CISA Exam Prep Domain 2-2019

Domain 2

• Governance and management of IT is an integral part of enterprise governance. Effective governance and management of IT consists of the leadership and organizational structures and processes that ensure that the enterprise’s IT sustains and extends the enterprise’s strategy and objectives.

• Knowledge of IT governance is fundamental to the work of the IS auditor, and it forms the foundation for the development of sound control practices and mechanisms for management oversight and review.
On the CISA Exam

• Domain 1: Auditing Information Systems Process, 21%
• Domain 2: Governance and Management of IT, 17%
• Domain 3: Information Systems Acquisition, Development and Implementation, 12%
• Domain 4: Information Systems Operations and Business Resilience, 23%
• Domain 5: Protection of Information Assets, 27%
Learning Objectives

By the end of this lesson, you will be able to:

• Evaluate the IT strategy for alignment with the organization’s strategies and objectives
• Evaluate the effectiveness of IT governance structure and IT organizational structure
• Evaluate the organization’s management of IT policies and practices
• Evaluate the organization’s IT policies and practices for compliance with regulatory and legal requirements
• Evaluate IT resource and portfolio management for alignment with the organization’s strategies and objectives
• Evaluate the organization’s risk management policies and practices
• Evaluate IT management and monitoring of controls
Learning Objectives

By the end of this lesson, you will be able to:

• Evaluate the monitoring and reporting of IT key performance indicators (KPIs)
• Evaluate whether IT supplier selection and contract management processes align with business requirements
• Evaluate whether IT service management practices align with business requirements
• Conduct periodic review of information systems and enterprise architecture
• Evaluate data governance policies and practices
• Evaluate the information security program to determine its effectiveness and alignment with the organization’s strategies and objectives
• Evaluate potential opportunities and threats associated with emerging technologies, regulations, and industry practices
Domain 2 Topics

• IT Governance
• IT Governance and IT Strategy
• IT-Related Frameworks
• IT Standards, Policies, and Procedures
• Organizational Structure
• Enterprise Architecture
• Enterprise Risk Management
• Maturity Models
• Laws, Regulations, and Industry Standards Affecting the Organization

• IT Management
• IT Resource Management
• IT Service Provider Acquisition and Management
• IT Performance Monitoring and Reporting
• Quality Assurance and Quality Management of IT
IT Governance and IT Strategy

Enterprise Governance

• Corporate Governance (i.e., conformance): Accountability, Assurance
• Business Governance (i.e., performance): Value Creation, Resource Utilization
Enterprise Governance of Information and Technology (EGIT)

• The purpose of EGIT is to direct IT endeavors to ensure that IT aligns with and supports the
enterprise’s objectives and its realization of promised benefits.

• Additionally, IT should enable the enterprise by exploiting opportunities and maximizing benefits. IT
resources should be used responsibly, and IT-related risk should be managed appropriately.
Outcomes of Effective Information Security Governance

IT resource management

• Focuses on maintaining an updated inventory of all IT resources and addresses the risk management process

Performance measurement

• Focuses on ensuring that all IT resources perform as expected to deliver value to the business and identify risk early on. This process is based on performance indicators that are optimized for value delivery and from which any deviation might lead to risk.

Compliance management

• Focuses on implementing processes that address legal and regulatory policy and contractual compliance requirements
EGIT Good Practices

1. Business managers and boards demanding a better return from IT investments.

2. Concern over the generally increasing level of IT expenditure

3. The need to meet regulatory requirements for IT controls in areas such as privacy and financial
reporting and in specific sectors such as finance, pharmaceuticals and health care

4. The selection of service providers and the management of service outsourcing and acquisition

5. IT governance initiatives that include adoption of control frameworks and good practices to help
monitor and improve critical IT activities to increase business value and reduce business risk

6. The need to optimize costs by following, where possible, standardized rather than specially
developed approaches

7. The growing maturity and consequent acceptance of well-regarded frameworks

8. The need for enterprises to assess how they are performing against generally accepted standards
and their peers
The Role of Audit in EGIT

• Audit plays a significant role in the implementation of EGIT.

• It offers these benefits:

• Provides leading practice recommendations to senior management
• Helps ensure compliance with EGIT initiatives
• Provides independent and balanced view to facilitate quantitative improvement of IT processes
Areas of EGIT Audit

• In accordance with the defined role of the IS auditor, the following aspects of EGIT must be assessed:

• Alignment of enterprise governance and EGIT
• Alignment of the IT function with the organizational mission, vision, values, objectives and strategies
• Achievement of performance objectives
• Compliance with legal, environmental, fiduciary, security and privacy requirements
• The control environment of the organization, the inherent risk present, and IT investment and expenditure
Information Security Governance

• An information security governance framework generally consists of:

• A comprehensive security strategy intrinsically linked with business objectives
• Governing security policies that address each aspect of strategy, controls and regulation
• A complete set of standards for each policy to ensure that procedures and guidelines comply with policy
• An effective security organizational structure void of conflicts of interest
• Institutionalized monitoring processes to ensure compliance and provide feedback on effectiveness
Effective Information Security Governance

• Maintain high quality information to support business decisions
• Generate business value from IT-enabled investments
• Achieve operational excellence through the reliable and efficient application of technology
• Maintain IT-related risk at an acceptable level
• Optimize the cost of IT services and technology
• Comply with ever-increasing relevant laws, regulations, contractual agreements and policies
Outcomes of Effective Information Security Governance

• Performance Measurement
• Resource Management
• Process Integration
Strategic Planning

• Identify cost-effective IT solutions
• Determine requirements for information systems
• Assess IT capabilities
• Synchronize strategic plans with business plans
Business Intelligence

• Business intelligence (BI) is a broad field of IT that encompasses the collection and analysis of information to assist decision making and assess organizational performance.

• Typical areas of measurement include:

• Process cost, efficiency and quality
• Customer satisfaction with product and service offerings
• Customer profitability, including determination of which attributes are useful predictors of customer profitability
• Staff and business unit achievement of key performance indicators
• Risk management

BI Data Flow Architecture
Activity

• In order to maximize the corporate focus on core operations, the CIO is looking to move several
key enterprise application suites to the cloud. These application suites support operations that
cross international boundaries and contain personally identifiable information and intellectual
property.

• When looking at how the corporation addresses confidentiality of data being stored by the cloud
services provider, what are some important governance areas to be considered?
Knowledge Check 1

An IS auditor is evaluating the IT governance framework of an organization. Which of the following would be the GREATEST concern?

A. Senior management has limited involvement

B. Return on investment (ROI) is not measured

C. Chargeback of IT cost is not consistent

D. Risk appetite is not quantified

The correct answer is A

To ensure that the IT governance framework is effectively in place, senior management must be involved and aware of roles and responsibilities. Therefore, it is most essential to ensure the involvement of senior management when evaluating the soundness of IT governance.
Knowledge Check 2

Which of the following IT governance good practices improves strategic alignment?

A. Supplier and partner risk is managed

B. A knowledge base on customers, products, markets and processes is in place

C. A structure is provided that facilitates the creation and sharing of business information

D. Top management mediates between the imperatives of business and technology

The correct answer is D

Top management mediating between the imperatives of business and technology is an IT strategic alignment good practice.
IT-related Frameworks
EGIT Frameworks

• Several frameworks provide standards for EGIT, including:

• COBIT
• International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27000
• Information Technology Infrastructure Library (ITIL®)
• Open Information Security Management Maturity Model (O-ISM3)
• ISO/IEC 38500:2015: Information technology—Governance of IT for the organization
• ISO/IEC 20000
• ISO 31000:2018: Risk management—Guidelines

• The key to maximizing value is to consider EGIT synergistically in the overall enterprise governance hierarchy.
IT Standards, Policies and Procedures
Standards

• A standard is a mandatory requirement, code of practice or specification approved by a recognized external standards organization.

• Professional standards refer to standards issued by professional organizations, such as ISACA, and related guidelines and techniques that assist the professional in implementing and complying with other standards.
Policies

• Policies are the high-level statements of management intent, expectations and direction.

• Well-developed high-level policies in a mature organization can remain static for extended periods.

• Management should review all policies periodically.

• IS auditors should understand that policies are a part of the audit scope and test the policies for compliance.

• IS controls should flow from the enterprise’s policies and IS auditors should use policies as a benchmark for evaluating compliance.
Information Security Policy

• A security policy for information and related technology is a first step toward building the security
infrastructure for technology-driven organizations.

• It communicates a coherent security standard to users, management and technical staff.

• This policy should be used by IS auditors as a reference framework for performing audit
assignments.

• The adequacy and appropriateness of the policy is also an area of review during an IS audit.
Policy Components

• The information security policy may comprise a set of policies, generally addressing the following concerns:

• High-level information security policy — Includes statements on confidentiality, integrity and availability
• Data classification policy — Provides classifications and levels of control at each classification
• End-user computing policy — Identifies the parameters and usage of desktop, mobile and other tools
• Access control policy — Describes methods for defining and granting access to users of various IT resources
• Acceptable use policy (AUP) — Controls the use of information system resources through defining how IT resources may be used by employees
Procedures

• The documented, defined steps in procedures aid in achieving policy objectives.

• Procedures documenting business and aligned IT processes and their embedded controls are formulated by process owners.

• To be effective, procedures must:

• Be frequently reviewed and updated
• Be communicated to those affected by them

• An IS auditor examines procedures to identify and evaluate controls to ensure that control objectives are met.
Guidelines

• Guidelines for executing procedures are also the responsibility of operations.

• Guidelines should contain information that will be helpful in executing the procedures, including clarification of:

• Policies and standards
• Dependencies
• Suggestions and examples
• Narrative clarifying the procedures
• Background information that may be useful
• Tools that can be used
Activity

• In evaluating IT strategy, would policies or procedures be more helpful in ensuring ongoing alignment of IT strategy with the organization's specific objectives and business initiatives?
Knowledge Check 1

When auditing the IT governance framework and IT risk management practices that exist within an organization, the IS auditor identified some undefined responsibilities regarding IT management and governance roles. Which of the following recommendations is the MOST appropriate?

A. Review the strategic alignment of IT with the business

B. Recommend accountability rules within the organization

C. Ensure that independent IS audits are conducted periodically

D. Create a chief risk officer (CRO) role in the organization

The correct answer is B

IT risk is managed by embedding accountability into the enterprise. The IS auditor should recommend the implementation of accountability rules to ensure that all responsibilities are defined within the organization. Note that this question asks for the best recommendation—not about the finding itself.
Knowledge Check 2

When auditing the onsite archiving process of emails, the IS auditor should pay the MOST attention to:

A. The existence of a data retention policy

B. The storage capacity of the archiving solution

C. The level of user awareness concerning email use

D. The support and stability of the archiving solution manufacturer

The correct answer is A

Without a data retention policy that is aligned to the company’s business and compliance requirements, the email archive may not preserve and reproduce the correct information when required.
Organizational Structure

Organizational Structure

• Organizational structure is a key component of governance. It provides the key decision-making entities in an enterprise. The following section provides guidance for organizational structures and roles and responsibilities within EGIT.

• Keep in mind that the actual structure may differ depending on the size, industry and location of an enterprise.
IT Governing Committees

• Organizations often have executive-level strategy and steering committees to handle organization-wide IT issues.

• The IS auditor should know the responsibilities of, authority possessed by and membership of such committees.
IT Committee Analysis

IT Strategy Committee

• Responsibility: Provides insight and advice to the board across a range of IT topics
• Authority: Advises the board and management on IT strategy, focusing on current and future strategic IT issues
• Membership: Includes board members and specialist non-board members

IT Steering Committee

• Responsibility: Decides the level and allocation of IT spending, aligns and approves the enterprise’s IT architecture, and other oversight functions
• Authority: Assists the executive in the delivery of IT strategy, overseeing management of IT service delivery, projects and implementation
• Membership: Includes sponsoring executive, business executive (key users), chief information officer (CIO) and key advisors, as required
Matrix of Outcomes and Responsibilities

• Board of directors
• Executive management
• Steering committee
• CISO/information security management
• Audit executives

IT Organizational Structure and Responsibilities
IT Organizational Structure

• Within an organization, the IT department can be structured in a variety of ways.

• An organizational chart provides a clear definition of a department’s hierarchy and lines of authority.

• The IS auditor should compare observed roles and responsibilities with formal organizational structures and job descriptions.
IT Functions

• Generally, the following IT functions should be reviewed by the IS auditor:

• Systems development management
• Project management
• Help or service desk administration
• End-user activities and their management
• Data management
• Quality assurance management
• Information security management

IT Functions

• Additionally, these functions should be reviewed by the IS auditor:

• Vendor and outsourcer management
• Infrastructure operations and maintenance
• Removable media management
• Data entry
• Supervisory control and data acquisition
• Systems and security administration
• Database administration
• Applications and infrastructure development and maintenance
• Network management
Segregation of IT Duties

• While actual job titles and organizational structures vary across enterprises, an IS auditor must obtain enough information to understand and document the relationships among various job functions, responsibilities and authorities.

• The IS auditor must also assess the adequacy of SoD.

• SoD limits the possibility that a single person will be responsible for functions in such a way that errors or misappropriations could occur undetected.

• SoD is an important method to discourage and prevent fraudulent or malicious acts.
SoD Guidelines

• Duties that should be segregated include:

• Asset custody
• Authorization capability
• Transaction recording

• Both IS and end-user departments should be organized to meet SoD policies.
SoD Guidelines

• If adequate SoD does not exist, the following may occur with a lower likelihood of detection:

• Misappropriation of assets
• Misstated financial statements
• Inaccurate financial documentation (due to errors or irregularities)
• Improper use of funds or modification of data
• Unauthorized or erroneous modification of programs
Compensating Controls for Lack of SoD

• Audit trails
• Independent reviews
• Reconciliation
• Supervisory reviews
• Exception reporting
• Transaction logs
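One way to assess the adequacy of SoD from access data rather than from interviews alone, as an added example that is not part of the course material: a Python check that merges each person's roles into the three duty categories named above (asset custody, authorization capability, transaction recording) and flags anyone holding two or more of them on the same asset. The role catalogue, user assignments and the per-asset conflict rule are constructed assumptions; the "carol" entry mirrors the domain-administrator scenario in the activity that follows.

```python
"""SoD conflict check over a role-to-duty mapping (added example, not course material)."""
from itertools import combinations

# Duty categories that the SoD guidelines say should be segregated.
DUTIES = {"custody", "authorization", "recording"}

# Constructed role catalogue (assumption): role -> {asset: duty categories}.
ROLES = {
    "ap_clerk": {"payments": {"recording"}},
    "ap_approver": {"payments": {"authorization"}},
    "treasury_ops": {"payments": {"custody"}},
    "domain_admin": {"ad_accounts": {"custody"}},
    "access_reviewer": {"ad_accounts": {"recording"}},
    "access_approver": {"ad_accounts": {"authorization"}},
}

# Constructed user assignments (assumption). "carol" is a domain administrator
# who also audits account activity and approves access changes on the same assets.
ASSIGNMENTS = {
    "alice": ["ap_clerk"],
    "bob": ["ap_approver", "treasury_ops"],
    "carol": ["domain_admin", "access_reviewer", "access_approver"],
    "dave": ["ap_clerk", "access_reviewer"],  # duties on different assets: no conflict
}


def effective_duties(roles, assignments):
    """Merge every role a user holds into {user: {asset: set(duties)}}."""
    result = {}
    for user, role_list in assignments.items():
        per_asset = {}
        for role in role_list:
            for asset, duties in roles.get(role, {}).items():
                per_asset.setdefault(asset, set()).update(duties)
        result[user] = per_asset
    return result


def find_conflicts(roles, assignments):
    """Return sorted (user, asset, duty_a, duty_b) tuples.

    A conflict is any pair of segregated duty categories held by one person
    on the same asset; duties spread across different assets are not flagged.
    """
    conflicts = []
    for user, per_asset in effective_duties(roles, assignments).items():
        for asset, duties in per_asset.items():
            for a, b in combinations(sorted(duties & DUTIES), 2):
                conflicts.append((user, asset, a, b))
    return sorted(conflicts)


def full_control(roles, assignments):
    """Users holding all three duty categories on one asset: the case where
    errors or misappropriation could occur with no independent check at all."""
    return sorted(
        (user, asset)
        for user, per_asset in effective_duties(roles, assignments).items()
        for asset, duties in per_asset.items()
        if DUTIES <= duties
    )


if __name__ == "__main__":
    for user, asset, a, b in find_conflicts(ROLES, ASSIGNMENTS):
        print(f"SoD conflict: {user} holds {a} and {b} on {asset}")
    for user, asset in full_control(ROLES, ASSIGNMENTS):
        print(f"HIGH: {user} has custody, authorization and recording on {asset}")
```

Each flagged pair is a candidate finding; where the organization cannot split the roles, the auditor looks for the compensating controls listed above (audit trails, independent reviews, exception reporting) over that asset.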
Auditing IT Governance Structure and Implementation

• Some of the more significant indicators of potential problems include:

• Excessive costs
• Budget overruns
• Late projects
• High staff turnover
• Inexperienced staff
• Frequent HW/SW errors
• An excessive backlog of user requests
• Slow computer response time
• Numerous aborted or suspended development projects
• Unsupported or unauthorized HW/SW purchases
• Frequent HW/SW upgrades
• Extensive exception reports
• Exception reports that were not followed up
• Lack of succession plans
• A reliance on one or two key personnel
• Lack of adequate training
Reviewing Documentation

• The following governance documents should be reviewed:

• IT strategies, plans and budgets
• Security policy documentation
• Organization/functional charts
• Job descriptions
• IT steering committee reports
• System development and program change procedures
• Operations procedures
• HR manuals
• QA procedures
Activity

• The CFO and CIO have agreed to maximize the return on investment and lower the total cost of operations within the organization’s IT operations to meet revenue goals and objectives. To implement this strategy, the IT department froze all hiring and procurement of equipment.

• As the IS auditor, you notice that the domain administrators are also now the auditors of user account activities and authorizing changes to access file servers within the domain. What should you do?
Knowledge Check 1

An IS auditor reviewing an organization that uses cross-training practices should assess the risk of:

A. Dependency on a single person

B. Inadequate succession planning

C. One person knowing all parts of a system

D. A disruption of operations

The correct answer is C

Cross-training is a process of training more than one individual to perform a specific job or procedure. However, in using this approach, it is prudent to have first assessed the risk of any person knowing all parts of a system and the related potential exposures related to abuse of privilege.
Enterprise Architecture
Enterprise Architecture

• Enterprise architecture (EA) is a practice focused on documenting an organization’s IT assets in a structured manner.

• EA facilitates the understanding of, management of, and planning for IT investments through comparison of the current state and an optimized future state.
Enterprise Architecture

• EA can be approached from one of two differing perspectives, as follows:

• Technology-driven EA — Seeks to clarify the complex technology choices faced by an organization in order
to provide guidance on the implementation of various solutions.

• Business-driven EA — Attempts to understand the organization in terms of its core processes, and derive
the optimum mix of technologies needed to support these processes.
Activity

• ABC Corporation has been missing critical infrastructure capabilities to meet new business agreements. The audit committee and CEO have requested Internal Audit to determine the causes of these failures.

• As an IS auditor, what areas would you consider when scoping this audit?

• What key governance element would best address the key risk realized during this project?
Knowledge Check 1

Which of the following choices is the PRIMARY benefit of requiring a steering committee to oversee IT investment?

A. To conduct a feasibility study to demonstrate IT value

B. To ensure that investments are made according to business requirements

C. To ensure that proper security controls are enforced

D. To ensure that a standard development methodology is implemented

The correct answer is B

A steering committee consists of representatives from the business and IT and ensures that IT investment is based on business objectives rather than on IT priorities.
Knowledge Check 2

As an outcome of information security governance, strategic alignment provides:

A. Security requirements driven by enterprise requirements

B. Baseline security following good practices

C. Institutionalized and commoditized solutions

D. An understanding of risk exposure

The correct answer is A

Information security governance, when properly implemented, should provide four basic outcomes: strategic alignment, value delivery, risk management and performance measurement. Strategic alignment provides input for security requirements driven by enterprise requirements.
Enterprise Risk Management
Risk Management

• The process of risk management focuses on an enterprise’s information resources.

• To be effective, the process must begin with an understanding of senior management’s appetite for risk.
Risk Response

• Four possible responses to risk are:

• Avoidance — elimination of the cause of the risk
• Mitigation — reduction of the probability of a risk’s occurrence or of its impact
• Transfer — sharing of risk with partners, such as through insurance or joint ventures
• Acceptance — formal acknowledgment of the presence of risk with a commitment to monitor it

• A fifth response, rejection of risk through choosing to ignore it, is not considered effective risk management. The presence of this risk response should be a red flag for the IS auditor.
Developing a Risk Management Plan

• Establish the purpose of the risk management program

• Assign responsibility for the risk management plan
Risk Management Program

Objective: A cost-effective balance between significant threats and the application of controls to those threats.

• Asset Identification: Identify resources or assets that are vulnerable to threats.
• Threat Assessment: Determine threats and vulnerabilities associated with the asset.
• Impact Evaluation: Describe what will happen should a vulnerability be exploited.
• Risk Calculation: Form an overall view of risk, based on the probability of occurrence and the magnitude of impact.
• Risk Response: Evaluate existing controls and implement new controls designed to bring residual risk into alignment with enterprise risk appetite.
Risk Analysis Methods

• Risk analysis is defined as a process by which frequency and magnitude of IT risk scenarios are estimated.

• Three methods may be employed during risk analysis:

• Qualitative analysis methods — Descriptive rankings are used to describe risk likelihood and impact.
• Semi-quantitative analysis methods — Descriptive rankings are associated with numeric values.
• Quantitative analysis methods — Numeric values, for example, in the form of financial costs, are used to
describe risk likelihood and impact.

• Each of the three methods offers a perspective on risk, but it is important to acknowledge the assumptions
incorporated into each risk analysis.
Knowledge Check 1

Which of the following factors should an IS auditor PRIMARILY focus on when determining the appropriate level of protection for an information asset?

A. Results of a risk assessment

B. Relative value to the business

C. Results of a vulnerability assessment

D. Cost of security controls

The correct answer is A

The appropriate level of protection for an asset is determined based on the risk associated with the asset. The results of the risk assessment are, therefore, the primary information that the IS auditor should review.
Knowledge Check 2

When an organization’s disaster recovery plan (DRP) has a reciprocal agreement, which of the following risk treatment approaches is being applied?

A. Transfer

B. Mitigation

C. Avoidance

D. Acceptance

The correct answer is B

A reciprocal agreement in which two organizations agree to provide computing resources to each other in the event of a disaster is a form of risk mitigation. This usually works well if both organizations have similar information processing facilities. Because the intended effect of reciprocal agreements is to have a functional disaster recovery plan (DRP), it is a risk mitigation strategy.
Maturity Model
Maturity Models

• The IS auditor needs to understand how the development, implementation and integration of capability and maturity modeling quality tools, techniques and processes (TTPs) will facilitate and foster the quality of enterprise IT policies and procedures.
Capability Maturity Model Integration

Laws, Regulations and Industry Standards Affecting the Organization
Governance, Risk and Compliance

• GRC typically focuses on:

• Financial
• Legal
Impact of Laws, Regulations and Industry Standards on IS Audit

• Standards and procedures
• Assignment of responsibility to senior personnel
• Reliable background of staff
• Communication of procedures
• Compliance monitoring and auditing
• Consistent enforcement
• Appropriate response to an offense and prevention of similar offenses

IT Resource Management
IT Resource Management

• An IS auditor should understand an organization’s investment and allocation practices to determine whether the enterprise is positioned to achieve the greatest value from the investment of its resources.

• Where feasible, nonfinancial benefits should be made visible and tangible by using algorithms that transform them into monetary units to understand their impact and improve their analysis.
HR Management

• Hiring
• Employee Handbook
• Promotional Policies
• Training
• Scheduling and Time Reporting
• Terms and Conditions of Employment
• Performance
• Termination
Change Management

• Organizational change management uses a defined and documented process to identify and apply technology improvements at both the infrastructure and application levels.

• The IT department is the focal point for such changes and leads or facilitates the changes with senior management support.

• Communication is an important component of change management, and end-users must be informed of the impact and benefits of changes.
Financial Management

• The IS budget allows for an adequate allocation of funds and for forecasting, monitoring and
analyzing financial information.

• The budget should be linked to short- and long-range IT plans.

• A “user-pays” scheme can improve application and monitoring of IS expenses and resources.

• In this arrangement, end users are charged for costs of IS services they receive.
• These charges are based on a standard formula and include such IS services as staff time,
computer time and other relevant costs.
Information Security

• Information security governance is the responsibility of the board of directors and executive management.

• Information security governance is a subset of corporate governance, providing strategic direction for security activities and ensuring that objectives are achieved.

• An information security program comprises the leadership, organizational structures and the processes that safeguard information.
Information Security

• The information security governance framework will generally consist of:

• A security strategy linked with business objectives

• Security policies that address strategy, controls and regulation

• Standards to ensure that procedures and guidelines comply with policies

• An effective security organizational structure without conflicts of interest

• Monitoring procedures to ensure compliance and provide feedback on effectiveness
Information Security Management

• Information security management provides the lead role to ensure that the organization’s information and the information processing resources under its control are properly protected.

IT Service Provider Acquisition and Management
IT Service Function Strategies

• Sourcing options:

• Insourced
• Outsourced
• Hybrid
• Onsite
• Offsite
• Offshore

• Define the IT function to be outsourced.

• Describe the service levels required and minimum metrics to be met.

• Know the desired level of knowledge, skills and quality of the expected service provider.

• Know the current in-house cost information to compare with third-party bids.

• Conduct due diligence reviews of potential service providers.

• Confirm any architectural considerations to meet contractual or regulatory requirements.
Outsourcing Practices and Strategies

• IS auditors should review:

• Quality programs (ISO/IEC 15504 (SPICE), CMMI, ITIL and ISO methodologies)
• SLAs
Outsourcing Practices and Strategies

• Incorporate service quality expectations, including usage of ISO/IEC 15504 (Software Process
Improvement and Capability Determination [SPICE]), CMMI, ITIL or ISO methodologies.

• Ensure adequate contractual consideration of access control/security administration, whether vendor- or owner-controlled.

• Ensure that violation reporting and follow-up are required by the contract.

• Ensure any requirements for owner notification and cooperation with any investigations.

• Ensure that change/version control and testing requirements are contractually required for the implementation and production phases.

• Ensure that the parties responsible and the requirements for network controls are adequately defined and any necessary delineation of these responsibilities established.

• State specific, defined performance parameters that must be met; for example, minimum processing times for transactions or minimum hold times for contractors.
Outsourcing Practices and Strategies

• Incorporate capacity management criteria.

• Provide contractual provisions for making changes to the contract.

• Provide a clearly defined dispute escalation and resolution process.

• Ensure that the contract indemnifies the company from damages caused by the organization
responsible for the outsourced services.

• Require confidentiality agreements protecting both parties.

• Incorporate clear, unambiguous “right to audit” provisions, providing the right to audit vendor
operations (e.g., access to facilities, access to records, right to make copies, access to personnel,
provision of computerized files) as they relate to the contracted services.

• Ensure that the contract adequately addresses business continuity and disaster recovery provisions,
and appropriate testing.

• Establish that the confidentiality, integrity and availability (sometimes referred to as the CIA triad) of organization-owned data must be maintained, and clearly establish the ownership of the data.
Outsourcing Practices and Strategies

• Require that the vendor comply with all relevant legal and regulatory requirements, including those enacted after contract initiation.

• Establish ownership of intellectual property developed by the vendor on behalf of the customer.

• Establish clear warranty and maintenance periods.

• Provide software escrow provisions.

• Protect intellectual property rights.

• Comply with legislation.

• Establish clear roles and responsibilities between the parties.

• Require that the vendor follow the organization’s policies, including its information security policy (unless the vendor’s policies have been agreed to in advance by the organization).

• Require the vendor to identify all subcontract relationships and require the organization’s approval to change subcontractors.
Globalization Practices and Strategies

• The IS auditor can assist in this process by ensuring that IT management considers the following
risk and audit concerns when defining the globalization strategy and completing the subsequent
transition to remote offshore locations:

• Legal, regulatory and tax issues

• Continuity of operations

• Personnel

• Telecommunication issues

• Cross-border and cross-cultural issues

• Planned globalization and/or important expansion

Outsourcing and Third-party Audit Reports

• An IS auditor should be familiar with the following:

• Management assertions and how well these address the services being provided by the service provider

• SSAE 18 reports (SOC 1, SOC 2 and SOC 3 reports)

• Additional third-party audit reports such as penetration tests and security assessments. Note: Third-party assessments should be performed by independent, objective and competent third parties.

• How to obtain the report, review it and present results to management for further action
Cloud Governance

• Ensuring that IT is aligned with the business, that systems are secure and that risk is managed is challenging in any environment and even more complex in a third-party relationship.

• Governance activities such as goal setting, policy and standard development, defining roles and responsibilities, and managing risk must include special considerations when dealing with cloud technology and its providers.

• Policies must be modified or developed to address the process of sourcing, managing and discontinuing the use of cloud services.
Governance in Outsourcing

• Ensure contractual viability through continuous review, improvement and benefit gain to both parties.

• Include an explicit governance schedule in the contract.

• Manage the relationship to ensure that contractual obligations are met through SLAs and operating level agreements (OLAs).

• Identify and manage all stakeholders, their relationships and expectations.

• Establish clear roles and responsibilities for decision making, issue escalation, dispute management, demand management and service delivery.

• Allocate resources, expenditures and service consumption in response to prioritized needs.

• Continuously evaluate performance, cost, user satisfaction and effectiveness.

• Communicate across all stakeholders on an ongoing basis.
Monitoring and Managing Third-Party Services

• Monitor:

• Performance levels
• Service reports
• Security incidents
• Audit trails and records of security events, operational problems, failures, tracing of faults and disruptions related to the service delivered
• Resolve and manage any identified problems

• Manage:

• Changes to the organization
• Changes in the third-party services
• Changes to physical location of service facilities
• Change of vendors or subcontractors
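The monitoring items above are usually checked by hand against the provider's monthly service report. As an added illustration (this is not code from the CISA deck or from ISACA), the following Python script evaluates a constructed monthly service report from an outsourced provider against hypothetical SLA targets: an availability floor, a P1 incident response limit, a deadline for notifying the owner of security events, and owner approval of subcontractor changes. Every threshold, field name and sample record is an assumption made for the example; a real contract defines its own metrics and wording.

```python
"""Added example (not from the CISA deck): evaluating an outsourced
provider's monthly service report against SLA targets.

All thresholds, field names and sample data below are constructed for
illustration; real contracts define their own metrics and wording.
"""
from dataclasses import dataclass, field
from datetime import datetime


@dataclass(frozen=True)
class SLA:
    # Hypothetical contractual targets (constructed values)
    min_availability_pct: float = 99.5
    max_p1_response_minutes: int = 30
    max_security_notify_hours: int = 24


@dataclass
class ServiceReport:
    period: str
    availability_pct: float
    # (incident_id, priority, response_minutes)
    incidents: list = field(default_factory=list)
    # (event_id, occurred_at, owner_notified_at) as ISO-8601 strings
    security_events: list = field(default_factory=list)
    # (change_id, description, approved_by_owner)
    changes: list = field(default_factory=list)


def _hours_between(start: str, end: str) -> float:
    """Elapsed hours between two 'YYYY-MM-DDTHH:MM' timestamps."""
    fmt = "%Y-%m-%dT%H:%M"
    delta = datetime.strptime(end, fmt) - datetime.strptime(start, fmt)
    return delta.total_seconds() / 3600


def evaluate_report(report: ServiceReport, sla: SLA) -> list:
    """Return (category, detail) findings; an empty list means the period is compliant."""
    findings = []
    # Performance levels: availability and P1 response time
    if report.availability_pct < sla.min_availability_pct:
        findings.append(("performance", f"availability {report.availability_pct}% "
                                        f"below target {sla.min_availability_pct}%"))
    for inc_id, priority, response in report.incidents:
        if priority == "P1" and response > sla.max_p1_response_minutes:
            findings.append(("performance", f"{inc_id}: P1 response {response} min "
                                            f"exceeds {sla.max_p1_response_minutes} min"))
    # Security incidents: was the owner notified within the contractual window?
    for ev_id, occurred, notified in report.security_events:
        delay = _hours_between(occurred, notified)
        if delay > sla.max_security_notify_hours:
            findings.append(("security", f"{ev_id}: owner notified after {delay:.1f} h "
                                         f"(limit {sla.max_security_notify_hours} h)"))
    # Changes of vendors or subcontractors require the organization's approval
    for chg_id, desc, approved in report.changes:
        if not approved:
            findings.append(("change", f"{chg_id}: {desc} not approved by the organization"))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per category for management reporting."""
    counts = {}
    for category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


# Constructed sample report for one month (not real provider data)
SAMPLE_REPORT = ServiceReport(
    period="2019-03",
    availability_pct=99.2,
    incidents=[("INC-1001", "P1", 45), ("INC-1002", "P2", 240), ("INC-1003", "P1", 20)],
    security_events=[
        ("SEC-17", "2019-03-04T02:15", "2019-03-04T09:00"),
        ("SEC-18", "2019-03-19T23:30", "2019-03-21T08:00"),
    ],
    changes=[
        ("CHG-88", "Subcontractor replaced for backup operations", False),
        ("CHG-89", "Patch window moved to Sunday", True),
    ],
)


if __name__ == "__main__":
    results = evaluate_report(SAMPLE_REPORT, SLA())
    for category, detail in results:
        print(f"[{category}] {detail}")
    print(summarize(results))
```

Run against the sample report, the script reports four findings: two performance breaches (availability and one slow P1 response), one late security notification and one unapproved subcontractor change. The point for the auditor is that each finding maps back to a contract clause (service levels, notification, subcontractor approval), which is the evidence trail the "Manage" column above asks for.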
IT Performance Monitoring and Reporting

• Business contribution including, but not limited to, financials

• Performance against the strategic business and IT plan

• Risk and compliance with regulations

• Internal and external user satisfaction with service levels

• Key IT processes, including solution and service delivery

• Future-oriented activities (e.g., emerging technology, reusable infrastructure, business and IT personnel skill sets)
Performance Optimization

• A variety of improvement and optimization methodologies are available that complement simple, internally developed approaches. These include:

• Continuous improvement methodologies, such as the PDCA cycle

• Comprehensive best practices, such as ITIL

• Frameworks, such as COBIT
The PDCA Method

• Plan: Establish objectives and processes needed to deliver desired results.

• Do: Implement the plan, collecting data for charting and analysis.

• Check: Study results from the “Do” step, looking for deviations from desired results.

• Act: Analyze deviations and request corrective actions.
Tools and Techniques

• Six Sigma: A quantitative process analysis, defect reduction and improvement approach

• IT BSC: A process management evaluation technique that can be effectively applied to assess IT functions and processes

• KPI: A measure that determines how well a process is performing in enabling a goal to be reached

• Benchmarking: A systematic approach to comparing enterprise performance against competitors to learn methods

• BPR: The thorough analysis and redesign of business processes to establish a better performing structure with cost savings

• Root Cause Analysis: The process of diagnosis to establish the origins of events so that controls can be developed to address these causes

• Life Cycle Cost-benefit: Assessment of life cycle, life cycle cost and benefit analysis to determine strategic direction for IT systems
Activity

• As an IS auditor, if you were reviewing the cloud sourcing area, what would you look at to determine alignment?
Knowledge Check 1

While reviewing a quality management system (QMS) the IS auditor should PRIMARILY focus on collecting evidence to show that:

A. Quality management systems (QMSs) comply with good practices

B. Continuous improvement targets are being monitored

C. Standard operating procedures of IT are updated annually

D. Key performance indicators (KPIs) are defined

The correct answer is B

Continuous and measurable improvement of quality is the primary requirement to achieve the business objective for the quality management system (QMS).
IT Balanced Scorecard

• The IT balanced scorecard (BSC) is a management evaluation technique that can be applied to the EGIT process.

• It goes beyond traditional financial evaluation by measuring:

• Customer (or user) satisfaction
• Internal operational processes
• The ability to innovate

• IT BSC objectives serve to:

• Establish a method for management reporting to the board.
• Foster consensus among stakeholders about IT strategic aims.
• Demonstrate the effectiveness of IT.
• Facilitate communication about the performance, risk and capabilities of IT.
Example of an IT BSC

Generic IT Balanced Scorecard (the figure links the four perspectives with cause-and-effect arrows)

Business Contribution
How does management view the IT department?
Mission: To obtain a reasonable business contribution from IT investments
Objectives: Business/IT alignment; Value delivery; Cost management; Risk management

User Orientation
How do users view the IT department?
Mission: To be the preferred supplier of information systems
Objectives: Preferred supplier of applications and operations; Partnership with users; User satisfaction

Operational Excellence
How effective and efficient are the IT processes?
Mission: To deliver effective and efficient IT applications and services
Objectives: Efficient and effective developments; Efficient and effective operations; Maturity level of IT processes

Future Orientation
How well is IT positioned to meet future needs?
Mission: To develop opportunities to answer future challenges
Objectives: Training and education of IT staff; Expertise of IT staff; Research into emerging technologies

Source: ISACA, IT Governance Domain Practices and Competencies: Measuring and Demonstrating the Value of IT, USA, 2005, figure 7
Activity

• You have been assigned to evaluate how IT resources are categorized and managed. During interviews, you realize that specific benchmarks and measures have not been established about:

• Personnel skills and experience

• Direction of outsourcing of IT services

• Without having key performance indicators defined, what problems are likely to occur when managing outsourced service providers?
Knowledge Check 1

Which of the following is the MOST important IS audit consideration when an organization outsources a customer credit review system to a third-party service provider? The provider:

A. Claims to meet or exceed industry security standards

B. Agrees to be subject to external security reviews

C. Has a good market reputation for service and experience

D. Complies with security policies of the organization

The correct answer is B

It is critical that an independent security review of an outsourcing vendor be obtained because customer credit information will be kept there.
Knowledge Check 2

Before implementing an IT balanced scorecard (BSC), an organization must:

A. Deliver effective and efficient services

B. Define key performance indicators

C. Provide business value to IT projects

D. Control IT expenses

The correct answer is B

Because a BSC is a way to measure performance, a definition of key performance indicators is required before implementing an IT BSC.
Quality Assurance and Quality Management of IT

Quality Assurance

Quality Assurance | Quality Control

Quality Management

• Areas of control for quality management may include:

• Software development, maintenance and implementation
• Acquisition of hardware and software
• Day-to-day operations
• Service management
• Security
• HR management
• General administration
Activity

• Many of ABC corporation’s software products are not found to meet EU Privacy Directives. Furthermore, many of the software products have numerous injection and cross-site scripting vulnerabilities.

• What is the best way to address these vulnerabilities?

Knowledge Check 1

An IS auditor is performing a review of the software quality management process in an organization. The FIRST step should be to:

A. Verify how the organization follows the standards

B. Identify and report the controls currently in place

C. Review the metrics for quality evaluation

D. Request all standards that have been adopted by the organization

The correct answer is D

Because an audit measures compliance with the standards of the organization, the first step of the review of the software quality management process should be to determine the evaluation criteria in the form of standards adopted by the organization. The evaluation of how well the organization follows their own standards cannot be performed until the IS auditor has determined what standards exist.
Key Takeaways

Evaluate the IT strategy for alignment with the organization’s strategies and objectives.

Evaluate the effectiveness of IT governance structure and IT organizational structure.

Evaluate the organization’s management of IT policies and practices.

Evaluate the organization’s IT policies and practices for compliance with regulatory and legal requirements.

Evaluate IT resource and portfolio management for alignment with the organization’s strategies and objectives.

Evaluate the organization’s risk management policies and practices.

Evaluate IT management and monitoring of controls.

Evaluate the monitoring and reporting of IT key performance indicators (KPIs).

Evaluate whether IT supplier selection and contract management processes align with business requirements.

Evaluate whether IT service management practices align with business requirements.

Conduct periodic review of information systems and enterprise architecture.

Evaluate data governance policies and practices.

Evaluate the information security program to determine its effectiveness and alignment with the organization’s strategies and objectives.

Evaluate potential opportunities and threats associated with emerging technologies, regulations, and industry practices.