1 / 63

CISA REVIEW

CISA REVIEW. The material provided in this slide show came directly from Certified Information Systems Auditor (CISA) Review Material 2010 by ISACA. CISA REVIEW Chapter 2 – Governance Learning Objectives.

kiele
Download Presentation

CISA REVIEW

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CISA REVIEW The material provided in this slide show came directly from Certified Information Systems Auditor (CISA) Review Material 2010 by ISACA.

  2. CISA REVIEWChapter 2 – Governance Learning Objectives • Evaluate the effectiveness of IT governance structure to ensure adequate board control over the decisions, directions and performance of IT, so it supports the organization's strategies and objectives • Evaluate IT organizational structure and human resources (personnel) management to ensure that they support the organization's strategies and objectives • Evaluate the IT strategy and process for their development, approval, implementation and maintenance to ensure that they support the organization's strategies and objectives • Evaluate the organization's IT policies, standards, procedures and processes for their development, approval, implementation and maintenance to ensure that they support the IT strategy and comply with regulatory and legal requirements • Evaluate management practices to ensure compliance with the organization's IT strategy, policies, standards and procedures • Evaluate IT resource investment, use and allocation practices to ensure alignment with the organization's strategies and objectives • Evaluate risk management practices to ensure that the organization's IT-related risks are properly managed • Evaluate monitoring and assurance practices to ensure that the board and executive management receive sufficient and timely information about IT performance

  3. CISA REVIEWChapter 2 – Governance • IT governance is used to ensure that an organization's IT objectives are in alignment with its enterprise objectives. To ensure successful implementation of IT governance, an IS auditor needs to make certain that the organization's IS strategies are in alignment with the organization's business strategies. The IS auditor must also ensure that IS strategies comply with all local, regional and federal laws and regulations. • Other critical elements of an IS auditor's role in IT governance is to ensure that IS policies exist and adequately reflect the approved IS strategies, and that IS standards and procedures effectively enforce and communicate IS policies.

  4. CISA REVIEWChapter 2 – Governance • IT governance implies a system in which all stakeholders, including the board, internal customers and related areas such as finance, have the necessary input into the decision making process. This prevents a single stakeholder, typically IT, being blamed for poor decisions. It also prevents users from later complaining that the system does not behave or perform as expected. • The best way to implement IT governance so it has the most positive impact is to have collaborative senior management sponsorship between the business and IT operations. Lower management levels may have some success but when governance is departmental only, problems arise with projects that transcend departments that are not consistently managed using the same guidance.

  5. CISA REVIEWChapter 2 – Governance IT governance encompasses: • Information systems • Technology and communication • Business, legal and other issues such as regulatory compliance and security • All concerned stakeholders, directors, senior management, process owners, IT suppliers, users and auditors

  6. CISA REVIEWChapter 2 – Governance Chief executive officers (CEOs), chief financial officers (CFOs) and chief information officers (CIOs) agree that the strategic alignment between IT and enterprise objectives is a critical success factor for an organization.

  7. CISA REVIEWChapter 2 – Process Improvement IT governance is concerned that IT delivers value to the business and that IT risks are managed. The first is driven by strategic alignment of IT with the business. The second is driven by embedding accountability into the enterprise, which cannot be accomplished without effective measuring and reporting.

  8. CISA REVIEWChapter 2 – Governance An IS auditor should assess the following organizational IT governance elements: • Alignment of the IT function with the organization's mission, vision, values, objectives and strategies • Achievement of IT function performance objectives established by the business (effectiveness and efficiency) including the measures used to determine success • Legal, environmental, information quality, and fiduciary and security requirements • The control environment of the organization • The inherent risks within the IT environment • The organization's documentation and contractual commitments

  9. CISA REVIEWChapter 2 – IT Strategy Committee As an industry best practice, all organizations should create an IT strategy committee. To incorporate IT governance into enterprise governance, a successful IT strategy committee must assist the board by: • Providing advice on strategy, IT value, risks and performance • Overseeing the enterprise's IT-related matters by ensuring that the board has the internal and external information it requires for effective IT governance decision-making

  10. CISA REVIEWChapter 2 – IT Steering Committee In addition to the IT strategy committee, an organization's senior management should appoint an IT planning or steering committee. The responsibilities and duties of this committee should be defined in a formal charter and include overseeing the IT function and its activities, and ensuring that the IT department is in agreement with the organization's mission and objectives.

