Management of IT
Domain 2
© Copyright 2016 ISACA. All rights reserved.
... and objectives.
2.3 Evaluate IT organizational structure and human resources (personnel) management to determine ... objectives.
Domain 2
2.4 Evaluate IT policies, standards and procedures and the processes for their development, approval, release/publishing, implementation and maintenance to determine whether they support the IT strategy and comply with regulatory and legal requirements.
2.5 Evaluate IT resource management, including investment, prioritization, allocation and use, for ...
2.6 Evaluate IT portfolio management, including investment, prioritization and allocation, for alignment ...
2.7 Evaluate risk management practices to determine whether IT-related risks are identified, assessed, monitored, reported and managed.
2.8 Evaluate IT management and monitoring of controls (e.g., continuous monitoring and quality assurance [QA]) ...
2.9 Evaluate monitoring and reporting of IT key performance indicators (KPIs) to determine whether management receives sufficient and timely information.
2.10 Evaluate the IT strategy, including the IT direction, and the processes for the ...
... (BCP), including the alignment of the IT disaster recovery plan (DRP) with the BCP, to determine the ...
Task 2.1
Governance of Enterprise IT
Corporate governance is a set of responsibilities and ... provide strategic direction.
Governance of enterprise IT (GEIT) implies a system in which all stakeholders provide input into the decision-making process.
GEIT is concerned with the stewardship of IT resources on behalf of these stakeholders.

How does Task 2.1 relate to each of the following knowledge statements?
Knowledge Statement: K2.6 Knowledge of the processes for the development, implementation and maintenance of IT strategy, policies, standards and procedures
Connection: The governance life cycle for an organization is a living process that ... existing and emerging objectives and goals.
GEIT Implementation
The GEIT framework is implemented through practices that provide feedback regarding two fundamental issues:
o That IT delivers value to the enterprise
o That IT risk is properly managed

Broad processes in GEIT implementation include:
o IT resource management: Focuses on maintaining an updated inventory of IT resources; addresses the risk management process
o Performance measurement: Ensures that all IT resources perform to deliver value to the enterprise
o Compliance management: Addresses legal, regulatory and contractual compliance requirements
... goals.
The topics that management must address to govern IT within the enterprise are each ...
[Figure: governance cycle. Labels visible: Evaluate, Direct, Monitor, Management, Feedback.]
GEIT Frameworks
The control environment of the organization, the inherent risk present, and IT investment and expenditure must also be assessed.

Several frameworks provide standards for GEIT, including:
o COBIT 5
o ISO/IEC 27001
o Information Technology Infrastructure Library
o IT Baseline Protection Catalogs or IT-Grundschutz Catalogs
Enterprise Architecture
Enterprise architecture (EA) is a practice ... assets in a structured manner.
EA facilitates the understanding of, management of, and planning for IT investments through comparison of the current state and an optimized future state.

EA can be approached from one of two differing perspectives, as follows:
o Technology-driven EA: Seeks to clarify the complex technology choices faced by an organization in order to provide guidance on the implementation of various solutions.
o Business-driven EA: Attempts to understand the organization in terms of its core processes, and derive the optimum mix of technologies needed to support these processes.
IT Governing Committees
Organizations often have executive-level strategy and steering committees to handle organization-wide IT issues.
The IS auditor should know the responsibilities of, authority possessed by and membership of such committees.

How does Task 2.2 relate to each of the following knowledge statements?
Knowledge Statement: K2.4 Evaluate IT policies, standards and procedures, and the processes for their development, approval, release/publishing, implementation and maintenance to determine whether they support the IT strategy and comply with regulatory and legal requirements.
Connection: Without processes in place to develop and maintain an ... policies, standards and procedures, these guiding documents will not remain in alignment with existing and emerging strategy goals, and objectives and regulatory requirements.
Information Security
Information security governance is the responsibility of the board of directors and executive management.
Information security governance is a subset of corporate governance, providing strategic direction for security activities and ensuring that objectives are achieved.
An information security program comprises the leadership, organizational structures and the processes that safeguard information.

The information security governance framework will generally consist of:
o A security strategy linked with business objectives
o Security policies that address strategy, controls and regulation
o Standards to ensure that procedures and guidelines comply with policies
o An effective security organizational structure without conflicts of interest
o Monitoring procedures to ensure compliance and provide feedback on effectiveness
Sourcing Practices
Sourcing practices relate to the way in which the enterprise obtains the IT functions required to support the business.
These functions may be performed:
o ...
o ...
o By a mix of both insourced and outsourced methods

The functions may be performed across the globe in a variety of arrangements, including:
o Onsite: Staff works onsite in the IT department.
o Offsite: Staff works at a remote location in the same geographical region.
o Offshore: Staff works at a remote location in a different geographical region.
Evaluate the effectiveness of the IT governance structure to determine whether IT decisions, directions and ... strategies and objectives.
Connection: The governance structure enables the organization to remain agile and in alignment with current and emerging goals and objectives.

