pptx
ISO27001_COBIT_Students.pptxISO27001_COBIT_Students.pptx
ISO27001_COBIT_Students.pptx
 
CoBIT 5 (A brief Description)
CoBIT 5 (A brief Description)CoBIT 5 (A brief Description)
CoBIT 5 (A brief Description)
 

Dernier

Organizational Transformation Lead with Culture
Organizational Transformation Lead with CultureOrganizational Transformation Lead with Culture
Organizational Transformation Lead with CultureSeta Wicaksana
 
Famous Olympic Siblings from the 21st Century
Famous Olympic Siblings from the 21st CenturyFamous Olympic Siblings from the 21st Century
Famous Olympic Siblings from the 21st Centuryrwgiffor
 
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...Falcon Invoice Discounting
 
Cheap Rate Call Girls In Noida Sector 62 Metro 959961乂3876
Cheap Rate Call Girls In Noida Sector 62 Metro 959961乂3876Cheap Rate Call Girls In Noida Sector 62 Metro 959961乂3876
Cheap Rate Call Girls In Noida Sector 62 Metro 959961乂3876dlhescort
 
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...allensay1
 
Cracking the Cultural Competence Code.pptx
Cracking the Cultural Competence Code.pptxCracking the Cultural Competence Code.pptx
Cracking the Cultural Competence Code.pptxWorkforce Group
 
Russian Call Girls In Rajiv Chowk Gurgaon ❤️8448577510 ⊹Best Escorts Service ...
Russian Call Girls In Rajiv Chowk Gurgaon ❤️8448577510 ⊹Best Escorts Service ...Russian Call Girls In Rajiv Chowk Gurgaon ❤️8448577510 ⊹Best Escorts Service ...
Russian Call Girls In Rajiv Chowk Gurgaon ❤️8448577510 ⊹Best Escorts Service ...lizamodels9
 
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876dlhescort
 
How to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League CityHow to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League CityEric T. Tung
 
PHX May 2024 Corporate Presentation Final
PHX May 2024 Corporate Presentation FinalPHX May 2024 Corporate Presentation Final
PHX May 2024 Corporate Presentation FinalPanhandleOilandGas
 
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai KuwaitThe Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwaitdaisycvs
 
Dr. Admir Softic_ presentation_Green Club_ENG.pdf
Dr. Admir Softic_ presentation_Green Club_ENG.pdfDr. Admir Softic_ presentation_Green Club_ENG.pdf
Dr. Admir Softic_ presentation_Green Club_ENG.pdfAdmir Softic
 
Whitefield CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
Whitefield CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRLWhitefield CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
Whitefield CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRLkapoorjyoti4444
 
Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...
Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...
Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...Sheetaleventcompany
 
Eluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort Service
Eluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort ServiceEluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort Service
Eluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort ServiceDamini Dixit
 
Uneak White's Personal Brand Exploration Presentation
Uneak White's Personal Brand Exploration PresentationUneak White's Personal Brand Exploration Presentation
Uneak White's Personal Brand Exploration Presentationuneakwhite
 
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...amitlee9823
 
Call Girls Zirakpur👧 Book Now📱7837612180 📞👉Call Girl Service In Zirakpur No A...
Call Girls Zirakpur👧 Book Now📱7837612180 📞👉Call Girl Service In Zirakpur No A...Call Girls Zirakpur👧 Book Now📱7837612180 📞👉Call Girl Service In Zirakpur No A...
Call Girls Zirakpur👧 Book Now📱7837612180 📞👉Call Girl Service In Zirakpur No A...Sheetaleventcompany
 
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...amitlee9823
 

Dernier (20)

Organizational Transformation Lead with Culture
Organizational Transformation Lead with CultureOrganizational Transformation Lead with Culture
Organizational Transformation Lead with Culture
 
Famous Olympic Siblings from the 21st Century
Famous Olympic Siblings from the 21st CenturyFamous Olympic Siblings from the 21st Century
Famous Olympic Siblings from the 21st Century
 
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
 
Falcon Invoice Discounting platform in india
Falcon Invoice Discounting platform in indiaFalcon Invoice Discounting platform in india
Falcon Invoice Discounting platform in india
 
Cheap Rate Call Girls In Noida Sector 62 Metro 959961乂3876
Cheap Rate Call Girls In Noida Sector 62 Metro 959961乂3876Cheap Rate Call Girls In Noida Sector 62 Metro 959961乂3876
Cheap Rate Call Girls In Noida Sector 62 Metro 959961乂3876
 
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...
 
Cracking the Cultural Competence Code.pptx
Cracking the Cultural Competence Code.pptxCracking the Cultural Competence Code.pptx
Cracking the Cultural Competence Code.pptx
 
Russian Call Girls In Rajiv Chowk Gurgaon ❤️8448577510 ⊹Best Escorts Service ...
Russian Call Girls In Rajiv Chowk Gurgaon ❤️8448577510 ⊹Best Escorts Service ...Russian Call Girls In Rajiv Chowk Gurgaon ❤️8448577510 ⊹Best Escorts Service ...
Russian Call Girls In Rajiv Chowk Gurgaon ❤️8448577510 ⊹Best Escorts Service ...
 
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876
 
How to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League CityHow to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League City
 
PHX May 2024 Corporate Presentation Final
PHX May 2024 Corporate Presentation FinalPHX May 2024 Corporate Presentation Final
PHX May 2024 Corporate Presentation Final
 
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai KuwaitThe Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
 
Dr. Admir Softic_ presentation_Green Club_ENG.pdf
Dr. Admir Softic_ presentation_Green Club_ENG.pdfDr. Admir Softic_ presentation_Green Club_ENG.pdf
Dr. Admir Softic_ presentation_Green Club_ENG.pdf
 
Whitefield CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
Whitefield CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRLWhitefield CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
Whitefield CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
 
Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...
Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...
Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...
 
Eluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort Service
Eluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort ServiceEluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort Service
Eluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort Service
 
Uneak White's Personal Brand Exploration Presentation
Uneak White's Personal Brand Exploration PresentationUneak White's Personal Brand Exploration Presentation
Uneak White's Personal Brand Exploration Presentation
 
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
 
Call Girls Zirakpur👧 Book Now📱7837612180 📞👉Call Girl Service In Zirakpur No A...
Call Girls Zirakpur👧 Book Now📱7837612180 📞👉Call Girl Service In Zirakpur No A...Call Girls Zirakpur👧 Book Now📱7837612180 📞👉Call Girl Service In Zirakpur No A...
Call Girls Zirakpur👧 Book Now📱7837612180 📞👉Call Girl Service In Zirakpur No A...
 
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
 

Ch2 2009 cisa

  • 1. ISACA ® The recognized global leader in IT governance, control, security and assurance
  • 2. 2009 CISA® Review Course Chapter 2 IT Governance
  • 3. Course Agenda • Learning Objectives • Discuss Task and Knowledge Statements • Discuss specific topics within the chapter • Case studies • Sample questions
  • 4. Exam Relevance Ensure that the CISA candidate… Understands and can provide assurance that the organization has the structure, policies, accountability mechanisms and monitoring practices in place to achieve the requirements of corporate governance of IT. The content area in this chapter will represent approximately 15% of the CISA examination (approximately 30 questions). % of Total Exam Questions (pie chart): Chapter 1 10%; Chapter 2 15%; Chapter 3 16%; Chapter 4 14%; Chapter 5 31%; Chapter 6 14%
  • 5. Chapter 2 Learning Objectives • Evaluate the effectiveness of IT governance structure to ensure adequate board control over the decisions, directions and performance of IT, so it supports the organization's strategies and objectives • Evaluate IT organizational structure and human resources (personnel) management to ensure that they support the organization's strategies and objectives • Evaluate the IT strategy and process for their development, approval, implementation and maintenance to ensure that they support the organization's strategies and objectives
  • 6. Chapter 2 Learning Objectives (continued) • Evaluate the organization's IT policies, standards, procedures and processes for their development, approval, implementation and maintenance to ensure that they support the IT strategy and comply with regulatory and legal requirements • Evaluate management practices to ensure compliance with the organization's IT strategy, policies, standards and procedures • Evaluate IT resource investment, use and allocation practices to ensure alignment with the organization's strategies and objectives
  • 7. Chapter 2 Learning Objectives (continued) • Evaluate IT contracting strategies and policies and contract management practices to ensure that they support the organization's strategies and objectives • Evaluate risk management practices to ensure that the organization's IT-related risks are properly managed • Evaluate monitoring and assurance practices to ensure that the board and executive management receive sufficient and timely information about IT performance
  • 8. 2.2 Corporate Governance • Ethical corporate behavior by directors or others charged with governance in the creation and presentation of value for all stakeholders • The distribution of rights and responsibilities among different participants in the corporation, such as board, managers, shareholders and other stakeholders • Establishment of rules to manage and report on business risks
  • 9. 2.3 Monitoring and Assurance Practices for Board and Executive Management • Enterprises are governed by generally accepted good or best practices, the assurance of which is provided by certain controls. From these practices flows the organization’s direction, which indicates certain activities using the organization’s resources. The results of these activities are measured and reported on, providing input to the cyclical revision and maintenance of controls. • IT is also governed by good or best practices that ensure that the organization’s information and related technology support its business objectives, its resources are used responsibly, and its risks are managed appropriately.
  • 10. 2.3 Monitoring and Assurance Practices for Board and Executive Management (continued) • Effective enterprise governance focuses individual and group expertise and experience on specific areas where they can be most effective • IT governance is concerned with two issues: that IT delivers value to the business and that IT risks are managed • IT governance is the responsibility of the board of directors and executive management
  • 11. Practice Question 2-1 IT governance ensures that an organization aligns its IT strategy with: A. enterprise objectives. B. IT objectives. C. audit objectives. D. control objectives.
  • 12. 2.3.1 Best Practices for IT Governance
  • 13. 2.3.1 Best Practices for IT Governance (continued) IT governance has become significant due to: • Demands for better return from IT investments • Increases in IT expenditures • Regulatory requirements for IT controls • Selection of service providers and outsourcing • Complexity of network security • Adoptions of control frameworks • Benchmarking
  • 14. 2.3.1 Best Practices for IT Governance (continued) Audit role in IT governance • Audit plays a significant role in the successful implementation of IT governance within an organization • Reporting on IT governance involves auditing at the highest level in the organization and may cross division, functional or departmental boundaries
  • 15. 2.3.1 Best Practices for IT Governance (continued) • In accordance with the defined role of the IS auditor, the following aspects related to IT governance need to be assessed: – The IS function’s alignment with the organization’s mission, vision, values, objectives and strategies – The IS function’s achievement of performance objectives established by the business (effectiveness and efficiency) – Legal, environmental, information quality, and fiduciary and security requirements – The control environment of the organization – The inherent risks within the IS environment
  • 16. 2.3.2 IT Strategy Committee • The creation of an IT strategy committee is an industry best practice • Committee should broaden its scope to include not only advice on strategy when assisting the board in its IT governance responsibilities, but also to focus on IT value, risks and performance
  • 17. 2.3.3 Standard IT Balanced Scorecard • A process management evaluation technique that can be applied to the IT governance process in assessing IT functions and processes • Method goes beyond the traditional financial evaluation • One of the most effective means to aid the IT strategy committee and management in achieving IT and business alignment
  • 18.
  • 19. 2.3.4 Information Security Governance • Focused activity with specific value drivers – Integrity of information – Continuity of services – Protection of information assets • Integral part of IT governance • Importance of information security governance
  • 20. 2.3.4 Information Security Governance (continued) Importance of information security governance • Information security (Infosec) covers all information processes, physical and electronic, regardless of whether they involve people and technology or relationships with trading partners, customers and third parties. • Infosec is concerned with all aspects of information and its protection at all points of its life cycle within the organization.
  • 21. 2.3.4 Information Security Governance (continued) Effective information security can add significant value to an organization by: • Providing greater reliance on interactions with trading partners • Improving trust in customer relationships • Protecting the organization’s reputation • Enabling new and better ways to process electronic transactions
  • 22. 2.3.4 Information Security Governance (continued) Outcomes of security governance • Strategic alignment—align with business strategy • Risk management—manage and execute appropriate measures to mitigate risks • Value delivery—optimize security investments • Performance measurement—measure, monitor and report on information security processes • Resource management—utilize information security knowledge and infrastructure efficiently and effectively • Process integration—integration of management assurance processes for security
  • 23. 2.3.4 Information Security Governance (continued) Effective information security governance • To achieve effective information security governance, management must establish and maintain a framework to guide the development and management of a comprehensive information security program that supports business objectives • This framework provides the basis for the development of a cost-effective information security program that supports the organization’s business goals.
  • 24. 2.3.4 Information Security Governance (continued) Information security governance requires strategic direction and impetus from: • Boards of directors / senior management • Executive management • Steering committees • Chief information security officers
  • 25. 2.3.5 Enterprise Architecture • Involves documenting an organization’s IT assets in a structured manner to facilitate understanding, management and planning for IT investments • Often involves both a current state and optimized future state representation
  • 26. 2.3.5 Enterprise Architecture (continued) The Basic Zachman Framework (matrix): columns (perspectives) • Data • Functional • Network • People • Process • Strategy; rows (levels of abstraction) • Scope • Enterprise Model • Systems Model • Technology Model • Detailed Representation
  • 27. 2.3.5 Enterprise Architecture (continued) The Federal Enterprise Architecture (FEA) hierarchy: • Performance • Business • Service component • Technical • Data
  • 28. 2.4.1 Strategic Planning • From an IS standpoint, strategic planning relates to the long-term direction an organization wants to take in leveraging information technology for improving its business processes • Effective IT strategic planning involves a consideration of the organization’s demand for IT and its IT supply capacity
  • 29. 2.4.1 Strategic Planning (continued) • The IS auditor should pay attention to the importance of IT strategic planning • Focus on the importance of a strategic planning process or planning framework • Consider how the CIO or senior IT management are involved in the creation of the overall business strategy
  • 30. Practice Question 2-2 Which of the following would be included in an IS strategic plan? A. Specifications for planned hardware purchases B. Analysis of future business objectives C. Target dates for development projects D. Annual budgetary targets for the IS department
  • 31. Practice Question 2-3 Which of the following BEST describes an IT department’s strategic planning process? A. The IT department will have either short-range or long-range plans depending on the organization’s broader plans and objectives. B. The IT department’s strategic plan must be time- and project-oriented, but not so detailed as to address and help determine priorities to meet business needs. C. Long-range planning for the IT department should recognize organizational goals, technological advances and regulatory requirements. D. Short-range planning for the IT department does not need to be integrated into the short-range plans of the organization since technological advances will drive the IT department plans much quicker than organizational plans.
  • 32. 2.4.2 Steering Committee • An organization’s senior management should appoint a planning or steering committee to oversee the IS function and its activities • A high-level steering committee for information technology is an important factor in ensuring that the IS department is in harmony with the corporate mission and objectives
  • 33. 2.5.1 Policies • High-level documents • Represent the corporate philosophy of an organization • Must be clear and concise to be effective
  • 34. 2.5.1 Policies (continued) • Management should review all policies carefully • Policies need to be updated to reflect new technology and significant changes in business processes • Policies formulated must enable achievement of business objectives and implementation of IS controls
  • 35. 2.5.1 Policies (continued) Information security policies • Communicate a coherent security standard to users, management and technical staff • Must balance the level of control with the level of productivity • Provide management the direction and support for information security in accordance with business requirements, relevant laws and regulations
  • 36. 2.5.1 Policies (continued) Information security policy document • Definition of information security • Statement of management intent • Framework for setting control objectives • Brief explanation of security policies • Definition of responsibilities • References to documentation
  • 37. 2.5.1 Policies (continued) Policy groups to be addressed • High-level information security policy • Data classification policy • Acceptable usage policy • End user computing policy • Access control policies
  • 38. 2.5.1 Policies (continued) Review of the information security policy document • Should be reviewed at planned intervals or when significant changes occur to ensure its continuing suitability, adequacy and effectiveness • Should have an owner who has approved management responsibility for the development, review and evaluation of the security policy • Review should include assessing opportunities for improvement to the organization’s information security policy
  • 39. 2.5.2 Procedures Procedures are detailed documents that: • Define and document the implementation of policies • Must be derived from the parent policy • Must implement the spirit (intent) of the policy statement • Must be written in a clear and concise manner
  • 40. 2.6 Risk Management The process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives
  • 41. 2.6.1 Developing a Risk Management Program To develop a risk management program: • Establish the purpose of the risk management program • Assign responsibility for the risk management plan
  • 42. 2.6.2 Risk Management Process • Identification and classification of information resources or assets that need protection • Assess threats and vulnerabilities and the likelihood of their occurrence • Once the elements of risk have been established they are combined to form an overall view of risk
  • 43. 2.6.2 Risk Management Process (continued) • Evaluate existing controls or design new controls to reduce the vulnerabilities to an acceptable level of risk • Residual risk
  • 44. 2.6.2 Risk Management Process (continued) IT risk management needs to operate at multiple levels including: • Operational—Risks that could compromise the effectiveness of IT systems and supporting infrastructure • Project—Risk management needs to focus on the ability to understand and manage project complexity • Strategic—The risk focus shifts to considerations such as how well the IT capability is aligned with the business strategy
  • 45. 2.6.3 Risk Analysis Methods • Qualitative • Semiquantitative • Quantitative – Probability and expectancy – Annual loss expectancy method
  • 46. 2.6.3 Risk Analysis Methods (continued) Management and IS auditors should keep in mind certain considerations: • Risk management should be applied to IT functions throughout the company • Risk management is a senior management responsibility • Quantitative RM is preferred over qualitative approaches • Quantitative RM always faces the challenge of estimating risks • Quantitative RM provides more objective assumptions • The real complexity or the apparent sophistication of the methods or packages used should not be a substitute for common sense or professional diligence • Special care should be given to very high impact events, even if the probability of occurrence over time is very low.
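The annual loss expectancy method named on the previous slide, worked through in code. This is an added example, not material from the CISA Review Manual or ISACA: the scenario names, asset values, exposure factors, occurrence rates and control cost are constructed figures chosen to show the arithmetic. It also shows the last consideration above in practice: a catastrophic single loss with a very low rate yields an unremarkable ALE, so the example flags such events by single loss expectancy separately from the ALE ranking.

```python
"""Quantitative risk analysis with the annual loss expectancy (ALE) method.

Added illustration; this is not code from the CISA Review Manual or ISACA.
Asset values, exposure factors, occurrence rates and control costs are
constructed figures chosen to show the arithmetic, not data from any real
assessment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float      # value of the asset at risk, in currency units
    exposure_factor: float  # fraction of asset value lost in one occurrence (0..1)
    aro: float              # annualised rate of occurrence (expected events per year)

    @property
    def sle(self) -> float:
        """Single loss expectancy: loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annual loss expectancy: SLE multiplied by ARO."""
        return self.sle * self.aro


def rank_by_ale(scenarios):
    """Scenario names ordered from highest to lowest expected annual loss."""
    return [s.name for s in sorted(scenarios, key=lambda s: s.ale, reverse=True)]


def control_value(before: Scenario, after: Scenario, annual_control_cost: float) -> float:
    """Net annual value of a control: ALE reduction minus the control's yearly cost.
    A positive result means the control pays for itself on an expected-value basis."""
    return before.ale - after.ale - annual_control_cost


def tail_risk_flags(scenarios, sle_threshold: float):
    """Scenarios whose single-event loss exceeds the threshold, whatever their ALE.
    Multiplying a catastrophic SLE by a tiny ARO yields a modest ALE, which is why
    ranking by ALE alone can bury the events that most need management attention."""
    return [s.name for s in scenarios if s.sle > sle_threshold]


# Constructed scenarios (hypothetical figures, not from any real assessment).
LAPTOP = Scenario("Laptop theft (unencrypted)", asset_value=20_000, exposure_factor=0.5, aro=2.0)
LAPTOP_ENCRYPTED = Scenario("Laptop theft (full-disk encryption)", 20_000, 0.125, 2.0)
FIRE = Scenario("Data centre fire", asset_value=5_000_000, exposure_factor=0.8, aro=0.02)
PHISHING = Scenario("Phishing credential theft", asset_value=200_000, exposure_factor=0.25, aro=4.0)
SCENARIOS = [LAPTOP, FIRE, PHISHING]

if __name__ == "__main__":
    for s in SCENARIOS:
        print(f"{s.name:32} SLE={s.sle:>12,.0f} ARO={s.aro:<5} ALE={s.ale:>10,.0f}")
    print("Ranked by ALE:", rank_by_ale(SCENARIOS))
    print("Encryption control, net annual value:", control_value(LAPTOP, LAPTOP_ENCRYPTED, 5_000))
    print("High-impact events needing separate treatment:", tail_risk_flags(SCENARIOS, 1_000_000))
```

With these figures the fire scenario ranks below phishing on ALE (80,000 against 200,000) even though one occurrence would cost 4,000,000; the threshold check is what keeps it in front of management. The control comparison is the usual justification for a safeguard: the encryption control's expected saving (15,000 a year) exceeds its assumed 5,000 annual cost, which is the kind of figure an IS auditor would expect to see behind a risk acceptance decision.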
  • 47. 2.7.1 Personnel Management • Hiring • Employee handbook • Promotion policies • Training • Scheduling and time reporting • Employee performance evaluations • Required vacations • Termination policies
  • 48. 2.7.2 Sourcing Practices • Sourcing practices relate to the way an organization obtains the IS function required to support the business • Organizations can perform all IS functions in-house or outsource all functions across the globe • Sourcing strategy should consider each IS function and determine which approach allows the IS function to meet the organization’s goals
  • 49. 2.7.2 Sourcing Practices (continued) Outsourcing practices and strategies • Contractual agreements under which an organization hands over control of part or all of the functions of the IS department to an external party • Becoming increasingly important in many organizations • The IS auditor must be aware of the various forms outsourcing can take as well as the associated risks
  • 50. 2.7.2 Sourcing Practices (continued) Possible advantages: • Commercial outsourcing companies likely to devote more time and focus more efficiently on a given project than in-house staff • Outsourcing vendors likely to have more experience with a wider array of problems, issues and techniques Possible disadvantages: • Costs exceeding customer expectations • Loss of internal IS experience • Loss of control over IS • Vendor failure
  • 51. 2.7.2 Sourcing Practices (continued) Risks can be reduced by: • Establishing measurable, partnership-enacted shared goals and rewards • Using multiple suppliers or withholding a piece of business as an incentive • Performing periodic competitive reviews and benchmarking/bench trending • Implementing short-term contracts • Forming a cross-functional contract management team • Including contractual provisions to consider as many contingencies as can reasonably be foreseen
  • 52. 2.7.2 Sourcing Practices (continued) Globalization practices and strategies • Requires management to actively oversee the remote or offshore locations • The IS auditor can assist an organization in moving IS functions offsite or offshore by ensuring that IS management considers the following: – Legal, regulatory and tax issues – Continuity of operations – Personnel – Telecommunication issues – Cross-border and cross-cultural issues
  • 53. 2.7.2 Sourcing Practices (continued) Governance in outsourcing • Mechanism that allows organizations to transfer the delivery of services to third parties • Accountability remains with the management of the client organization • Transparency and ownership of the decision-making process must reside within the purview of the client
  • 54. 2.7.2 Sourcing Practices (continued) Third-party service delivery management • Every organization using the services of third parties should have a service delivery management system in place to implement and maintain the appropriate level of information security and service delivery in line with third-party service delivery agreements • The organization should check the implementation of agreements, monitor compliance with the agreements and manage changes to ensure that the services delivered meet all requirements agreed to with the third party.
  • 55. 2.7.3 Organizational Change Management What is change management? • Managing IT changes for the organization – Identify and apply technology improvements at the infrastructure and application level
  • 56. 2.7.5 Quality Management • Software development, maintenance and implementation • Acquisition of hardware and software • Day-to-day operations • Service management • Security • Human resource management • General administration
  • 57. Practice Question 2-4 The MOST important responsibility of a data security officer in an organization is: A. recommending and monitoring data security policies. B. promoting security awareness within the organization. C. establishing procedures for IT security policies. D. administering physical and logical access controls.
  • 58. Practice Question 2-5 Which of the following is MOST likely to be performed by the security administrator? A. Approving the security policy B. Testing application software C. Ensuring data integrity D. Maintaining access rules
  • 59. 2.7.7 Performance Optimization • Process driven by performance indicators • Optimization refers to the process of improving the productivity of information systems to the highest level possible without unnecessary, additional investment in the IT infrastructure
  • 60. 2.7.7 Performance Optimization (continued) Five ways to use performance measures: • Measure products/services • Manage products/services • Assure accountability • Make budget decisions • Optimize performance
  • 61. Practice Question 2-6 An IS auditor should ensure that IT governance performance measures: A. evaluate the activities of IT oversight committees. B. provide strategic IT drivers. C. adhere to regulatory reporting standards and definitions. D. evaluate the IT department.
  • 62. 2.8 IS Organizational Structure and Responsibilities
  • 63. 2.8.1 IS Roles and Responsibilities • Systems development manager • Help desk • End user • End user support manager
  • 64. 2.8.1 IS Roles and Responsibilities (continued) • Data management • Quality assurance manager • Vendor and outsourcer management • Operations manager
  • 65. 2.8.1 IS Roles and Responsibilities (continued) • Control group • Media management • Data entry • Systems administration
  • 66. 2.8.1 IS Roles and Responsibilities (continued) • Security administration • Quality assurance • Database administration
  • 67. 2.8.1 IS Roles and Responsibilities (continued) • Systems analyst • Security architect • Applications development and maintenance • Infrastructure development and maintenance • Network management
  • 68. 2.8.2 Segregation of Duties Within IS • Avoids possibility of errors or misappropriations • Discourages fraudulent acts • Limits access to data
  • 69. 2.8.2 Segregation of Duties Within IS (continued)
  • 70. Practice Question 2-7 Which of the following tasks may be performed by the same person in a well-controlled information processing computer center? A. Security administration and change management B. Computer operations and system development C. System development and change management D. System development and systems maintenance
  • 71. Practice Question 2-8 Which of the following is the MOST critical control over database administration? A. Approval of DBA activities B. Segregation of duties C. Review of access logs and activities D. Review of the use of database tools
  • 72. 2.8.3 Segregation of Duties Controls Control measures to enforce segregation of duties include: • Transaction authorization • Custody of assets • Access to data – Authorization forms – User authorization tables
  • 73. 2.8.3 Segregation of Duties Controls (continued) Compensating controls for lack of segregation of duties include: • Audit trails • Reconciliation • Exception reporting • Transaction logs • Supervisory reviews • Independent reviews
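The compensating controls listed above (audit trails, transaction logs, exception reporting, supervisory review) only work if someone actually turns the log into exceptions a supervisor can review. The following is an added example of that exception report, not code from the CISA Review Manual or ISACA. The program-change log format (timestamp, change id, event=commit/approve/deploy, actor=...) and every sample line in it are constructed for this illustration; a real report would read the export of the change-management or version-control system in use.

```python
"""Segregation-of-duties exception report over a program-change log.

Added illustration; not code from the CISA Review Manual or ISACA. The log
format (timestamp, change id, event=..., actor=...) and the sample lines are
constructed for this example; adapt the regex to a real change-management or
version-control export.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<change>CHG-\d+)\s+event=(?P<event>\w+)\s+actor=(?P<actor>\w+)$"
)

# Constructed sample log. Comments after '#' mark the control weakness each line exercises.
SAMPLE_LOG = """
2009-03-02T10:14Z CHG-1041 event=commit  actor=alice
2009-03-02T11:02Z CHG-1041 event=approve actor=bob
2009-03-02T15:30Z CHG-1041 event=deploy  actor=carol   # clean: three different people
2009-03-03T09:00Z CHG-1042 event=commit  actor=dave
2009-03-03T09:05Z CHG-1042 event=approve actor=dave    # developer approved own change
2009-03-03T09:10Z CHG-1042 event=deploy  actor=dave    # developer promoted own change
2009-03-04T14:20Z CHG-1043 event=commit  actor=alice
2009-03-04T16:00Z CHG-1043 event=deploy  actor=erin    # no approval recorded at all
2009-03-05T10:00Z CHG-1044 event=commit  actor=frank
2009-03-05T10:30Z CHG-1044 event=deploy  actor=grace   # deployed before the approval below
2009-03-05T11:00Z CHG-1044 event=approve actor=bob
"""


def parse_log(text):
    """Group log lines by change id as lists of (timestamp, event, actor)."""
    by_change = defaultdict(list)
    for raw in text.strip().splitlines():
        line = raw.split("#", 1)[0].strip()  # drop the explanatory comment
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable log line: {raw!r}")
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%MZ")
        by_change[m["change"]].append((ts, m["event"], m["actor"]))
    return dict(by_change)


def sod_exceptions(by_change):
    """Apply the separation rules and return (change_id, finding) pairs.

    Rules: a change must be approved before it reaches production, and the
    person who wrote it must neither approve it nor promote it to production."""
    findings = []
    for change, events in sorted(by_change.items()):
        events = sorted(events)  # chronological order
        developers = {actor for _, event, actor in events if event == "commit"}
        approvals = [(ts, actor) for ts, event, actor in events if event == "approve"]
        deploys = [(ts, actor) for ts, event, actor in events if event == "deploy"]
        if deploys and not approvals:
            findings.append((change, "deployed without approval"))
        for _, approver in approvals:
            if approver in developers:
                findings.append((change, f"self-approval by {approver}"))
        for deploy_ts, deployer in deploys:
            if deployer in developers:
                findings.append((change, f"developer {deployer} deployed own change"))
            if approvals and deploy_ts < min(ts for ts, _ in approvals):
                findings.append((change, "deployed before approval"))
    return findings


if __name__ == "__main__":
    for change, finding in sod_exceptions(parse_log(SAMPLE_LOG)):
        print(f"{change}: {finding}")
```

In a small organization of the kind described in Practice Question 2-10, where one person is both operator and programmer, the "developer deployed own change" rule will fire on nearly every change; that is expected. The compensating control is not the report itself but the independent supervisory review of each listed exception against the approved change request, which is why the report records who did what and when rather than simply blocking the deployment.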
  • 74. Practice Question 2-9 When a complete segregation of duties cannot be achieved in an online system environment, which of the following functions should be separated from the others? A. Origination B. Authorization C. Recording D. Correction
  • 75. Practice Question 2-10 In a small organization, where segregation of duties is not practical, an employee performs the function of computer operator and application programmer. Which of the following controls should an IS auditor recommend? A. Automated logging of changes to development libraries B. Additional staff to provide segregation of duties C. Procedures that verify that only approved program changes are implemented D. Access controls to prevent the operator from making program modifications
  • 76. 2.9 Auditing IT Governance Structure and Implementation Indicators of potential problems include: • Unfavorable end-user attitudes • Excessive costs • Budget overruns • Late projects • High staff turnover • Inexperienced staff • Frequent hardware/software errors
  • 77. 2.9.1 Reviewing Documentation The following documents should be reviewed: • IT strategies, plans and budgets • Security policy documentation • Organization/functional charts • Job descriptions • Steering committee reports • System development and program change procedures • Operations procedures • Human resource manuals • Quality assurance procedures
  • 78. 2.9.2 Reviewing Contractual Commitments There are various phases to computer hardware, software and IS service contracts, including: • Development of contract requirements and service levels • Contract bidding process • Contract selection process • Contract acceptance • Contract maintenance • Contract compliance
  • 79. Case Study A Scenario An IS auditor has been asked to review the draft of an outsourcing contract and SLA and recommend any changes or point out any concerns prior to these being submitted to senior management for final approval. The agreement includes outsourcing support of Windows and UNIX server administration and network management to a third party. Servers will be relocated to the outsourcer’s facility that is located in another country, and connectivity will be established using the Internet. Operating system software will be upgraded on a semiannual basis, but it will not be escrowed. All requests for addition or deletion of user accounts will be processed within three business days.
  • 80. Case Study A Scenario (continued) Intrusion detection software will be continuously monitored by the outsourcer and the customer notified by e-mail if any anomalies are detected. New employees hired within the last three years were subject to background checks. Prior to that, there was no policy in place. A right to audit clause is in place, but 24-hour notice is required prior to an onsite visit. If the outsourcer is found to be in violation of any of the terms or conditions of the contract, it will have 10 business days to correct the deficiency. The outsourcer does not have an IS auditor, but it is audited by a regional public accounting firm.
  • 81. Case Study A Question 1. Which of the following should be of MOST concern to the IS auditor? A. User account changes are processed within three business days. B. Twenty-four hour notice is required prior to an onsite visit. C. The outsourcer does not have an IS audit function. D. Software escrow is not included in the contract.
  • 82. Case Study A Question 2. Which of the following would be the MOST significant issue to address if the servers contain personally identifiable customer information that is regularly accessed and updated by end users? A. The country in which the outsourcer is based prohibits the use of strong encryption for transmitted data. B. The outsourcer limits its liability if it took reasonable steps to protect the customer data. C. The outsourcer did not perform background checks for employees hired over three years ago. D. System software is only upgraded once every six months.
  • 83. Conclusion • Chapter 2 Quick Reference Review – Pages 127-128 of CISA Review Manual 2009 • Additional Case Studies – Case Study B – page 130 of CISA Review Manual 2009 – Case Study C – page 131 of CISA Review Manual 2009 – Case Study D – page 132 of CISA Review Manual 2009

Editor's notes

  1. Instructor Directions: Advise participants that the course will be interactive and will include “audience participation”, breakout sessions, practice questions, assignments and references to additional study resources. Exam Preparation resources: CISA Review Manual 2009 CISA QAE 2009 CISA QAE Supplement 2009
  2. Content to Emphasize: The content area in this chapter will represent approximately 15% of the CISA examination   Review Manual Reference Pages: p. 77 
  3. Instructor Directions: Task and knowledge statements represent the basis from which exam items are written. The learning objectives are what the IS auditors/CISA candidates are expected to know to perform their job duties. In order to perform all of the tasks, the IS auditor/CISA candidate should have a firm grasp of all the knowledge statements found in the CISA Review Manual. Content to Emphasize: For more detailed information on how each knowledge statement maps back to the task statements, please refer to Exhibit 2.1—Tasks and Knowledge Statements Mapping. Review Manual reference pages: pgs. 77-80
  4. Instructor Directions: The learning objectives are what IS auditors/CISA candidates are expected to know to perform their job duties. In order to perform all of the tasks, the IS auditor/CISA candidate should have a firm grasp of all the knowledge statements found in the manual.   Content to Emphasize: For more detailed information on how each knowledge statement maps back to the task statements, please refer to Exhibit 2.1—Tasks and Knowledge Statements Mapping. Review Manual Reference Pages: pgs. 77-80
  5. Instructor Directions: The learning objectives are what IS auditors/CISA candidates are expected to know to perform their job duties. In order to perform all of the tasks, the IS auditor/CISA candidate should have a firm grasp of all the knowledge statements found in the manual.   Content to Emphasize: For more detailed information on how each knowledge statement maps back to the task statements, please refer to Exhibit 2.1—Tasks and Knowledge Statements Mapping. Review Manual Reference Pages: pgs. 77-80
  6. Instructor Directions: Discuss the overall concept of corporate governance. Content to Emphasize: The Organisation for Economic Co-operation and Development (OECD) states: "Corporate governance involves a set of relationships between a company’s management, its board, its shareholders and other stakeholders. Corporate governance also provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined. Good corporate governance should provide proper incentives for the board and management to pursue objectives that are in the interests of the company and its shareholders and should facilitate effective monitoring.” (OECD 2004, OECD Principles of Corporate Governance, p. 11) With respect to public governance, the OECD states: “Good, effective public governance helps to strengthen democracy and human rights, promote economic prosperity and social cohesion, reduce poverty, enhance environmental protection and the sustainable use of natural resources, and deepen confidence in government and public administration.” (OECD website on Public Governance and Management). Review Manual Reference Pages: p. 80
  7. Review Manual Reference Pages: p. 81
  8. Content to Emphasize: Information technology is now regarded as an integral part of that strategy. C-suite executives agree that strategic alignment between IT and enterprise objectives is a critical success factor. Information technology is so critical to the success of enterprises that it cannot be relegated to either IT management or IT specialists, but must receive the attention of both, in coordination with senior management. IT governance is the responsibility of the board of directors and executive management. A key element of IT governance is the alignment of business and IT, leading to the achievement of business value. The key IT governance practices are IT strategy committee, risk management and standard IT balanced scorecard.   Review Manual Reference Pages: p. 81
  9. The correct answer is A. IT governance ensures that the organization aligns its IT strategy with the enterprise/business objectives. Choices B, C and D are too limited. Review Manual Reference Pages: p. 133
  10. Content to Emphasize:   IT governance structure IT governance purpose and integration Corporate governance Review Manual Reference Pages: p. 82
  11. Review Manual Reference Pages: p. 82
  12. Content to Emphasize: The IS auditor should confirm that the terms of reference state the: • Scope of the work • Reporting line to be used • IS auditor’s right of access to information    Review Manual Reference Pages: p. 83
  13. Content to Emphasize: The organizational status and skill sets of the IS auditor should be considered for appropriateness with regard to the nature of the planned audit.   Review Manual Reference Pages: p. 83
  14. Review Manual Reference Pages: p. 83
  15. Content to Emphasize: Discuss the three-layered structure used in addressing the four perspectives for an IT Balanced Scorecard: Mission Strategies Measures   Review Manual Reference Pages: pgs. 83-85
  16. Instructor Directions: Discuss the roles and responsibilities of the IT Steering and Strategy Committees. Review Manual Reference Pages: p. 84
  17. Review Manual Reference Pages: p. 85
  18. Content to Emphasize: One of the major trends: outsourcing of in-house processes. Note: Information security coverage extends beyond the geographic boundary of the organization’s premises in onshoring and offshoring models being adopted by organizations. This trend has changed the way in which information security is managed.   Review Manual Reference Pages: pgs. 85-86
  19.   Review Manual Reference Pages: p. 87
  20. Review Manual Reference Pages: p. 87
  21. Content to Emphasize: The governance framework will generally consist of: • A comprehensive security strategy intrinsically linked with business objectives • Governing security policies that address each aspect of strategy, controls and regulation • A complete set of standards for each policy to ensure procedures and guidelines comply with policy • An effective security organizational structure void of conflicts of interest   Review Manual Reference Pages: p. 88
  22. Review Manual Reference Pages: pgs. 88-89
  23. Instructor Directions:   The exhibit (2.4) on Relationships of Security Governance Outcomes to Management Responsibilities is not specifically tested in the CISA exam but is information a CISA should be aware of. Content to Emphasize: The current focus on EA is a response to the increasing complexity of IT, the complexity of modern organizations, and an enhanced focus on aligning IT with business strategy and ensuring IT investments deliver real returns. Review Manual Reference Pages: p. 89
  24. Content to Emphasize: The ultimate objective is to complete all cells of the matrix. The idea is to provide guidance on issues such as: whether and when to use advanced technical environments how to better connect intra- and interorganizational systems how to “web enable” legacy and enterprise resource planning (ERP) applications whether to insource or outsource IT functions   Review Manual Reference Pages: pgs. 90-91
  25. Content to Emphasize: The FEA has a hierarchy of five reference models: • Performance reference model—A framework to measure the performance of major IT investments and their contribution to program performance • Business reference model—A function-driven framework that describes the functions and subfunctions performed by the government, independent of the agencies that actually perform them • Service component reference model—A functional framework that classifies the service components that support business and performance objectives • Technical reference model—A framework that describes how technology supports the delivery, exchange and construction of service components • Data reference model—While still being developed, this will describe the data and information that support program and business line operations   Review Manual Reference Pages: p. 91
  26. Content to Emphasize:   The importance of developing strategic plans What makes a plan effective Who creates the plan   Review Manual Reference Pages: p. 92
  27. Content to Emphasize: Discuss the IS auditor’s role in evaluating the strategic plan, process and framework Consider how the CIO or senior IT management are involved in the creation of the overall business strategy Repercussions of poor strategic plans/processes   Review Manual Reference Pages: p. 92
  28. The correct answer is B. IS strategic plans must address the needs of the business and meet future business objectives. Hardware purchases may be outlined, but not specified, and neither budget targets nor development projects are relevant choices. Choices A, C and D are not strategic items. Review Manual Reference Pages: p. 133
  29. The correct answer is C. Long-range planning for the IT department should recognize organizational goals, technological advances and regulatory requirements. Typically, the IT department will have long-range and short-range plans that are consistent and integrated with the organization’s plans. These plans must be time- and project-oriented, as well as address the organization’s broader plans toward attaining its goals. Review Manual Reference Pages: p. 133
  30. Instructor Directions: Consider that the responsibilities will vary from organization to organization and that the responsibilities listed here are the most common ones of the steering committee. The CISA candidate should know the purpose of the IS steering committee and its major responsibilities. Content to Emphasize: Primary functions performed by this committee include: • Review the long- and short-range plans of the IS department to ensure that they are in accordance with the corporate objectives. • Review and approve major acquisitions of hardware and software within the limits approved by the board of directors. • Approve and monitor major projects and the status of IS plans and budgets, establish priorities, approve standards and procedures, and monitor overall IS performance. • Review and approve sourcing strategies for select, or all, IS activities, including insourcing or outsourcing, and the globalization or offshoring of functions. • Review adequacy of resources and allocation of resources in terms of time, personnel and equipment. • Make decisions regarding centralization vs. decentralization and assignment of responsibility. • Support development and implementation of an enterprisewide information security management program. • Report to the board of directors on IS activities. Review Manual Reference Pages: p. 93
  31. Instructor Directions: Discuss advantages and disadvantages of top-down and bottom-up approaches to developing policies. Content to Emphasize: Policies represent the corporate philosophy of an organization and the strategic thinking of senior management and the business process owners. Individual divisions and departments should define lower-level policies. The lower-level policies should be consistent with the corporate-level policies. These would apply to the employees and operations of these units, and would focus at the operational level. Review Manual Reference Pages: p. 94
  32. Content to Emphasize: IS auditors should: • reach an understanding of policies as part of the audit process • test policies for compliance • consider the extent to which the policies apply to third parties or outsourcers, the extent to which those parties comply with the policies, and whether the third parties’ or outsourcers’ own policies conflict with the organization’s policies. Review Manual Reference Pages: p. 94
  33. Review Manual Reference Pages: p. 95
  34. Review Manual Reference Pages: p. 95
  35. Content to Emphasize: High-level Information Security Policy: This policy should include statements on confidentiality, integrity and availability. Data Classification Policy: This policy should describe the classifications, levels of control at each classification and responsibilities of all potential users including ownership. Acceptable Usage Policy: There must be a comprehensive policy that includes information for all information resources (HW/SW, Networks, Internet, etc.) and describes the organizational permissions for the usage of IT and information-related resources. End User Computing Policy: This policy describes the parameters and usage of desktop tools by users. Access Control Policies: This policy describes the method for defining and granting access to users to various IT resources Review Manual Reference Pages: pgs. 95-96
  36. Instructor Directions: The IS auditor should be aware of what needs to be reviewed during an assessment of an Information Security Policy. Content to Emphasize: The input to the management review should include: • Feedback from interested parties • Results of independent reviews • Status of preventive and corrective actions • Results of previous management reviews • Process performance and information security policy compliance • Changes that could affect the organization’s approach to managing information security, including changes to the organizational environment; business circumstances; resource availability; contractual, regulatory and legal conditions; or technical environment • Use of outsourcing or offshoring of IT or business functions • Trends related to threats and vulnerabilities • Reported information security incidents • Recommendations provided by relevant authorities Review Manual Reference Pages: p. 96
  37. Content to Emphasize: An independent review is necessary to ensure that policies and procedures have been properly documented, understood and implemented   Review Manual Reference Pages: p. 97
  38. Review Manual Reference Pages: p. 97
  39. Review Manual Reference Pages: p. 98
  40. Content to Emphasize: Examples of typical assets associated with information and IT include: • Information and data • Hardware • Software • Services • Documents • Personnel   Common classes of threats are: • Errors • Malicious damage/attack • Fraud • Theft • Equipment/software failure Review Manual Reference Pages: p. 98
  41. Content to Emphasize: Final acceptance of residual risks takes into account: • Organizational policy • Risk identification and measurement • Uncertainty incorporated in the risk assessment approach • Cost and effectiveness of implementation Review Manual Reference Pages: p. 99
  42. Instructor Directions: Discuss the different risk management levels.   Review Manual Reference Pages: p. 99
  43. Review Manual Reference Pages: p. 100
  44. Review Manual Reference Pages: p. 101
  45. Instructor Directions: The IS auditor should be aware of personnel management issues but this information is not tested in the CISA exam due to its subjectivity and organizational-specific subject matter. Review Manual Reference Pages: pgs. 101-104
  46. Instructor Directions: Discuss how IS functions can be delivered.   Content to Emphasize: Delivery of IS functions can include: • Insourced—Fully performed by the organization’s staff • Outsourced—Fully performed by the vendor’s staff • Hybrid—Performed by a mix of the organization’s and vendor’s staff; can include joint ventures/supplemental staff IS functions can be performed across the globe, taking advantage of time zones and arbitraging labor rates, and can include: • Onsite—Staff work onsite in the IS department • Offsite—Also known as nearshore, staff work at a remote location in the same geographical area • Offshore—Staff work at a remote location in a different geographic region Review Manual Reference Pages: p. 104
  47. Content to Emphasize:   Reasons for outsourcing include: • A desire to focus on core activities • Pressure on profit margins • Increasing competition that demands cost savings • Flexibility with respect to both organization and structure The services provided by a third party can include: • Data entry • Design and development of new systems in the event that the in-house staff does not have the requisite skills or is otherwise occupied in higher-priority tasks, or in the event of a one-time task in which case there is no need to recruit additional in-house skilled staff • Maintenance of existing applications to free in-house staff to develop new applications • Conversion of legacy applications to new platforms. For example, a specialist company may web-enable the front end of an old application. • Operating the help desk or the call center • Operations processing Review Manual Reference Pages: Pgs. 104-105
  48. Review Manual Reference Pages: pgs. 105-106
49. Instructor Directions: Discuss how risks can be reduced.
Content to Emphasize:
SLAs:
• are a contractual means of helping the IS department to manage information resources under the control of a vendor.
• stipulate and commit a vendor to a required level of service and support options.
• should serve as an instrument of control.
Where the outsourcing vendor is from another country, the organization should be aware of cross-border legislation.
Review Manual Reference Pages: p. 106
  50. Review Manual Reference Pages: p. 107
  51. Review Manual Reference Pages: p. 108
  52. Review Manual Reference Pages: pgs. 109-110
  53. Review Manual Reference Pages: p. 111
54. Instructor Directions: The IS auditor should be aware of quality management. However, the CISA exam does not test specifics on any ISO standards. Review Manual Reference Pages: pgs. 111-113
55. The correct answer is A. A data security officer’s prime responsibility is recommending and monitoring data security policies. Promoting security awareness within the organization is one of the responsibilities of a data security officer, but it is not as important as recommending and monitoring data security policies. The IT department, not the data security officer, is responsible for establishing procedures for IT security policies recommended by the data security officer and for the administration of physical and logical access controls. Review Manual Reference Pages: p. 133
56. The correct answer is D. Maintaining access rules over data and IT resources is one of the primary functions of the security administrator. Approving the security policy is the responsibility of senior management. Maintaining and implementing this is the responsibility of the security administrator. Testing application software is the function of the programmer or user. Ensuring data integrity is the responsibility of the user and processing controls built into the application. Review Manual Reference Pages: p. 133
57. Content to Emphasize:
The broad phases of performance measurement are:
• Establishing and updating performance measures
• Establishing accountability for performance measures
• Gathering and analyzing performance data
• Reporting and using performance information
Caveats of performance measurement include:
• Model—A model is built or established first to evaluate the performance and alignment with the business objectives.
• Measurement error—Conventional measures do not properly account for the true inputs and outputs.
• Lags—Time lags between expense and benefit are not properly accounted for in current measures.
• Redistribution—IT is used to redistribute the source of costs in firms; there is no difference in total output, only in the means of getting it.
• Mismanagement—The lack of explicit measures of the value of information makes resources vulnerable to misallocation and overconsumption by managers.
As a result, proper performance measurement techniques will play an increasing role for program managers and investment review boards.
Review Manual Reference Pages: pgs. 114-115
58. Content to Emphasize:
COBIT management guidelines are primarily designed to meet the needs of IT management for performance measurement. Goals and metrics and maturity models are provided for each of the 34 IT processes. These are generic and action-oriented for the purpose of addressing the following types of management concerns:
• Performance measurement—What are the indicators of good performance?
• IT control profiling—What is important? What are the critical success factors for control?
• Awareness—What are the risks of not achieving our objectives?
• Benchmarking—What do others do? How are they measured and compared?
From a control perspective, the management guidelines address the key issue of determining the right level of control for IT such that it supports the objectives of the enterprise.
Review Manual Reference Pages: p. 115
59. The correct answer is A. Evaluating the activities of boards and committees providing oversight is an important aspect of governance and should be measured. Choices B, C and D are all irrelevant to the evaluation of IT governance performance measures. Review Manual Reference Pages: p. 133
  60. Instructor Directions: The CISA exam does not test specific job responsibilities since they might vary within organizations. However, universally known responsibilities such as the business owners, information security functions and executive management might be tested, especially when testing access controls and data ownership. The IS auditor should be familiar with separation of duties. Review Manual Reference Pages: p. 116
61. Instructor Directions: Explain the responsibilities of each role. Review Manual Reference Pages: pgs. 116-117
62. Content to Emphasize:
Quality assurance manager—Responsible for negotiating and facilitating quality activities in all areas of information technology.
With the increase in outsourcing, including the use of multiple vendors, dedicated staff may be required to manage the vendors and outsourcers, including performing the following functions:
• Act as the prime contact for the vendor and outsourcer within the IS function.
• Provide direction to the outsourcer on issues and escalate internally within the organization and IS function.
• Monitor and report on the service levels to management.
• Review changes to the contract due to new requirements and obtain IS approvals.
Review Manual Reference Pages: pgs. 116-117
  63. Review Manual Reference Pages: pgs. 117-118
  64. Review Manual Reference Pages: pgs. 118-119
  65. Review Manual Reference Pages: pgs. 119-120
66. Content to Emphasize:
Duties that should be segregated include:
• Custody of the assets
• Authorization
• Recording transactions
If adequate segregation of duties does not exist, the following could occur:
• Misappropriation of assets
• Misstated financial statements
• Inaccurate financial documentation (i.e., errors or irregularities)
• Improper use of funds or modification of data could go undetected
Review Manual Reference Pages: pgs. 120-121
67. Instructor Directions: The segregation of duties control matrix (exhibit 2.9) is not an industry standard, but a guideline indicating which positions should be separated and which require compensating controls when combined. The matrix is illustrative of potential segregation of duties issues and should not be viewed or used as an absolute. Rather, it should be used to help identify potential conflicts so proper questions may be asked to identify compensating controls. Review Manual Reference Pages: p. 121
68. The correct answer is D. It is common for system development and maintenance to be undertaken by the same person. In both, the programmer requires access to the source code in the development environment, but should not be allowed access in the production environment. Choice A is not correct because the roles of security administration and change management are incompatible functions. The level of security administration access rights could allow changes to go undetected. Computer operations and system development (choice B) are incompatible, since it would be possible for an operator to run a program that he/she had amended. Choice C is incorrect because the combination of system development and change control would allow program modifications to bypass change control approvals. Review Manual Reference Pages: p. 133
69. The correct answer is B. Segregation of duties will prevent combination of conflicting functions. This is a preventive control, and it is the most critical control over database administration. Approval of DBA activities does not prevent the combination of conflicting functions. Review of access logs and activities is a detective control. If DBA activities are improperly approved, review of access logs and activities may not reduce the risk. Reviewing the use of database tools does not reduce the risk, as this is only a detective control and does not prevent combination of conflicting functions. Review Manual Reference Pages: p. 133
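As an added example (not part of the ISACA course material), the following check evaluates user role assignments against the incompatible duty pairs named in these notes (the IT-function pairs from the answer explanation above and the custody/authorization/recording duties that should be segregated), and separates conflicts that have a documented compensating control from open findings, which is how the matrix is meant to be used. Role names, the sample assignments and the sample compensating control are constructed.

```python
# Added example (not ISACA course code): segregation-of-duties check.
# Role names, sample assignments and compensating controls are constructed.
from itertools import combinations

# Pairs the notes describe as incompatible when held by one person.
INCOMPATIBLE_PAIRS = {
    # IT functions (from the segregation-of-duties question explanation)
    frozenset({"security administration", "change management"}),
    frozenset({"computer operations", "system development"}),
    frozenset({"system development", "change control"}),
    # Transaction duties to segregate: custody, authorization, recording
    frozenset({"authorization", "custody of assets"}),
    frozenset({"authorization", "recording transactions"}),
    frozenset({"custody of assets", "recording transactions"}),
}
# Development plus maintenance by one person is accepted in the notes,
# so that pair is deliberately absent from the matrix.


def sod_conflicts(roles):
    """Sorted (role_a, role_b) pairs in `roles` that the matrix marks incompatible."""
    return sorted(
        (a, b)
        for a, b in combinations(sorted(set(roles)), 2)
        if frozenset((a, b)) in INCOMPATIBLE_PAIRS
    )


def review_assignments(assignments, compensating_controls):
    """Grade each conflict: 'exception' if the user has a documented
    compensating control for that pair, otherwise 'finding'.
    assignments: user -> roles; compensating_controls: user -> set of frozenset pairs."""
    report = {}
    for user, roles in assignments.items():
        for a, b in sod_conflicts(roles):
            covered = frozenset((a, b)) in compensating_controls.get(user, set())
            report.setdefault(user, []).append((a, b, "exception" if covered else "finding"))
    return report


# Constructed sample data for a stand-alone run.
SAMPLE_ASSIGNMENTS = {
    "alice": ["system development", "system maintenance"],      # accepted combination
    "bob": ["system development", "change control"],            # conflict, compensated
    "carol": ["security administration", "change management"],  # conflict, open finding
    "dave": ["computer operations"],
}
# bob's conflict is covered by independent code comparison of production libraries.
SAMPLE_COMPENSATING = {"bob": {frozenset({"system development", "change control"})}}
```

Running `review_assignments(SAMPLE_ASSIGNMENTS, SAMPLE_COMPENSATING)` reports bob's pair as an exception and carol's as a finding, while alice's development-plus-maintenance combination produces nothing, matching the notes.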
  70. Review Manual Reference Pages: pgs. 122-123
71. Instructor Directions: Describe each of the compensating controls listed on the slide. Review Manual Reference Pages: pgs. 123-124
72. The correct answer is B. Authorization should be separated from all aspects of record keeping (origination, recording and correction). Such a separation enhances the ability to detect the recording of unauthorized transactions. Review Manual Reference Pages: p. 133
73. The correct answer is C. In smaller organizations, it generally is not appropriate to recruit additional staff to achieve a strict segregation of duties. The IS auditor must look at alternatives. Of the choices, C is the only practical one that has an impact. The IS auditor should recommend processes that detect changes to production source and object code, such as code comparisons, so the changes can be reviewed by a third party on a regular basis. This would be a compensating control process. Choice A, involving logging of changes to development libraries, would not detect changes to production libraries. Choice D is in effect requiring a third party to do the changes, which may not be practical in a small organization. Review Manual Reference Pages: p. 134
  74. Review Manual Reference Pages: pgs. 124-125
  75. Review Manual Reference Pages: p. 125
76. Instructor Directions: An IS auditor should be familiar with the RFP process and know what needs to be reviewed in an RFP. It is also important to note that a CISA should know, from a governance perspective, the evaluation criteria and methodology of an RFP, and the requirements to meet organizational standards.
Content to Emphasize:
In reviewing a sample of contracts, the IS auditor should evaluate the adequacy of the following terms and conditions:
• Service levels
• Right to audit or third party audit reporting
• Software escrow
• Penalties for noncompliance
• Adherence to security policies and procedures
• Protection of customer information
• Contract change process
• Contract termination and any associated penalties
Review Manual Reference Pages: pgs. 125-126
77. Instructor Directions: Discuss case study. Review Manual Reference Pages: p. 129
  78. Review Manual Reference Pages: p. 129
79. The correct answer is A. Three business days to remove the account of a terminated employee would create an unacceptable risk to the organization. In the intervening time, significant damage could be done. In contrast, some degree of advance notice prior to an onsite visit is generally accepted within the industry. Also, not every outsourcer will have its own internal audit function or IS auditor. Software escrow is primarily of importance when dealing with custom application software, where there is a need to store a copy of the source code with a third party. Operating system software for generally available commercial operating systems would not require software escrow. Review Manual Reference Pages: p. 135
80. The correct answer is A. Since connectivity to the servers is over the Internet, the prohibition against strong encryption will place any transmitted data at risk. The limitation of liability is a standard industry practice. Although the failure to perform background checks for employees hired more than three years ago is of importance, it is not as significant an issue. Upgrading system software once every six months does not present any significant exposure. Review Manual Reference Pages: p. 135