  11. CISA REVIEWChapter 2 – IT Steering Committee The primary functions of the IT steering committee include the following: • Review the long- and short-range plans of the IT department to ensure that they are in accordance with the organization's objectives. • Review and approve major acquisitions of hardware and software within the limits approved by the board of directors. • Approve and monitor major projects and the status of IT plans and budgets; establish priorities; approve standards and procedures; and monitor overall IT performance. • Review and approve sourcing strategies for select, or all, IT activities, including insourcing or outsourcing, and the globalization or offshoring of functions. • Review adequacy of resources and allocation of resources in terms of time, personnel and equipment. • Make decisions regarding centralization vs. decentralization and assignment of responsibility. • Support development and implementation of an enterprisewide information security management program. • Report to the board of directors on IT activities.

  12. CISA REVIEWChapter 2 – IT Steering Committee In order to effectively coordinate and monitor an organization's IT resources and IT steering committee must: • Receive the appropriate management information from IT departments, user departments and audits • Monitor performance and institute appropriate action to achieve desired results • Meet regularly and report to senior management • Maintain formal minutes to document the committee's activities and decisions • Serve as a general review board for major IT projects and avoid becoming involved in routine operations

  13. CISA REVIEWChapter 2 – Strategic Planning An important element of strategic planning is to make sure that business and IT management work together toward a common goal. To do this: • IT management needs to have a better understanding of business issues and business unit management should also have a solid understanding of the reality of IT constraints. • All parties involved should have the ability to understand and relate strategic plans between business needs and IT. Strategic plans should address how IT resources will add-value to the business. IT resources add-value by mitigating risk and delivering and protecting information and allocating resources accordingly.

  14. CISA REVIEWChapter 2 – Strategic Planning Instructions: Match each IT governance outcome to its corresponding description. Outcomes Strategic alignmentRisk managementValue deliveryResource managementPerformance measurement Descriptions Measures, monitors and reports on information security processes to ensure objectives are achieved Aligns information security with business strategy to support organizational objectives Optimizes security investments in support of business objectives Utilizes information security knowledge and infrastructure efficiently and effectively Manages and executes appropriate measures to mitigate risks and reduce potential impacts on information resources to an acceptable level

  15. CISA REVIEWChapter 2 – Strategic Planning Answers: Each term is followed by the appropriate description. • Strategic alignmentAligns information security with business strategy to support organizational objectives • Risk managementManages and executes appropriate measures to mitigate risks and reduce potential impacts on information resources to an acceptable level • Value deliveryOptimizes security investments in support of business objectives • Resource managementUtilizes information security knowledge and infrastructure efficiently and effectively • Performance measurementMeasures, monitors and reports on information security processes to ensure objectives are achieved

  16. CISA REVIEWChapter 2 – Policies and Procedures IT governance also includes overseeing the policies and procedures developed to guide and control information systems and related resources.

  17. CISA REVIEWChapter 2 – Information Security Policy Information security policies should guide the organization by defining what needs to be protected, responsibilities for protection, and the strategy that will be followed for protection. Information security policies should be developed in accordance with business requirements, and relevant laws and regulations. An organization's management should demonstrate support for and commitment to information security by issuing and maintaining information security policies that contain a clear direction.

  18. CISA REVIEWChapter 2 – Information Security Policy An organization's information security policy should be approved by management and: • Define the overall objective and scope of the organization's information security • Align the goals and principles of information security with the business strategy and objectives • Set the framework for risk assessment and risk management

  19. CISA REVIEWChapter 2 – Information Security Policy After an information security policy is approved by management, it should be published and communicated. The communication of this policy must be: • Communicated to all users in the organization, including internal and external workers, third parties and outsourcers • Provided in a form that is accessible and understandable to the intended reader

  20. CISA REVIEWChapter 2 – Information Security Management Information security management involves leading and facilitating the implementation of an organization wide IT security program to assure that the organization's information and the information-processing resources under its control are properly protected. This includes but is not limited to: • Developing business continuity and disaster recovery plans (BCP and DRP) related to IT department functions in support of the organization's critical business processes • Applying risk management principles to assess the risks to IT assets • Mitigate risks to an appropriate level as determined by management • Monitor the remaining residual risks

  21. CISA REVIEWChapter 2 – Information Security Management Instructions: Here are three items and descriptions. Match each item to its corresponding description. Items Information access policySourcing practicesInformation security management practices Descriptions Leading and facilitating the implementation of an organizationwide IT security program Grants access to only those resources at or below a specific level of sensitivity Asks "can this function be performed by another party or in another location for the same or lower price, with the same or higher quality, and without increasing risk?"