Public cloud: Owned by an organization selling cloud services. Data may be stored with the data of competitors. Data may be stored in unknown locations. Data may not be easily retrievable.
Hybrid cloud: Binding of two or more cloud deployment types. Data labeling and classification beneficial to ensure assignment to correct cloud type. Aggregate risk of merging different deployment models.
IT Functions
Generally, the following IT functions should be reviewed by the IS auditor:
o Systems development management
o Project management
o Help or service desk administration
o End-user activities and their management
o Data management
o Quality assurance management
o Database administration
o Information security management
o Applications and infrastructure development and maintenance
o Network management

Additionally, these functions should be reviewed by the IS auditor:
o Vendor and outsourcer management
o Infrastructure operations and maintenance
o Removable media management
o Data entry
o Supervisory control and data acquisition
o Systems and security administration
Key Terms
Key Term: Policy
Definition: 1. Generally, a document that records a high-level principle or course of action that has been decided on. 2. An overall intention and direction as formally expressed by management.
Key Term: Procedure
Definition: A document containing a detailed description of the steps necessary to perform specific operations in conformance with applicable standards. Procedures are defined as part of processes.
Key Term: Process
Definition: Generally, a collection of activities influenced ... that takes inputs from a number of sources (including other processes), manipulates the inputs and produces outputs.
Key Term: Regulatory requirements
Definition: Rules or laws that regulate conduct and that the enterprise must obey to become compliant.
IS Strategy
Information systems support, sustain and help to grow enterprises.
IS strategic processes can be seen as:
o Integral components of the organizational governance structure
o Methods to provide reasonable assurance that business objectives may be attained
o A facilitator for the enhancement of competitive advantage

How does Task 2.4 relate to each of the following knowledge statements?
Knowledge Statement: K2.6 Knowledge of the processes for the development, implementation and maintenance of IT strategy, policies, standards and procedures
Connection: The IS auditor must understand the life cycle of organizational IT strategies, policies, standards and procedures.
Policies
Corporate policies are high-level documents that set the tone for an organization as a whole.
Departmental or division-level policies define lower-level goals and directives.
Policies are part of the IS audit scope and should be tested for compliance.

... auditors should use the policies as a benchmark for evaluating compliance.
The IS auditor must also consider whether and to what extent policies pertain to third parties and outsourcers, whether these parties comply with the policies and whether the policies of these parties conflict with those of the organization.
Standards
Corporate standards are documents that set the specific criteria to which items conform.
Departmental or division-level IT system standards define the specific level of configuration and performance benchmarks.
Standards are part of the IS audit scope and should be tested for compliance.

IS hardening and service levels should be in alignment with applicable standards, and auditors should use the standards as a benchmark for evaluating compliance.
As with policies, the IS auditor must also consider whether and to what extent standards pertain to third parties and outsourcers, whether these parties comply with the standards and whether the standards of these parties conflict with those of the organization.
How does Task 2.5 relate to each of the following knowledge statements?
Knowledge Statement: K2.10 Knowledge of IT supplier selection, contract management, relationship management and performance monitoring processes, including third-party outsourcing relationships
Connection: IT vendor and contract statement of work, and respective terms and conditions must be evaluated to ensure required value and technical performance measures are attained.
Knowledge Statement: K2.12 Knowledge of practices for monitoring and reporting of controls performance (e.g., continuous monitoring and quality assurance [QA])
Connection: The IS auditor will find that successful IT governance relies on continuous feedback processes to ensure organizational goals and objectives are being met.
IT Balanced Scorecard
How does Task 2.5 relate to each of the following knowledge statements?
Knowledge Statement: K2.14 Knowledge of practices for monitoring and reporting of IT performance (e.g., balanced scorecards [BSCs] and key performance indicators [KPIs])
Connection: The IS auditor will evaluate and use the key performance indicators established and maintained that become the basis for reporting during continuous monitoring feedback on IT governance effectiveness.

