At Cisa Domain 2 26.7.19


Certified Information Systems Auditor [CISA] Examination Preparation

(Domain 2 : GOVERNANCE AND MANAGEMENT OF IT )


Presented by

Hasan-Al-Monsur (Rajib)

• Cyber Security Specialist, CISA, CEH, ISO 27001 LA, CPISI; Director-Membership, ISACA Dhaka Chapter
• ISACA Membership No: 886319
• IEB Membership No: M/32774 (Life Time)
• Member of The Institute of Internal Auditors (IIA) Bangladesh; IIA Membership No: 2124863
• Bangladesh Computer Society (BCS) Membership No: M/1919 (Life Time)
• Masters in Information Security (Cyber Security, 1st Batch in BD) MISS (BUP), MBA (Finance & Marketing), B.Sc. Engineering in ETE
• Certified Payment-Card Industry Security Implementer (CPISI); Certificate No: 014865
• RHCSA, RHCE, ITIL(F), PRINCE2(F), VSP, VTSP, MCT, MCP, MCTS, MS, MCSA (2008, 2012 & SQL Server 2012), MCITP (Enterprise Administrator), MCSE 2012 (Server Infrastructure, Private Cloud)
• Symantec Technical Specialist (STS) in NetBackup, SSP, SSE, SSE+
• Trainer on CISA exam preparation courses at AT COMPUTERS (Authorized ISACA Exam Center)
• Trainer on Certified Information Systems Auditor (CISA) courses at ISACA Dhaka Chapter
• Guest trainer on cyber security course at Bangladesh Computer Society
• Guest trainer on Cyber Security, Ethical Hacking courses at New Horizons CLC of Bangladesh
• Guest trainer on Cyber Security, CISA, Banking Security courses at TMSS ICT and many training organizations
Domain 2

• Governance and Management of IT

Domain 2

Provide assurance that the necessary leadership and organizational structures and processes are in place to achieve the objectives and to support the enterprise’s strategy.

Domain 2

• The focus of Domain 2 is the knowledge of IT governance, which is fundamental to the work of the IS auditor and for the development of sound control practices and mechanisms for management oversight and review.
Overview of Domain 2

• Governance and management of IT are integral parts of enterprise governance. Effective governance and management of IT consist of the leadership and organizational structures and processes that ensure that the enterprise’s IT sustains and extends the enterprise’s strategy and objectives.
• Knowledge of IT governance is fundamental to the work of the IS auditor, and it forms the foundation for the development of sound control practices and mechanisms for management oversight and review.
Domain Objectives

• The objective of this domain is to ensure that the CISA candidate is prepared for the role of completing a review in the following areas to ensure that IT governance requirements are met:
• Organizational structure
• Management policies
• Accountability mechanisms
• Monitoring practices
Domain 2— Governance and Management of IT
DOMAIN 2 EXAM CONTENT OUTLINE

A. IT Governance
1. IT Governance and IT Strategy
2. IT-Related Frameworks
3. IT Standards, Policies, and Procedures
4. Organizational Structure
5. Enterprise Architecture
6. Enterprise Risk Management
7. Maturity Models
8. Laws, Regulations, and Industry Standards Affecting the Organization

B. IT Management
1. IT Resource Management
2. IT Service Provider Acquisition and Management
3. IT Performance Monitoring and Reporting
4. Quality Assurance and Quality Management of IT

On the CISA Exam

• Domain 2 represents 17 percent of the CISA examination (approximately 26 questions).
• Domain 2 incorporates 14 tasks related to the management of IT governance.
LEARNING OBJECTIVES/TASK STATEMENTS for Domain 2
Within Domain 2, the IS auditor should be able to:
• Evaluate the IT strategy for alignment with the organization’s strategies and objectives. (T5)
• Evaluate the effectiveness of IT governance structure and IT organizational structure. (T6)
• Evaluate the organization’s management of IT policies and practices. (T7)
• Evaluate the organization’s IT policies and practices for compliance with regulatory and legal requirements. (T8)
• Evaluate IT resource and portfolio management for alignment with the organization’s strategies and objectives. (T9)
• Evaluate the organization’s risk management policies and practices. (T10)
• Evaluate IT management and monitoring of controls. (T11)
• Evaluate the monitoring and reporting of IT key performance indicators (KPIs). (T12)
• Evaluate whether IT supplier selection and contract management processes align with business requirements. (T15)
• Evaluate whether IT service management practices align with business requirements. (T20)
• Conduct periodic review of information systems and enterprise architecture. (T21)
• Evaluate data governance policies and practices. (T25)
• Evaluate the information security program to determine its effectiveness and alignment with the organization’s strategies and objectives. (T34)
• Evaluate potential opportunities and threats associated with emerging technologies, regulations, and industry practices. (T39)
SELF-ASSESSMENT QUESTIONS for Domain 2

• CISA self-assessment questions support the content in this presentation and provide an understanding of the type and structure of questions that typically appear on the exam. Often, a question will require the candidate to choose the MOST likely or BEST answer among the options provided. Please note that these questions are not actual or retired exam items.
Q: 2-1

• In order for management to effectively monitor the compliance of processes and applications, which of the following would be the MOST ideal?
• A. A central document repository
• B. A knowledge management system
• C. A dashboard
• D. Benchmarking
ANSWERS TO SELF-ASSESSMENT QUESTIONS: 2-1 (C)
Q: 2-2

• Which of the following would be included in an IS strategic plan?
• A. Specifications for planned hardware purchases
• B. Analysis of future business objectives
• C. Target dates for development projects
• D. Annual budgetary targets for the IT department
ANSWERS TO SELF-ASSESSMENT QUESTIONS: 2-2 (B)
• A. Specifications for planned hardware purchases are not strategic items.
• B. IS strategic plans must address the needs of the business and meet future business objectives. Hardware purchases may be outlined, but not specified, and neither budget targets nor development projects are relevant choices.
• C. Target dates for development projects are not strategic items.
• D. Annual budgetary targets for the IT department are not strategic items.
Q: 2-3

• Which of the following BEST describes an IT department’s strategic planning process?
• A. The IT department will have either short- or long-range plans depending on the organization’s broader plans and objectives.
• B. The IT department’s strategic plan must be time- and project-oriented but not so detailed as to address and help determine priorities to meet business needs.
• C. Long-range planning for the IT department should recognize organizational goals, technological advances and regulatory requirements.
• D. Short-range planning for the IT department does not need to be integrated into the short-range plans of the organization since technological advances will drive the IT department plans much quicker than organizational plans.
ANSWERS TO SELF-ASSESSMENT QUESTIONS: 2-3 (C)
Q: 2-4
ANSWERS TO SELF-ASSESSMENT QUESTIONS: 2-4 (A)
Q: 2-5

• What is considered the MOST critical element for the successful implementation of an information security program?
• A. An effective enterprise risk management framework
• B. Senior management commitment
• C. An adequate budgeting process
• D. Meticulous program planning
ANSWERS TO SELF-ASSESSMENT QUESTIONS: 2-5 (B)
Q: 2-6
ANSWERS TO SELF-ASSESSMENT QUESTIONS: 2-6 (A)
Q: 2-7
ANSWERS TO SELF-ASSESSMENT QUESTIONS: 2-7 (D)
Q: 2-8
ANSWERS TO SELF-ASSESSMENT QUESTIONS: 2-8 (B)
• A. Approval of database administration (DBA) activities does not prevent the combination of conflicting functions. Review of access logs and activities is a detective control.
• B. Segregation of duties (SoD) will prevent combination of conflicting functions. This is a preventive control, and it is the most critical control over DBA.
• C. If DBA activities are improperly approved, review of access logs and activities may not reduce the risk.
• D. Reviewing the use of database tools does not reduce the risk because this is only a detective control and does not prevent combination of conflicting functions.
Q: 2-9
ANSWERS TO SELF-ASSESSMENT QUESTIONS: 2-9 (B)
Q: 2-10
ANSWERS TO SELF-ASSESSMENT QUESTIONS: 2-10 (C)
PART A: IT GOVERNANCE

• 1.0 INTRODUCTION
• IT governance is not an isolated discipline. Rather, it is an integral part of a comprehensive enterprise/corporate governance program and shares the objectives of providing strategic direction, ensuring that objectives are achieved, ascertaining that risk is managed appropriately and verifying that resources are used responsibly. The IT governance process usually starts with setting objectives for an enterprise’s IT, and then a continuous loop is created to measure performance, benchmark against objectives, and move forward or change direction, as appropriate.
2.1 IT GOVERNANCE AND IT STRATEGY

• The board of directors is responsible for the governance of the enterprise. IT governance consists of the leadership and organizational structures and processes that ensure the enterprise sustains and extends strategies and objectives.
2.1 IT GOVERNANCE AND IT STRATEGY
Figure 2.1 illustrates the components of an enterprise governance framework.
Key Terms

Strategic planning: The process of deciding on the enterprise’s objectives, on changes in these objectives, and the policies to govern their acquisition and use
IT strategic plan: A long-term plan (i.e., three- to five-year horizon) in which business and IT management cooperatively describe how IT resources will contribute to the enterprise’s strategic objectives (goals)
Governance of Enterprise IT

• Corporate governance is a set of responsibilities and practices used by an organization’s management to provide strategic direction.
• Governance of enterprise IT (GEIT) implies a system in which all stakeholders provide input into the decision-making process.
• GEIT is concerned with the stewardship of IT resources on behalf of these stakeholders.
GEIT Implementation

• The GEIT framework is implemented through practices that provide feedback regarding two fundamental issues:
• That IT delivers value to the enterprise
• That IT risk is properly managed
GEIT Implementation (cont’d)

• Broad processes in GEIT implementation include:
• IT resource management — Focuses on maintaining an updated inventory of IT resources; addresses the risk management process
• Performance measurement — Ensures that all IT resources perform to deliver value to the enterprise
• Compliance management — Addresses legal, regulatory and contractual compliance requirements
GEIT Good Practices

• GEIT is a structure of relationships and processes used to direct and control the enterprise toward achievement of its goals.
• The topics that management must address to govern IT within the enterprise are each concerned with value creation.
GEIT Good Practices (cont’d)
Figure 2.3─COBIT 5 Governance and Management Areas
[Figure: Business Needs feed Governance (Evaluate, Direct, Monitor), which directs Management and receives management feedback; Management covers Plan (APO), Build (BAI), Run (DSS) and Monitor (MEA).]

Source: ISACA, COBIT 5, USA, 2012, figure 15
© Copyright 2016 ISACA. All rights reserved.
The Role of Audit in GEIT

• Audit plays a significant role in the implementation of GEIT.
• It offers these benefits:
• Provides leading practice recommendations to senior management
• Helps ensure compliance with GEIT initiatives
• Provides an independent and balanced view to facilitate quantitative improvement of IT processes
Areas of GEIT Audit

• In accordance with the defined role of the IS auditor, the following aspects of GEIT must be assessed:
• Alignment of enterprise governance and GEIT
• Alignment of the IT function with the organizational mission, vision, values, objectives and strategies
• Achievement of performance objectives
• Compliance with legal, environmental, fiduciary, security and privacy requirements
Areas of GEIT Audit (cont’d)

• The control environment of the organization, the inherent risk present, and IT investment and expenditure must also be assessed.
2.2 IT-RELATED FRAMEWORKS

• IT-related frameworks help organizations address business issues through governance and management of information and technology, starting with aligning high-level strategic objectives with operational-level objectives and then directing work outcomes. The key to maximizing value is to consider EGIT synergistically within the overall enterprise governance hierarchy.
2.2 IT-RELATED FRAMEWORKS (Cont.)

• Several frameworks provide standards for GEIT, including:
• COBIT 5
• ISO/IEC 27000
• Information Technology Infrastructure Library (ITIL)
• ISO/IEC 20000
• ISO 31000:2018: Risk management
2.2 IT-RELATED FRAMEWORKS (Cont.)

• Examples of EGIT frameworks include the following:
• COBIT was developed by ISACA to support EGIT by providing a framework to ensure that IT is aligned with the business, IT enables the business and maximizes benefits, IT resources are used responsibly, and IT risk is managed appropriately. COBIT provides tools to assess and measure the performance of IT processes within an organization.
• The International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27000 series is a set of best practices that provides guidance to organizations implementing and maintaining information security programs. ISO/IEC 27001 has become a well-known standard in the industry.
• The Information Technology Infrastructure Library (ITIL®) was developed by the UK Office of Government Commerce (OGC), in partnership with the IT Service Management Forum, and is a detailed framework with hands-on information regarding how to achieve successful operational service management of IT. It also includes business value delivery.
2.2 IT-RELATED FRAMEWORKS (Cont.)

• ISO/IEC 38500:2015: Information technology—Governance of IT for the organization provides guiding principles for members of governing bodies of organizations on the effective, efficient and acceptable use of IT within an organization.
• ISO/IEC 20000 is a specification for service management that is aligned with ITIL’s service management framework. It is divided into two parts. ISO/IEC 20000-1:2018 consists of specific requirements for service management improvement, and ISO/IEC 20000-2:2012 provides guidance and examples for the application of ISO/IEC 20000-1:2018.
• ISO 31000:2018: Risk management—Guidelines provides guidelines on and a common approach to risk management for organizations.
• The Open Information Security Management Maturity Model (OISM3) is a process-based ISM maturity model for security.
2.3 IT STANDARDS, POLICIES AND PROCEDURES

• There is a broad range of interpretation of policies, standards, procedures and guidelines. The definitions used in these slides agree with the major standards bodies and should be adopted to preclude miscommunication.
• Policies and standards are considered tools of governance and management, respectively, and procedures and guidelines the purview of operations.
2.3.1 STANDARDS

• A standard is a mandatory requirement, code of practice or specification approved by a recognized external standards organization. Professional standards refer to standards issued by professional organizations, such as ISACA, with related guidelines and techniques that assist the professional in implementing and complying with other standards. Corporate standards are documents that set the specific criteria to which items conform.
• Departmental or division-level IT system standards define the specific level of configuration and performance benchmarks.
• Standards are part of the IS audit scope and should be tested for compliance.
2.3.1 Standards (cont’d)

• IS hardening and service levels should be in alignment with applicable standards, and auditors should use the standards as a benchmark for evaluating compliance.
• As with policies, the IS auditor must also consider whether and to what extent standards pertain to third parties and outsourcers, whether these parties comply with the standards and whether the standards of these parties conflict with those of the organization.
2.3.2 POLICIES

• Policies are the high-level statements of management intent, expectations and direction.
• Corporate policies are high-level documents that set the tone for an organization as a whole.
• Departmental or division-level policies define lower-level goals and directives.
• Policies are part of the IS audit scope and should be tested for compliance.
2.3.2 Policies (cont’d)

• IS controls should flow from an enterprise’s policies, and auditors should use the policies as a benchmark for evaluating compliance.
• The IS auditor must also consider whether and to what extent policies pertain to third parties and outsourcers, whether these parties comply with the policies and whether the policies of these parties conflict with those of the organization.
2.3.2 Information Security Policy

• A security policy for information and related technology is a first step toward building the security infrastructure for technology-driven organizations.
• It communicates a coherent security standard to users, management and technical staff.
• This policy should be used by IS auditors as a reference framework for performing audit assignments.
• The adequacy and appropriateness of the policy is also an area of review during an IS audit.
2.3.2 Policy Components

• The information security policy may comprise a set of policies, generally addressing the following concerns:
• High-level information security policy — Includes statements on confidentiality, integrity and availability
• Data classification policy — Provides classifications and levels of control at each classification
• End-user computing policy — Identifies the parameters and usage of desktop, mobile and other tools
• Access control policy — Describes methods for defining and granting access to users of various IT resources
• Acceptable use policy (AUP) — Controls the use of information system resources by defining how IT resources may be used by employees
2.3.3 PROCEDURES

• The documented, defined steps in procedures aid in achieving policy objectives.
• Procedures documenting business and aligned IT processes and their embedded controls are formulated by process owners.
• To be effective, procedures must:
• Be frequently reviewed and updated
• Be communicated to those affected by them
• An IS auditor examines procedures to identify and evaluate controls to ensure that control objectives are met.
2.3.4 GUIDELINES

• Guidelines for executing procedures are also the responsibility of operations.
• Guidelines should contain information that will be helpful in executing the procedures. This can include clarification of policies and standards, dependencies, suggestions and examples, narrative clarifying the procedures, background information that may be useful, and tools that can be used.
• Guidelines can be useful in many other circumstances as well, but they are considered here in the context of information security governance.
2.4 ORGANIZATIONAL STRUCTURE

• Organizational structure is a key component of governance. It identifies the key decision-making entities in an enterprise.
• The following section provides guidance for organizational structures, roles and responsibilities within EGIT.
• Actual structures may differ depending on the size, industry and location of an enterprise.
Key Terms

Governance: Ensuring that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives
2.4.1 IT Governing Committees

• Organizations often have executive-level strategy and steering committees to handle organization-wide IT issues.
• The IS auditor should know the responsibilities of, authority possessed by and membership of such committees.
2.4.1 IT Governing Committees

• Traditionally, organizations have had executive-level steering committees to handle IT issues that are relevant organization-wide. There should be a clear understanding of both the IT strategy and steering levels. ISACA has issued a document offering a clear analysis (figure 2.3). Organizations may also have other executive- and mid-management-led committees guiding IT operations, such as an IT executive committee, IT governance committee, IT investment committee and/or IT management committee.
IT Committee Analysis

Responsibility
  IT Strategy Committee: Provides insight and advice to the board across a range of IT topics
  IT Steering Committee: Decides the level and allocation of IT spending, aligns and approves the enterprise’s IT architecture, and other oversight functions
Authority
  IT Strategy Committee: Advises the board and management on IT strategy, focusing on current and future strategic IT issues
  IT Steering Committee: Assists the executive in the delivery of IT strategy, overseeing management of IT service delivery, projects and implementation
Membership
  IT Strategy Committee: Includes board members and specialist non-board members
  IT Steering Committee: Includes sponsoring executive, business executive (key users), chief information officer (CIO) and key advisors, as required
2.4.1 IT Governing Committees
Figure 2.3—Analysis of IT Steering Committee Responsibilities
2.4.2 ROLES AND RESPONSIBILITIES OF SENIOR MANAGEMENT AND BOARDS OF DIRECTORS (Matrix of Outcomes and Responsibilities)
2.4.3 IT ORGANIZATIONAL STRUCTURE AND RESPONSIBILITIES

• Within an organization, the IT department can be structured in a variety of ways.
• An organizational chart provides a clear definition of a department’s hierarchy and lines of authority.
• The IS auditor should compare observed roles and responsibilities with formal organizational structures and job descriptions.
2.4.3 IT ORGANIZATIONAL STRUCTURE AND RESPONSIBILITIES (Cont.)
IT Functions

• Generally, the following IT functions should be reviewed by the IS auditor:
• Systems development management
• Project management
• Help or service desk administration
• End-user activities and their management
• Data management
• Quality assurance management
• Information security management
2.4.3 IT ORGANIZATIONAL STRUCTURE AND RESPONSIBILITIES
IT Functions (cont’d)

• Additionally, these functions should be reviewed by the IS auditor:
• Vendor and outsourcer management
• Infrastructure operations and maintenance
• Removable media management
• Data entry
• Supervisory control and data acquisition
• Systems and security administration
• Database administration
• Applications and infrastructure development and maintenance
• Network management
• Systems development manager
  • Responsible for the programmers and analysts who implement new systems and maintain existing systems
• Project manager
  • Responsible for planning and executing IT projects
  • Utilizes the budgets assigned to projects to deliver IS initiatives and reports on project progress to the steering committee
• Service desk (help desk)
  • Acquiring hardware/software on behalf of end users
  • Assisting end users with hardware/software difficulties
  • Training end users to use hardware, software and databases
  • Answering end-user queries
  • Monitoring technical developments and informing end users of pertinent developments
  • Determining the source of problems with production systems and initiating corrective actions
  • Informing end users of problems with hardware, software or databases that could affect their controls, and of the installation of hardware/software upgrades
  • Initiating changes to improve efficiency
2.4.3 IT ORGANIZATIONAL STRUCTURE AND RESPONSIBILITIES
• End user
  • Responsible for operations related to business applications
• End-user support manager
  • Responsible as a liaison between the IS department and end users
• Data management
  • Responsible for data architecture
  • Tasked with managing data as a corporate asset
• QA manager
  • Responsible for negotiating and facilitating quality activities
• Information security management
  • Generally needs to be separate from the IS department and headed by a CISO
  • The CISO reports directly, or through a dotted line, to the CIO
  • May conflict with the CIO: the CIO’s responsibility is to provide continuous service, whereas the CISO may be less interested in cost reduction if it reduces the quality of protection
2.4.3 IT ORGANIZATIONAL STRUCTURE AND RESPONSIBILITIES

• Vendor and outsourcer management
  • Acts as the prime contact for vendors and outsourcers within the IS function
  • Provides direction to the outsourcer on issues and escalates internally within the organization and the IS function
  • Monitors and reports on service levels to management
  • Reviews changes to the contract due to new requirements and obtains approval
• Infrastructure operations and maintenance
  • The operations manager is responsible for computer operations and personnel, including all the staff required to run the data centre efficiently and effectively
• Control group
  • Responsible for the collection, conversion and control of input, and the balancing and distribution of output to the user community
2.4.3 IT ORGANIZATIONAL STRUCTURE AND RESPONSIBILITIES
• Media management
  • Required to record, issue, receive and safeguard all program and data files that are maintained on removable media
  • Can be a full-time role or performed by a member of the operations team
  • Many organizations provide additional support for the function through software that maintains version control and configuration management
• Data entry
  • An information processing activity
  • Can be batch or online entry
  • Personnel in user departments do their own data entry online
  • Data are captured from the original source (e.g., EDI, barcode)
• Systems administration
  • Responsible for maintaining major multiuser computer systems, including LAN, WLAN, WAN, PAN and SAN
  • Typical duties include:
    • Adding and configuring new workstations and peripherals
    • Setting up user accounts
    • Installing system-wide software
    • Performing procedures to prevent, detect and correct the spread of viruses
    • Allocating mass storage space
2.4.3 IT ORGANIZATIONAL STRUCTURE AND RESPONSIBILITIES
• Security administration
  • Begins with management commitment. Management must:
    • Understand and evaluate security risk
    • Develop and enforce a written policy
    • Clearly state the standards and procedures to follow
    • Define the roles in the policy
  • Should be a full-time employee with proper segregation of duties
  • Reports to the infrastructure director
  • Major functions:
    • Maintaining access rules to data and other IT resources
    • Maintaining security and confidentiality over the issuance and maintenance of authorized user IDs and passwords
    • Monitoring security violations and taking corrective action
    • Periodically reviewing the security policy
    • Preparing and monitoring the security awareness program
    • Testing the security architecture
    • Working with the risk management, compliance and audit programs
2.4.3 IT ORGANIZATIONAL STRUCTURE AND RESPONSIBILITIES
• Quality assurance
  • Ensures the quality of a service or product
  • In charge of developing, promulgating and maintaining standards for the IS function
  • Provides training in QA standards and procedures
  • Periodically checks the accuracy and authenticity of the input, processing and output of various applications
• QA personnel
  • Process oriented
  • A planned and systematic pattern of all actions necessary to provide adequate confidence that an item or product conforms to established technical requirements
• QC personnel
  • Product oriented
  • Observation techniques and activities used to fulfill requirements for quality. QC is responsible for conducting tests or reviews to verify and ensure that software is free from defects and meets user expectations
2.4.3 IT ORGANIZATIONAL STRUCTURE AND RESPONSIBILITIES
• Database administrator (DBA)
  • Custodian of organizational data
  • Defines and maintains the data structures in the corporate database systems
  • Must understand the organization, and user data and data relationship requirements
  • Responsible for the security of the shared data stored in databases
  • Usually reports to the director of the IPE
  • The IS department must exercise close controls over database administration:
    • Segregation of duties
    • Management approval of DBA activities
    • Supervisory review of access logs and activities
    • Detective controls over the use of database tools
2.4.3 IT ORGANIZATIONAL STRUCTURE AND RESPONSIBILITIES
• Systems analyst
  • Designs systems based on the needs of the users and is usually involved during the initial phase of the system development life cycle
• Security architect
  • Evaluates security technologies
  • Designs the security aspects of the network topology, access control, identity management and other security systems
  • Establishes security policies and security requirements
• Application development and maintenance
  • Responsible for developing and maintaining applications
  • Development can include developing new code or changing the existing setup or configuration of the system
  • The application development team works in the test environment; a separate team has permission to make changes in the production system
2.4.3 IT ORGANIZATIONAL STRUCTURE AND RESPONSIBILITIES
• Infrastructure development and maintenance
  • Responsible for maintaining the systems software, including the OS
  • May require broad access to the entire system
  • IS management must closely monitor these activities by requiring that electronic logs capture them and are not susceptible to alteration
  • Use of domain administrator and superuser accounts should be tightly controlled and monitored
• Network management
  • LAN: local area networks at branches and remote locations
  • WAN: LANs may be interconnected for ease of access by authorized personnel from other locations
  • Wireless networks: established through personal digital assistants (PDAs) and other mobile devices
  • Network administrator
    • Responsible for key components of this infrastructure (routers, switches, firewalls, network segments, performance management, remote access, etc.)
2.4.4 SEGREGATION OF DUTIES WITHIN IT
• While actual job titles and organizational structures vary across enterprises, an IS auditor must obtain enough information to understand and document the relationships among various job functions, responsibilities and authorities.
• The IS auditor must also assess the adequacy of SoD.
• SoD limits the possibility that a single person will be responsible for functions in such a way that errors or misappropriations could occur undetected.
• SoD is an important method to discourage and prevent fraudulent or malicious acts.
2.4.4 SEGREGATION OF DUTIES WITHIN IT
SoD Guidelines
• Duties that should be segregated include:
• Asset custody
• Authorization capability
• Transaction recording
• Both IS and end-user departments should be organized to meet SoD policies.
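The SoD guidelines above and the controls over database administration listed in 2.4.3 (segregation of duties, management approval of DBA activities, supervisory review of access logs, detective controls over database tools) reduce to two checks an IS auditor can automate: does any one person hold two duties that must be separated, and was each privileged DBA action approved by someone other than the person who performed it? The Python below is an added example and is not code from these slides or from ISACA; the role names, duty labels, user assignments and log lines are constructed sample data, and the set of actions that require approval is a hypothetical policy.

```python
"""SoD conflict check over a role matrix, plus a detective-control pass over
DBA activity log lines. Added example; all data below is constructed."""

# Duties the slides say must not be combined in one person. The first set is the
# classic custody / authorization / recording triad; the second applies the same
# idea to database administration (perform vs approve vs review).
CONFLICT_SETS = {
    "classic SoD": {"asset custody", "authorization", "transaction recording"},
    "DBA oversight": {"perform DBA changes", "approve DBA changes", "review DBA logs"},
}

# Hypothetical role -> duties map (constructed sample data).
ROLE_DUTIES = {
    "ap_clerk": {"transaction recording"},
    "payment_approver": {"authorization"},
    "treasury_custodian": {"asset custody"},
    "dba": {"perform DBA changes"},
    "it_manager": {"approve DBA changes"},
    "security_admin": {"review DBA logs"},
}

# Hypothetical policy: these DBA actions need prior management approval.
PRIVILEGED_ACTIONS = {"grant", "alter_table", "drop_table", "direct_update"}


def duties_for(roles):
    """Union of the duties granted by a set of roles; unknown roles grant nothing."""
    duties = set()
    for role in roles:
        duties |= ROLE_DUTIES.get(role, set())
    return duties


def find_sod_conflicts(assignments):
    """Return sorted (user, conflict class, duties held) tuples for every user whose
    combined roles carry two or more duties from a single conflict set."""
    findings = []
    for user, roles in assignments.items():
        held = duties_for(roles)
        for cls, conflict_set in CONFLICT_SETS.items():
            overlap = tuple(sorted(held & conflict_set))
            if len(overlap) >= 2:
                findings.append((user, cls, overlap))
    return sorted(findings)


def review_dba_log(lines):
    """Detective control: parse 'key=value' log lines and flag privileged DBA
    actions that were not approved or that the actor approved for themselves."""
    findings = []
    for line in lines:
        fields = dict(part.split("=", 1) for part in line.split())
        if fields.get("action") not in PRIVILEGED_ACTIONS:
            continue  # routine action, no approval required under this policy
        approver = fields.get("approved_by", "")
        if not approver:
            findings.append((fields["user"], fields["action"], "no management approval"))
        elif approver == fields["user"]:
            findings.append((fields["user"], fields["action"], "self-approved"))
    return findings


# Constructed sample data: alice both records and authorizes payments; carol both
# performs DBA changes and reviews the DBA logs.
ASSIGNMENTS = {
    "alice": {"ap_clerk", "payment_approver"},
    "bob": {"treasury_custodian"},
    "carol": {"dba", "security_admin"},
    "dave": {"it_manager"},
}

# Constructed DBA activity log in key=value form (empty approved_by means none).
DBA_LOG = [
    "ts=2024-01-10T09:00:00Z user=carol action=select object=orders approved_by=",
    "ts=2024-01-10T09:05:00Z user=carol action=direct_update object=payments approved_by=",
    "ts=2024-01-10T09:10:00Z user=carol action=grant object=payments approved_by=carol",
    "ts=2024-01-10T09:15:00Z user=carol action=alter_table object=orders approved_by=dave",
]

if __name__ == "__main__":
    for user, cls, duties in find_sod_conflicts(ASSIGNMENTS):
        print(f"SoD conflict ({cls}): {user} holds {' + '.join(duties)}")
    for user, action, reason in review_dba_log(DBA_LOG):
        print(f"DBA log finding: {user} {action}: {reason}")
```

The first function is the preventive side (a conflict in the role matrix is a finding regardless of whether it has been abused); the second is the detective side the slides describe, and it only works if the log itself is protected from alteration by the people it records, which is why the review step belongs to someone outside the DBA role.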
2.4.5 AUDITING IT GOVERNANCE STRUCTURE AND IMPLEMENTATION

• While many conditions concern the IS auditor when auditing the IT function, some of the more significant indicators of potential problems include:
• Excessive costs
• Budget overruns
• Late projects
• High staff turnover
• Inexperienced staff
• Frequent HW/SW errors
• An excessive backlog of user requests
• Slow computer response time
• Numerous aborted or suspended development projects
• Unsupported or unauthorized HW/SW purchases
• Frequent HW/SW upgrades
• Extensive exception reports
• Exception reports that were not followed up
• Lack of succession plans
• A reliance on one or two key personnel
• Lack of adequate training
2.5 Enterprise Architecture
• Enterprise architecture (EA) is a practice focused on documenting an organization’s IT assets in a structured manner.
• EA facilitates the understanding of, management of, and planning for IT investments through comparison of the current state and an optimized future state.
2.5 Enterprise Architecture (cont’d)
• EA can be approached from one of two differing perspectives, as follows:
• Technology-driven EA — Seeks to clarify the complex
technology choices faced by an organization in order to
provide guidance on the implementation of various
solutions.
• Business-driven EA — Attempts to understand the
organization in terms of its core processes, and derive the
optimum mix of technologies needed to support these
processes.
2.5 Enterprise Architecture (cont’d)
The basic Zachman framework is shown in figure 2.7.
2.6 ENTERPRISE RISK MANAGEMENT
• Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives and deciding what countermeasures (safeguards or controls), if any, to take in reducing risk to an acceptable level (i.e., residual risk), based on the value of the information resource to the organization.
• The process of risk management focuses on an enterprise’s information resources.
• To be effective, the process must begin with an understanding of senior management’s appetite for risk.
2.6 ENTERPRISE RISK MANAGEMENT
Key Terms
Key Term: Definition
IT risk: The business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise.
Risk management: 1. The coordinated activities to direct and control an enterprise with regard to risk. 2. One of the governance objectives. Entails recognizing risk; assessing the impact and likelihood of that risk; and developing strategies, such as avoiding the risk, reducing the negative effect of the risk and/or transferring the risk, to manage it within the context of the enterprise’s risk appetite.
2.6 ENTERPRISE RISK MANAGEMENT (cont’d)
• Four possible responses to risk are:
• Avoidance — elimination of the cause of the risk
• Mitigation — reduction of the probability of a risk’s
occurrence or of its impact
• Transfer — sharing of risk with partners, such as through
insurance or joint ventures
• Acceptance — formal acknowledgment of the presence
of risk with a commitment to monitor it
• A fifth response, rejection of risk through choosing to ignore
it, is not considered effective risk management. The presence
of this risk response should be a red flag for the IS auditor.
2.6.2 RISK MANAGEMENT PROCESS
• Asset identification: Identify resources or assets that are vulnerable to threats.
• Threat assessment: Determine threats and vulnerabilities associated with the asset.
• Impact evaluation: Describe what will happen should a vulnerability be exploited.
• Risk calculation: Form an overall view of risk, based on the probability of occurrence and the magnitude of impact.
• Risk response: Evaluate existing controls and implement new controls designed to bring residual risk into alignment with enterprise risk appetite.
Objective: A cost-effective balance between significant threats and the application of controls to those threats.
88 © Copyright 2016 ISACA. All rights reserved.
2.6.3 RISK ANALYSIS METHODS
• Risk analysis is defined as a process by which frequency and magnitude of IT risk scenarios are estimated.
• Three methods may be employed during risk analysis:
• Qualitative analysis methods — Descriptive rankings are used to
describe risk likelihood and impact.
• Semi-quantitative analysis methods — Descriptive rankings are
associated with numeric values.
• Quantitative analysis methods — Numeric values, for example, in the
form of financial costs, are used to describe risk likelihood and
impact.
• Each of the three methods offers a perspective on risk, but it is important
to acknowledge the assumptions incorporated into each risk analysis.
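The following is an added example (not from the ISACA slides) that carries the five-step process of 2.6.2 through in code using a semi-quantitative scheme from 2.6.3, i.e. descriptive rankings tied to numeric values, and then picks one of the four accepted responses from 2.6 by comparing residual risk with the stated appetite. The rating scales, the appetite threshold, the control-credit rule and the register entries are all constructed assumptions for illustration.

```python
# Added example, not from the ISACA slides: 2.6.2 process + 2.6.3 semi-quantitative
# scoring + the four responses of 2.6.  Scales, appetite and register are constructed.
from dataclasses import dataclass

LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
RISK_APPETITE = 6   # constructed: highest residual score management will accept

@dataclass
class RiskScenario:
    asset: str                  # step 1: asset identification
    threat: str                 # step 2: threat / vulnerability assessment
    impact: str                 # step 3: impact evaluation, as a descriptive ranking
    likelihood: str             # step 4 input: probability of occurrence
    control_reduction: int = 0  # credit for controls already in place (constructed rule)

    def inherent_score(self):
        """Step 4: overall risk = probability of occurrence x magnitude of impact."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self):
        """Risk remaining once existing controls are credited."""
        return max(0, self.inherent_score() - self.control_reduction)

def recommend_response(scenario, appetite=RISK_APPETITE):
    """Step 5: residual risk within appetite is accepted (and monitored); anything
    above it needs avoidance, transfer or mitigation.  Ignoring the risk is never
    returned: the slides call that a red flag, not a response."""
    if scenario.residual_score() <= appetite:
        return "accept"
    if IMPACT[scenario.impact] >= 5:
        return "avoid"      # severe impact: eliminate the cause rather than live with it
    if LIKELIHOOD[scenario.likelihood] <= 2:
        return "transfer"   # rare but costly: insurance or partner sharing
    return "mitigate"       # reduce probability or impact with new controls

# Constructed risk register of the kind an IS auditor would review.
REGISTER = [
    RiskScenario("customer DB", "credential theft", "major", "possible", control_reduction=4),
    RiskScenario("legacy FTP server", "unpatched software", "severe", "likely", control_reduction=5),
    RiskScenario("branch office", "flood", "major", "unlikely"),
    RiskScenario("public website", "defacement", "minor", "possible", control_reduction=2),
]

def assess(register):
    """Map 'asset/threat' to (residual score, recommended response)."""
    return {f"{r.asset}/{r.threat}": (r.residual_score(), recommend_response(r))
            for r in register}
```

Changing the scales or the appetite changes every recommendation, which is exactly the point the slides make about acknowledging the assumptions built into each analysis.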
2.7 MATURITY MODELS
• Maintaining consistency, efficiency and effectiveness of IT processes requires the implementation of a process maturity framework.
• Several different models may be encountered in organizations,
including:
• IDEAL model — designed to guide the planning and
implementation of effective software improvement
• CMMI — provides the essential elements of effective
processes; used as a guide to process improvement across a
project, division or organization
2.7 MATURITY MODELS (Contd.)
• A framework can be based on various models
• IDEAL model [Initiating, Diagnosing, Establishing, Acting & Learning]
• It is a software process improvement (SPI) model
• Developed by the Software Engineering Institute [SEI]
• Consists of 5 phases:
• Initiating,
• Diagnosing,
• Establishing,
• Acting &
• Learning
• CMMI [Capability Maturity Model Integration]
• CMMI is a process improvement approach that provides enterprises with the essential elements of effective processes
• CMMI helps to:
• Integrate traditionally separate organizational functions
• Set process improvement goals and priorities
• Provide guidance for quality processes
• Provide a point of reference for appraising current processes
2.7 MATURITY MODELS (Cont.)
See figure 2.8 for the characteristics of the maturity levels.
2.8 LAWS, REGULATIONS AND INDUSTRY STANDARDS AFFECTING THE ORGANIZATION
• The complex nature of IT and global connectivity have introduced various types of risk within the organization’s information life cycle—from receipt, processing, storage, transmission/distribution through destruction. In order to protect stakeholder interests, various legal and regulatory requirements have been enacted. The major compliance requirements that are considered globally recognized include protection of privacy and confidentiality of personal data, intellectual property rights and reliability of financial information.
• In addition, there are some compliance requirements that are
industry specific.
• For the CISA exam, the IS auditor must be aware of these globally
recognized concepts; however, knowledge of specific legislation
and regulations will not be tested.
2.8.1 GOVERNANCE, RISK AND COMPLIANCE
• Governance, risk management and compliance (GRC) form an example of the growing recognition of the necessity for convergence, or assurance process integration. GRC is a term that reflects an approach that organizations can adopt to integrate these three areas.
• Organizations may weigh the option of compliance to a legal or
regulatory requirement and decide to accept the risk and penalties
associated with noncompliance.
2.8.2 IMPACT OF LAWS, REGULATIONS AND INDUSTRY STANDARDS ON IS AUDIT
• The enterprise may be subject to audits related to specific applicable laws, regulations and industry standards. Examples of laws that may require audit include:
• United States laws:
– Financial Services Modernization Act of 1999, better known as the Gramm-Leach-Bliley Act (GLBA)
– Family Educational Rights and Privacy Act (FERPA)
– Children’s Online Privacy Protection Act (COPPA)
– Children’s Internet Protection Act (CIPA)
– Health Insurance Portability and Accountability Act (HIPAA)
– Federal Information Security Management Act of 2002 (FISMA)
• Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)
• South Korea’s Personal Information Protection Act (PIPA)
• South Africa’s Protection of Personal Information (POPI) Act
• The UK Ministry of Defence’s (MOD) DEFCON 658
• The European Union’s GDPR
PART B: IT MANAGEMENT
• IT management consists of overseeing the concepts related to IT operations and resources. As previously noted, management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve enterprise objectives. IT management ensures that IT continues to support enterprise objectives.
2.9 IT RESOURCE MANAGEMENT
• Each enterprise faces the challenge of using its limited resources, including people and money, to achieve its goals and objectives. When an organization invests its resources in a given effort, it incurs opportunity costs because it is unable to pursue other efforts that could bring value to the enterprise.
• An IS auditor should understand an organization’s
investment and allocation practices to determine whether
the enterprise is positioned to achieve the greatest value
from the investment of its resources.
2.9.1 VALUE OF IT
• IT’s value is determined by the relation between what the organization will pay and what it will receive.
• The larger the benefit in relation to cost, the greater the value of the IT project.
2.9.2 IMPLEMENTING IT PORTFOLIO MANAGEMENT (Key Terms)
Key Term: Definition
IT portfolio: A grouping of "objects of interest" (investment programs, IT services, IT projects, other IT assets or resources) managed and monitored to optimize business value. (The investment portfolio is of primary interest to Val IT. IT service, project, asset and other resource portfolios are of primary interest to COBIT.)
IT Portfolio Management
• IT portfolio management is distinct from IT financial management.
• It has a strategic goal in determining IT direction toward:
• What the enterprise will begin to invest in
• What the enterprise will continue to invest in
• What the enterprise will divest
• Key governance practices in IT portfolio management include
the evaluation, direction and monitoring of value
optimization.
IT Portfolio Management (cont’d)
• The most significant advantage of IT portfolio management is agility in adjusting investments based on built-in feedback mechanisms.
• Implementation methods include:
• Risk profile analysis
• Diversification of projects, infrastructure and
technologies
• Continuous alignment with business goals
• Continuous improvement
2.9.4 HUMAN RESOURCE MANAGEMENT
• Recruiting
• Selecting
• Training
• Measuring performance
• Promoting
• Discipline
• Staff retention
• Mandatory leave
• Succession planning

2.9.5 ORGANIZATIONAL CHANGE MANAGEMENT
• Organizational change management uses a defined and
documented process to identify and apply technology
improvements at both the infrastructure and application
levels.
• The IT department is the focal point for such changes and
leads or facilitates the changes with senior management
support.
• Communication is an important component of change
management, and end-users must be informed of the impact
and benefits of changes.
2.10 IT SERVICE PROVIDER ACQUISITION AND MANAGEMENT
Sourcing Practices
• Sourcing practices relate to the way in which the enterprise obtains the IT functions required to support the business.
• These functions may be performed:
• By the organization’s staff in-house, or “insourced”
• By staff of a vendor, or “outsourced”
• By a mix of both insourced and outsourced methods
2.10 IT SERVICE PROVIDER ACQUISITION AND MANAGEMENT
Sourcing Practices (cont’d)
• The functions may be performed across the globe in a variety of arrangements, including:
• Onsite — Staff works onsite in the IT department.
• Offsite — Staff works at a remote location in the same
geographical region.
• Offshore — Staff works at a remote location in a different
geographical region.
2.11.1 IT PERFORMANCE MONITORING AND REPORTING
• Performance optimization is the process of improving perceived service performance while bringing IS productivity to the highest level possible.
• Ideally, this productivity will be gained without excessive
additional investment in the IT infrastructure.
• Effective performance measures are used to create and
facilitate action to improve both performance and GEIT.
• These depend upon:
• The clear definition of performance goals
• The establishment of effective metrics to monitor goal
achievement
2.11.2 Tools and Techniques
• Several tools and techniques can be employed to facilitate performance measurement, ensure good communication and support organizational change.
• These include:
• Six Sigma
• IT BSC
• KPIs
• Benchmarking
• Business process reengineering (BPR)
• Root cause analysis
• Life cycle cost-benefit analysis
2.11.2 Tools and Techniques (cont’d)
• Six Sigma: A quantitative process analysis, defect reduction and improvement approach
• IT BSC: A process management evaluation technique that can be effectively applied to assess IT functions and processes
• KPI: A measure that determines how well a process is performing in enabling a goal to be reached
• Benchmarking: A systematic approach to comparing enterprise performance against competitors to learn methods
• BPR: The thorough analysis and redesign of business processes to establish a better performing structure with cost savings
• Root cause analysis: The process of diagnosis to establish the origins of events so that controls can be developed to address these causes
• Life cycle cost-benefit: Assessment of life cycle, life cycle cost and benefit analysis to determine strategic direction for IT systems
2.12 QUALITY ASSURANCE AND QUALITY MANAGEMENT OF IT
• The QA program and respective policies, procedures and processes are encompassed within a planned and systematic pattern of all actions necessary to provide adequate confidence that an item or product conforms to established technical requirements.
• The IS auditor needs to understand the QA and quality management concepts, structures, and roles and responsibilities within the organization.
2.12 QUALITY ASSURANCE AND QUALITY MANAGEMENT OF IT
• 2.12.1 QUALITY ASSURANCE
2.12.2 QUALITY MANAGEMENT
• Quality management is one of the means by which IT department-based processes are controlled, measured and improved.
Areas of control for quality management may include:
• Software development, maintenance and implementation
• Acquisition of hardware and software
• Day-to-day operations
• Service management
• Security
• HR management
• General administration
Domain 2 Summary
• Evaluation of the IT strategy life cycle
• Evaluation of the effectiveness of the IT governance structure
• Evaluation of the IT organizational structure and human resources (personnel) management
• Evaluation of the organization’s IT policies, standards and procedures life cycle
• Evaluation of IT resource management
Domain 2 Summary (cont’d)
• Evaluation of IT portfolio management
• Evaluation of risk management practices
• Evaluation of IT management and monitoring of controls
• Evaluation of monitoring and reporting of IT KPIs