  22. CISA REVIEWChapter 2 – Information Security Management Answers: Each term is followed by the appropriate description. Information access policyGrants access to only those resources at or below a specific level of sensitivity Sourcing practicesAsks "can this function be performed by another party or in another location for the same or lower price, with the same or higher quality, and without increasing risk?" Information security management practicesLeading and facilitating the implementation of an organization wide IT security program

  23. CISA REVIEWChapter 2 – Information Security Management Real-World Example An organization is using human resources (HR) management software that it had developed by a vendor several years ago. The software maintains confidential information typically kept in personnel files, such as salary levels and management reviews. On performing a review, the IS auditor found that there were no written policies or guidelines indicating the type of authentication necessary for accessing the information in the software and that the organization typically used a four-character password for all items requiring access controls. Think About It: What is the risk associated with this situation?

  24. CISA REVIEWChapter 2 – Information Security Management Answer: The lack of sufficient access controls poses a serious risk to an organization's information integrity. Think About It: What do you, as an IS audit expert, think could have been done proactively to prevent this organization from being in this situation?

  25. CISA REVIEWChapter 2 – Information Security Management Answer: To prevent a situation like this from occurring, an organization should have proper access control policies, process, and strategies in place. This would involve performing regularly scheduled reviews and/or audits on all information assets requiring security and updating the organization's information security directive as appropriate. Additional proactive controls could also include addenda and reviews to the vendor contract with specific security requirements and requiring complexity-enabled password requirements.

  26. CISA REVIEWChapter 2 – Information Access Typical information security policies addressing information access include the following: • Individuals are granted access to only those resources at or below a specific level of sensitivity. • Labels are used to indicate the sensitivity level of electronically stored documents. • Policy-based controls may be characterized as either mandatory or discretionary. • Controls should not disrupt the usual work flow more than necessary or place too much burden on administrators, auditors or authorized users. • Access controls must adequately protect all the organization's resources.

  27. CISA REVIEWChapter 2 – Segregation of Duties • The purpose of segregating duties is to aid an organization in reducing some of its business risks through the identification of compensating controls. • For example, when duties are segregated, access to the computer, the production data library, the production programs, the programming documentation, and the operating system and associated utilities can be limited, and potential damage from the actions of any one person is, therefore, reduced.

  28. CISA REVIEWChapter 2 – Segregation of Duties Several control mechanisms can be used to enforce segregation of duties. Examples of these controls are: • Transaction authorization • Assets/data ownership • Access to data Proper segregation prevents misappropriation of assets, misstated financial statements, inaccurate financial documentation (i.e., errors or irregularities), and improper use of funds or not detecting data modifications.

  29. CISA REVIEWChapter 2 – Segregation of Duties Transaction authorization is the responsibility of the data owner. Authorization is delegated to the degree that it relates to the particular level of responsibility of the authorized individual in the department. Periodic checks must be performed by management and audit to determine that adequate authorization policies and procedures exist and are implemented.

  30. CISA REVIEWChapter 2 – Segregation of Duties Ownership of assets/data must be determined and assigned appropriately. The data owner usually is assigned to a particular user department, and his/her duties should be specific and in writing. The owner of the data has responsibility for determining authorization levels required to limit the exposure of data being accessed by people without a justification to see, modify or use it.

  31. CISA REVIEWChapter 2 – Segregation of Duties Controls over access to data are provided by a combination of physical, system, and application security and personnel controls in the user area and the information process facility.

  32. CISA REVIEWChapter 2 – Segregation of Duties Information technology and end-user departments should be organized so any single individual does not have too much control or responsibility over critical functions. With segregation of duties, the misuse of data or fraud can be detected in a timely manner and in the normal course of business processes.

  33. Segregation of Duties Exercise

  34. Segregation of Duties Exercise - Answer

  35. CISA REVIEWChapter 2 – Compensating Controls Of course there will be situations were weaknesses exist with segregation of duties (e.g. smaller organizations with fewer staff). In these situations, compensating controls can be used. Compensating controls include: • Audit trails • Reconciliation • Exception reporting • Transaction logs • Supervisor reviews • Independent reviews

  36. CISA REVIEWChapter 2 – Compensating Controls Audit trails are an essential component of all well-designed systems. Audit trails enable the user departments and IS auditor to re-create the actual transaction flow from the point of origination to its existence on an updated file. In the absence of adequate segregation of duties, good audit trails may be an acceptable compensating control. The IS auditor should be able to determine who initiated the transaction, the time of day and date of entry, the type of entry, what fields of information it contained, and what files it updated.