The IT balanced scorecard (BSC) is a management evaluation technique that can be applied to the GEIT process.
It goes beyond traditional financial evaluation by measuring:
o Customer (or user) satisfaction
o Internal operational processes
o The ability to innovate
Example of an IT BSC
IT BSC objectives serve to:
o Establish a method for management reporting to the board.
o ... strategic aims.
[Figure: Generic IT Balanced Scorecard. Labels visible: Business Contribution (How does management view the IT department?), Mission, Business/IT alignment, Value Delivery, Effect, User Orientation, Cost management, Future Orientation.]
Source: ISACA, IT Governance Domain Practices and Competencies: Measuring and Demonstrating the Value of IT, USA, 2005, figure 7
How does Task 2.6 relate to each of the following knowledge statements?
Knowledge Statement: K2.9 Knowledge of IT resource investment and allocation practices, including prioritization criteria (e.g., portfolio management, value management, personnel management)
Connection: Awareness of current practices in IT investment and resource allocation, role of financial management practices and HR processes and policies on IT governance in IT portfolio management
Knowledge Statement: K2.10 Knowledge of IT supplier selection, contract management, relationship management and performance monitoring processes, including third-party outsourcing relationships
Connection: Relationship between vendor management and IT governance of the outsourcing entity to meet and stay aligned with goals and objectives
Knowledge Statement: K2.12 Knowledge of practices for monitoring and reporting of controls performance (e.g., continuous monitoring and quality assurance [QA])
Connection: Adoption of good practices for control performance monitoring and reporting to include balanced scorecard and KPIs in driving performance optimization
Knowledge Statement: K2.14 Knowledge of practices for monitoring and reporting of IT performance (e.g., balanced scorecards [BSCs] and key performance indicators [KPIs])
Connection: Concepts related to establishing, monitoring and reporting processes needed by the governance team to evaluate performance and provide direction to senior management
IT Portfolio Management
IT portfolio management is distinct from IT financial management.
It has a strategic goal in determining IT direction toward:
o What the enterprise will begin to invest in
o What the enterprise will continue to invest in
o What the enterprise will divest
Key governance practices in IT portfolio management include the evaluation, direction and monitoring of value optimization.

The most significant advantage of IT portfolio management is agility in adjusting investments based on built-in feedback mechanisms.
Implementation methods include:
o Risk profile analysis
o Diversification of projects, infrastructure and technologies
o Continuous alignment with business goals
o Continuous improvement
Risk Management
The process of risk management focuses on an ...
To be effective, the process must begin with an ...

Four possible responses to risk are:
o Avoidance: elimination of the cause of the risk
o Mitigation: ... occurrence or of its impact
o Transfer: sharing of risk with partners, such as through insurance or joint ventures
o Acceptance: formal acknowledgment of the presence of risk with a commitment to monitor it
A fifth response, rejection of risk through choosing to ignore it, is not considered effective risk management. The presence of this risk response should be a red flag for the IS auditor.
[Figure: plan-do-check-act cycle.
Plan: Establish objectives and processes needed to deliver desired results.
Do: Implement the plan, collecting data for charting and analysis.
Check: Study results ... step, looking for deviations from desired results.
Act: Analyze deviations and request corrective actions.]

Several different models may be encountered in organizations, including:
o COBIT Process Assessment Model (PAM): defines the minimum requirements for conducting an assessment to ensure reliable results
o IDEAL model: designed to guide the planning and implementation of effective software improvement
o CMMI: provides the essential elements of effective processes; used as a guide to process improvement across a project, division or organization
... communication and support organizational change. These include:

Key Term: IT BSC
Definition: A process management evaluation technique that can be effectively applied to assess IT functions and processes
Policy Management
The management of information security ensures that an ... process the information are properly protected.
An information security program is established through:
o Assessing the risk to IT assets
o Mitigating the risk to a level determined by management
o Monitoring remaining residual risk

How does Task 2.10 relate to each of the following knowledge statements?
Knowledge Statement: K2.16 Knowledge of the standards and procedures for the development, maintenance and testing of the business continuity plan (BCP)
Connection: Understanding the life cycle of BCP/DRP development and maintenance
Knowledge Statement: K2.17 Knowledge of procedures used to invoke and execute the business continuity plan and return to normal operations
Connection: Understanding how the BIA defines the triggers to initiate the various actions within the BCP/DRP
... through a BIA.
[Figure: business continuity life cycle. Labels visible: BC Plan Development; Business Impact Analysis; BC Strategy Development; Strategy Execution (Risk Countermeasures Implementation).]
o Verifying BCP effectiveness through a review of plan testing
o Evaluating cloud-based mechanisms and offsite storage
o Assessing the ability of personnel to respond effectively in the event of an incident

3. Review the business continuity teams.
4. Test the plan.
Domain 2 Summary
Evaluation of the IT strategy life cycle
Evaluation of the effectiveness of the IT governance structure
Evaluation of the IT organizational structure and human resources (personnel) management
Evaluation of ... and procedures life cycle
Evaluation of IT resource management
Evaluation of IT portfolio management
Evaluation of risk management practices
Evaluation of IT management and monitoring of controls
Evaluation of monitoring and reporting of IT KPIs
Evaluation of ... plan
The importance of a BCP, including the alignment of the IT DRP with the BCP