  37. CISA REVIEWChapter 2 – Compensating Controls Audit trails are an essential component of all well-designed systems. Audit trails enable the user departments and IS auditor to re-create the actual transaction flow from the point of origination to its existence on an updated file. In the absence of adequate segregation of duties, good audit trails may be an acceptable compensating control. The IS auditor should be able to determine who initiated the transaction, the time of day and date of entry, the type of entry, what fields of information it contained, and what files it updated.

  38. CISA REVIEWChapter 2 – Compensating Controls Reconciliation is ultimately the responsibility of the user department. In some organizations, limited reconciliation of applications may be performed by the data control group with the use of control totals and balancing sheets. This type of independent verification increases the level of confidence that the application processed successfully and the data are in proper balance.

  39. CISA REVIEWChapter 2 – Compensating Controls Exception reporting should be handled at the supervisory level and should require evidence, such as initials on a report, noting that the exception has been handled properly. Management should also ensure that exceptions are resolved in a timely manner.

  40. CISA REVIEWChapter 2 – Compensating Controls A transaction log may be manual or automated. An example of a manual log is a record of transactions (grouped or batched) before they are submitted for processing. An automated transaction log or journal provides a record of all transactions processed, and it is maintained by the computer system.

  41. CISA REVIEWChapter 2 – Compensating Controls Supervisory reviews may be performed through observation and inquiry or remotely.

  42. CISA REVIEWChapter 2 – Compensating Controls Independent reviews are carried out to compensate for mistakes or intentional failures in following prescribed procedures. These are particularly important when duties in a small organization cannot be appropriately segregated. Such reviews will help detect errors or irregularities.

  43. CISA REVIEWChapter 2 – Compensating Controls Instructions: Here are two categories and nine descriptions. Determine the appropriate category for each item. Categories Compensating controlsSegregated Duties Items Audit trails Authorization Custody of the assets Exception reporting Independent reviews Reconciliation Recording transactions Supervisor reviews Transaction logs

  44. CISA REVIEWChapter 2 – Compensating Controls Answers Each category is followed by the appropriate items. Compensating Controls:Audit trails Reconciliation Exception reporting Transaction logs Supervisor reviews Independent reviews Segregated Duties:Custody of the assets Authorization Recording transactions

  45. CISA REVIEWChapter 2 – Risk Management • Effective IT governance will enable an organization to manage and execute appropriate measures to mitigate risks and reduce potential impacts on information resources to an acceptable level. • To achieve this level of risk management, an organization must maintain: • A collective understanding of the organizations threat, vulnerability and risk profile consistent with the management's risk philosophy and position • An understanding of risk exposure and potential consequences of compromise including the regulatory, legal, operational and brand impacts • An awareness of risk management priorities based on potential consequences • Risk mitigation sufficient to achieve acceptable consequences from residual risk • Risk acceptance/deference based on an understanding of the potential consequences of residual risk

  46. CISA REVIEWChapter 2 – Risk Management • Risk management is the process an organization must go through to: • Identify any vulnerabilities and threats to its information resources • Decide on the countermeasures to take which may reduce any risk to an acceptable level • An organization must define its risk appetite and its identified risk exposure before it can develop effective risk management strategies or determine what roles and responsibilities are necessary.

  47. CISA REVIEWChapter 2 – Risk Management • When an organization finds risk, depending on the type of risk and its significance to the business, management and the board have five options: • Avoid the risk • Mitigate the risk • Transfer the risk • Accept the risk • Eliminate the risk

  48. CISA REVIEWChapter 2 – Risk Management • Once risks have been identified, an organization must evaluate existing controls or develop new controls to reduce the vulnerabilities to an acceptable level of risk. • The strength of a control can be measured in terms of its inherent or design strength and the likelihood of its effectiveness. Elements of controls that should be considered when evaluating control strength include whether the controls are: • Preventive or detective • Manual or programmed • Formal or ad hoc

  49. CISA REVIEWChapter 2 – Risk Management Once controls have been applied, any remaining risk is called residual risk. Residual risks can be used by management to identify those areas where they can reduce risk even further or where more control is required.

  50. CISA REVIEWChapter 2 – Risk Management Real World Example A small, growing bank was cited for noncompliance by a regulatory agency because its information security program did not have an independent review. It seems that although a review was performed, it was conducted by an operations officer because he had network administrative access and was the only individual with the expertise to complete the review. Think About It: Where is the lapse in effective IT governance in this situation?

More Related