CISA Review Course 26th Edition
Domain 2: Governance and Management of IT

Domain 2
Provide assurance that the necessary leadership and organizational structures and processes are in place to achieve the objectives and to support the organization's strategy.

© Copyright 2016 ISACA. All rights reserved.

Domain 2
The focus of Domain 2 is the knowledge of IT governance, which is fundamental to the work of the IS auditor and for the development of sound control practices and mechanisms for management oversight and review.

Domain Objectives
The objective of this domain is to ensure that the CISA candidate is prepared for the role of completing a review in the following areas to ensure that IT governance requirements are met:
o Organizational structure
o Management policies
o Accountability mechanisms
o Monitoring practices


On the CISA Exam
Domain 2 represents 16% of the questions on the CISA exam (approximately 24 questions).
Domain 2 incorporates 10 tasks related to the management of IT governance.

Domain Tasks
2.1 Evaluate the IT strategy, including the IT direction, and the processes for the strategy's development, approval, implementation and maintenance for alignment with the organization's strategies and objectives.
2.2 Evaluate the effectiveness of the IT governance structure to determine whether IT decisions, directions and performance support the organization's strategies and objectives.
2.3 Evaluate IT organizational structure and human resources (personnel) management to determine whether they support the organization's strategies and objectives.
2.4 Evaluate the organization's IT policies, standards and procedures, and the processes for their development, approval, release/publishing, implementation and maintenance to determine whether they support the IT strategy and comply with regulatory and legal requirements.
2.5 Evaluate IT resource management, including investment, prioritization, allocation and use, for alignment with the organization's strategies and objectives.
2.6 Evaluate IT portfolio management, including investment, prioritization and allocation, for alignment with the organization's strategies and objectives.
2.7 Evaluate risk management practices to determine whether the organization's IT-related risks are identified, assessed, monitored, reported and managed.
2.8 Evaluate IT management and monitoring of controls (e.g., continuous monitoring and quality assurance [QA]) for compliance with the organization's policies, standards and procedures.


2.9 Evaluate monitoring and reporting of IT key performance indicators (KPIs) to determine whether management receives sufficient and timely information.
2.10 Evaluate the organization's business continuity plan (BCP), including the alignment of the IT disaster recovery plan (DRP) with the BCP, to determine the organization's ability to continue essential business operations during the period of an IT disruption.

Task 2.1
Evaluate the IT strategy, including the IT direction, and the processes for the strategy's development, approval, implementation and maintenance for alignment with the organization's strategies and objectives.

Key Terms
Strategic planning: The process of deciding on the enterprise's objectives, on changes in these objectives, and the policies to govern their acquisition and use.
IT strategic plan: A long-term plan (i.e., three- to five-year horizon) in which business and IT management cooperatively describe how IT resources will contribute to the enterprise's strategic objectives (goals).

Task to Knowledge Statements
How does Task 2.1 relate to each of the following knowledge statements?
K2.1 Knowledge of the purpose of IT strategy, policies, standards and procedures for an organization and the essential elements of each
Connection: The IS auditor must understand the purpose of strategies, the policies directing the implementation of these strategies, and the standards for desired performance of the enterprise.
K2.5 Knowledge of the organization's technology direction and IT architecture and their implications for setting long-term strategic directions
Connection: Based on the organization's goals and IT objectives, the IS auditor must understand how the organization develops and aligns technology and architecture planning and acquisitions to meet today's and long-term organizational goals and objectives.


How does Task 2.1 relate to each of the following knowledge statements?
K2.6 Knowledge of the processes for the development, implementation and maintenance of IT strategy, policies, standards and procedures
Connection: The governance life cycle for an organization is a living process that must remain aligned with existing and emerging objectives and goals.

Governance of Enterprise IT
Corporate governance is a set of responsibilities and practices used by an organization's management to provide strategic direction.
Governance of enterprise IT (GEIT) implies a system in which all stakeholders provide input into the decision-making process.
GEIT is concerned with the stewardship of IT resources on behalf of these stakeholders.

GEIT Implementation
The GEIT framework is implemented through practices that provide feedback regarding two fundamental issues:
o That IT delivers value to the enterprise
o That IT risk is properly managed

Broad processes in GEIT implementation include:
o IT resource management: Focuses on maintaining an updated inventory of IT resources; addresses the risk management process
o Performance measurement: Ensures that all IT resources perform to deliver value to the enterprise
o Compliance management: Addresses legal, regulatory and contractual compliance requirements


GEIT Good Practices
GEIT is a structure of relationships and processes used to direct and control the enterprise toward achievement of its goals.
The topics that management must address to govern IT within the enterprise are each concerned with value creation.

[Figure: COBIT 5 governance and management model. Business Needs feed the Governance layer (Evaluate, Direct, Monitor), which directs the Management layer (Plan [APO], Build [BAI], Run [DSS], Monitor [MEA]) and receives feedback from it.]
Source: ISACA, COBIT 5, USA, 2012, figure 15

The Role of Audit in GEIT
Audit plays a significant role in the implementation of GEIT.
It offers these benefits:
o Provides leading practice recommendations to senior management
o Helps ensure compliance with GEIT initiatives
o Provides an independent and balanced view to facilitate quantitative improvement of IT processes

Areas of GEIT Audit
In accordance with the defined role of the IS auditor, the following aspects of GEIT must be assessed:
o Alignment of enterprise governance and GEIT
o Alignment of the IT function with the organizational mission, vision, values, objectives and strategies
o Achievement of performance objectives
o Compliance with legal, environmental, fiduciary, security and privacy requirements


The control environment of the organization, the inherent risk present, and IT investment and expenditure must also be assessed.

GEIT Frameworks
Several frameworks provide standards for GEIT, including:
o COBIT 5
o ISO/IEC 27001
o Information Technology Infrastructure Library (ITIL)
o IT Baseline Protection Catalogs or IT-Grundschutz Catalogs

Enterprise Architecture
Enterprise architecture (EA) is a practice for documenting an organization's IT assets in a structured manner.
EA facilitates the understanding of, management of, and planning for IT investments through comparison of the current state and an optimized future state.

EA can be approached from one of two differing perspectives, as follows:
o Technology-driven EA: Seeks to clarify the complex technology choices faced by an organization in order to provide guidance on the implementation of various solutions.
o Business-driven EA: Attempts to understand the organization in terms of its core processes, and derive the optimum mix of technologies needed to support these processes.


In the Big Picture
Task 2.1: Evaluate the IT strategy, including the IT direction, and the processes for the strategy's development, approval, implementation and maintenance for alignment with the organization's strategies and objectives.
The Big Picture: The IS auditor provides critical evaluation feedback as to the effective maintenance of alignment with stated goals and objectives.

Discussion Question
Which of the following choices is the PRIMARY benefit of requiring a steering committee to oversee IT investment?
A. To conduct a feasibility study to demonstrate IT value
B. To ensure that investments are made according to business requirements
C. To ensure that proper security controls are enforced
D. To ensure that a standard development methodology is implemented

Discussion Question
As an outcome of information security governance, strategic alignment provides:
A. security requirements driven by enterprise requirements.
B. baseline security following good practices.
C. institutionalized and commoditized solutions.
D. an understanding of risk exposure.

Task 2.2
Evaluate the effectiveness of the IT governance structure to determine whether IT decisions, directions and performance support the organization's strategies and objectives.


Key Terms
Governance: Ensuring that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives.

Task to Knowledge Statements
How does Task 2.2 relate to each of the following knowledge statements?
K2.2 Knowledge of IT governance, management, security and control frameworks and related standards, guidelines and practices
Connection: The IS auditor must understand how the organization's goals and objectives flow down to senior management for the development of strategies, policies directing the implementation of these strategies, and standards for the desired performance of the enterprise.

How does Task 2.2 relate to each of the following knowledge statements?
K2.4 Evaluate the organization's IT policies, standards and procedures, and the processes for their development, approval, release/publishing, implementation and maintenance to determine whether they support the IT strategy and comply with regulatory and legal requirements.
Connection: Without processes in place to develop and maintain an organization's policies, standards and procedures, these guiding documents will not remain in alignment with existing and emerging strategy, goals and objectives, and regulatory requirements.

IT Governing Committees
Organizations often have executive-level strategy and steering committees to handle organization-wide IT issues.
The IS auditor should know the responsibilities of, authority possessed by and membership of such committees.


IT Committee Analysis
IT Strategy Committee
o Responsibility: Provides insight and advice to the board across a range of IT topics
o Authority: Advises the board and management on IT strategy, focusing on current and future strategic IT issues
o Membership: Includes board members and specialist non-board members
IT Steering Committee
o Responsibility: Decides the level and allocation of IT spending, aligns and approves the enterprise's IT architecture, and performs other oversight functions
o Authority: Assists the executive in the delivery of IT strategy, overseeing management of IT service delivery, projects and implementation
o Membership: Includes sponsoring executive, business executive (key users), chief information officer (CIO) and key advisors, as required
Source: ISACA, CISA Review Manual 26th Edition, figure 2.4

Security: A Governance Issue
Information security has become a significant governance issue due to:
o Global networking
o Rapid technological innovation and change
o Increase in threat agent sophistication
o Extension of organizations beyond their traditional boundaries
As a result of these, negligence in the area of information security undermines the organization's ability to take advantage of IT opportunities while also mitigating risk.

Information Security
Information security governance is the responsibility of the board of directors and executive management.
Information security governance is a subset of corporate governance, providing strategic direction for security activities and ensuring that objectives are achieved.
An information security program comprises the leadership, organizational structures and the processes that safeguard information.

The information security governance framework will generally consist of:
o A security strategy linked with business objectives
o Security policies that address strategy, controls and regulation
o Standards to ensure that procedures and guidelines comply with policies
o An effective security organizational structure without conflicts of interest
o Monitoring procedures to ensure compliance and provide feedback on effectiveness


Sourcing Practices
Sourcing practices relate to the way in which the enterprise obtains the IT functions required to support the business.
These functions may be performed:
o Insourced: Fully performed by the organization's own staff
o Outsourced: Fully performed by the vendor's staff
o By a mix of both insourced and outsourced methods

The functions may be performed across the globe in a variety of arrangements, including:
o Onsite: Staff works onsite in the IT department.
o Offsite: Staff works at a remote location in the same geographical region.
o Offshore: Staff works at a remote location in a different geographical region.

Cloud Computing
Cloud-based computing brings specific issues, including:
o A lack of agreed-upon definitions.
o Various models describing cloud computing result in differing risks and benefits.
o Additional legal requirements may pertain to cloud storage.
Several service models and deployment methods are applied to cloud computing; each of these raises specific considerations.

Issues in Service Models
Infrastructure as a Service (IaaS)
o Options to minimize the impact if the cloud provider has a service interruption
Platform as a Service (PaaS)
o Availability, confidentiality
o Privacy and legal liability in the event of a security breach
o Data ownership
o Concerns regarding e-discovery
Software as a Service (SaaS)
o Who owns the applications?
o Where do the applications reside?
Source: ISACA, CISA Review Manual 26th Edition, figure 2.9


Issues in Deployment Models
Private cloud: Operated solely for an organization
o Provides cloud services with minimum risk, but may not provide the scalability and agility of public cloud services
Community cloud: Shared by several organizations
o Same as private cloud services, plus data may be stored with the data of competitors
Public cloud: Owned by an organization selling cloud services
o Data may be stored with the data of competitors
o Data may be stored in unknown locations
o Data may not be easily retrievable
Hybrid cloud: Binding of two or more cloud deployment types
o Data labeling and classification are beneficial to ensure assignment to the correct cloud type
o Aggregate risk of merging different deployment models
Source: ISACA, CISA Review Manual 26th Edition, figure 2.10

In the Big Picture
Task 2.2: Evaluate the effectiveness of the IT governance structure to determine whether IT decisions, directions and performance support the organization's strategies and objectives.
The Big Picture: The governance structure enables the organization to remain agile and in alignment with current and emerging goals and objectives.

Discussion Question
An IS auditor is evaluating the IT governance framework of an organization. Which of the following would be the GREATEST concern?
A. Senior management has limited involvement.
B. Return on investment (ROI) is not measured.
C. Chargeback of IT cost is not consistent.
D. Risk appetite is not quantified.

Discussion Question
Which of the following IT governance good practices improves strategic alignment?
A. Supplier and partner risk is managed.
B. A knowledge base on customers, products, markets and processes is in place.
C. A structure is provided that facilitates the creation and sharing of business information.
D. Top management mediates between the imperatives of business and technology.


Task 2.3
Evaluate IT organizational structure and human resources (personnel) management to determine whether they support the organization's strategies and objectives.

Key Terms
IT architecture: Description of the fundamental underlying design of the IT components of the business, the relationships among them, and the manner in which they support the enterprise's objectives.
Segregation (separation) of duties (SoD): A basic internal control that prevents or detects errors and irregularities by assigning to separate individuals the responsibility for initiating and recording transactions and for the custody of assets.

Task to Knowledge Statements
How does Task 2.3 relate to each of the following knowledge statements?
K2.3 Knowledge of organizational structure, roles and responsibilities related to IT, including segregation of duties (SoD)
Connection: IS auditors must understand how the assignment of duties could lead to vulnerabilities within the enterprise due to individuals gaining privileges that could lead to uncontrolled and/or unauthorized access, creation, modification and destruction of data and systems.

K2.9 Knowledge of IT resource investment and allocation practices, including prioritization criteria (e.g., portfolio management, value management, personnel management)
Connection: During evaluation of the governance of enterprise IT, the IS auditor must focus on how critical IT resource investments and allocations delivered the required value and are in alignment with organizational goals and objectives.


HR Management
[Figure: HR management practices: Recruiting, Selecting, Training, Promoting, Measuring performance, Discipline, Staff retention, Mandatory leave, Succession planning.]

IT Organizational Structure
Within an organization, the IT department can be structured in a variety of ways.
An organizational chart provides a clear definition of a department's hierarchy and authorities.
The IS auditor should compare observed roles and responsibilities with formal organizational structures and job descriptions.

IT Functions
Generally, the following IT functions should be reviewed by the IS auditor:
o Systems development management
o Project management
o Help or service desk administration
o End-user activities and their management
o Data management
o Quality assurance management
o Database administration
o Information security management
o Applications and infrastructure development and maintenance
o Network management

Additionally, these functions should be reviewed by the IS auditor:
o Vendor and outsourcer management
o Infrastructure operations and maintenance
o Removable media management
o Data entry
o Supervisory control and data acquisition
o Systems and security administration


Segregation of IT Duties
While actual job titles and organizational structures vary across enterprises, an IS auditor must obtain enough information to understand and document the relationships among various job functions, responsibilities and authorities.
The IS auditor must also assess the adequacy of SoD.
SoD limits the possibility that a single person will be responsible for functions in such a way that errors or misappropriations could occur undetected.
SoD is an important method to discourage and prevent fraudulent or malicious acts.

SoD Guidelines
Duties that should be segregated include:
o Asset custody
o Authorization capability
o Transaction recording
Both IS and end-user departments should be organized to meet SoD policies.
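As an added example (not part of the ISACA course material), the following Python script applies the SoD guideline above to a constructed access-review export: it maps hypothetical application roles to the three duty categories (asset custody, authorization capability, transaction recording), flags any user who holds two or more of them, and, for the situation where duties cannot be split across a small team, lists the conflicting users who have no independent reviewer assigned as a compensating control. The role names, users, role-to-duty mapping and reviewer list are all assumptions made for illustration.

```python
"""Segregation-of-duties (SoD) conflict check over a user-entitlement extract.

Added example, not ISACA course code. The three duty categories come from
the SoD guideline (custody, authorization, recording); the role mapping and
the sample users are constructed for illustration only.
"""
from itertools import combinations

# Assumed mapping from application role to the SoD duty it grants.
# Role names are hypothetical; None marks a read-only role with no SoD duty.
ROLE_DUTY = {
    "AP_INVOICE_ENTRY": "recording",        # records payables transactions
    "AP_PAYMENT_APPROVE": "authorization",  # approves payment runs
    "TREASURY_DISBURSE": "custody",         # releases funds (asset custody)
    "GL_JOURNAL_POST": "recording",         # records journal entries
    "VENDOR_MASTER_EDIT": "authorization",  # decides who may be paid
    "REPORT_VIEWER": None,                  # read-only, no SoD duty
}

# Any two of the three duties held by one person is a conflict; all three
# means one person can create, approve and pay a transaction unobserved.
CONFLICTING_PAIRS = {
    frozenset(p) for p in combinations(("custody", "authorization", "recording"), 2)
}


def duties_for(roles):
    """Return the set of SoD duty categories granted by a list of role names.

    Unknown roles are ignored rather than raising, so a partial extract can
    still be analysed; a real review would log them for follow-up.
    """
    return {d for d in (ROLE_DUTY.get(r) for r in roles) if d}


def find_sod_conflicts(assignments):
    """Map each user with a conflict to the sorted list of conflicting duty pairs.

    assignments: {user: [role, ...]} as exported from an access review.
    """
    findings = {}
    for user, roles in assignments.items():
        held = duties_for(roles)
        pairs = sorted(tuple(sorted(p)) for p in CONFLICTING_PAIRS if p <= held)
        if pairs:
            findings[user] = pairs
    return findings


def compensating_control_needed(assignments, reviewed_users):
    """Users with an SoD conflict whose activity is not independently reviewed.

    Where headcount prevents true segregation, independent review of the
    conflicting user's transactions is the usual compensating control; anyone
    returned here has neither segregation nor that review.
    """
    return sorted(u for u in find_sod_conflicts(assignments) if u not in reviewed_users)


# Constructed sample extract, shaped like an access-review export.
SAMPLE_ASSIGNMENTS = {
    "alice": ["AP_INVOICE_ENTRY", "REPORT_VIEWER"],
    "bob": ["AP_PAYMENT_APPROVE", "TREASURY_DISBURSE"],
    "carol": ["AP_INVOICE_ENTRY", "AP_PAYMENT_APPROVE", "TREASURY_DISBURSE"],
    "dave": ["GL_JOURNAL_POST", "VENDOR_MASTER_EDIT"],
}
# Constructed list of users whose transactions get independent review.
SAMPLE_REVIEWED = {"dave"}

if __name__ == "__main__":
    for user, pairs in find_sod_conflicts(SAMPLE_ASSIGNMENTS).items():
        print(f"{user}: {', '.join('/'.join(p) for p in pairs)}")
    print("conflict without compensating control:",
          compensating_control_needed(SAMPLE_ASSIGNMENTS, SAMPLE_REVIEWED))
```

On the sample data, alice holds only a recording duty and is clean; bob combines authorization with custody; carol holds all three duties and is the textbook case of a single person able to initiate, approve and disburse; dave conflicts but is covered by independent review, so only bob and carol remain as findings. The duty-pair model is deliberately coarse: in a real review the role-to-duty mapping is the part that needs the most validation against what each role can actually do in the system.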

53 © Copyright 2016 ISACA. All rights reserved. 54 © Copyright 2016 ISACA. All rights reserved.

SoD Change Management


If adequate SoD does not exist, the following may occur Organizational change management uses a defined and
with a lower likelihood of detection: documented process to identify and apply technology
o Misappropriation of assets improvements at both the infrastructure and application
o Misstated financial statements levels.
o Inaccurate financial documentation (due to errors or The IT department is the focal point for such changes
irregularities) and leads or facilitates the changes with senior
management support.
o Improper use of funds or modification of data
Communication is an important component of change
o Unauthorized or erroneous modification of programs management, and end-users must be informed of the
impact and benefits of changes.

55 © Copyright 2016 ISACA. All rights reserved. 56 © Copyright 2016 ISACA. All rights reserved.

© 2016. ISACA. All Rights Reserved. 14


In the Big Picture
Task 2.3: Evaluate IT organizational structure and human resources (personnel) management to determine whether they support the organization's strategies and objectives.
The Big Picture: The IS auditor must understand the need to derive the greatest value from IT resources and at the same time ensure controls are in place to prevent loss and maximize use of IT resources.

Discussion Question
An IS auditor reviewing an organization that uses cross-training practices should assess the risk of:
A. dependency on a single person.
B. inadequate succession planning.
C. one person knowing all parts of a system.
D. a disruption of operations.

Discussion Question
Which of the following controls would an IS auditor look for in an environment where duties cannot be appropriately segregated?
A. Overlapping controls
B. Boundary controls
C. Access controls
D. Compensating controls

Task 2.4
Evaluate the organization's IT policies, standards and procedures and the processes for their development, approval, release/publishing, implementation and maintenance to determine whether they support the IT strategy and comply with regulatory and legal requirements.


Key Terms
Policy: 1. Generally, a document that records a high-level principle or course of action that has been decided on. 2. An overall intention and direction as formally expressed by management.
Procedure: A document containing a detailed description of the steps necessary to perform specific operations in conformance with applicable standards. Procedures are defined as part of processes.
Process: Generally, a collection of activities influenced by the enterprise's policies and procedures that takes inputs from a number of sources (including other processes), manipulates the inputs and produces outputs.
Regulatory requirements: Rules or laws that regulate conduct and that the enterprise must obey to become compliant.

Task to Knowledge Statements
How does Task 2.4 relate to each of the following knowledge statements?
K2.1 Knowledge of the purpose of IT strategy, policies, standards and procedures for an organization and the essential elements of each
Connection: The IS auditor needs to understand the key differences between strategy, policies, procedures and standards and how all of these are integrated into the methods to provide reasonable assurance that business objectives will be attained.

K2.3 Knowledge of organizational structure, roles and responsibilities related to IT, including segregation of duties (SoD)
Connection: In line with understanding strategy, policies, standards and procedures, the IS auditor must understand how these governance structures affect the organizational structures, especially the required roles and responsibilities related to IT.


How does Task 2.4 relate to each of the following knowledge statements?
K2.6 Knowledge of the processes for the development, implementation and maintenance of IT strategy, policies, standards and procedures
Connection: The IS auditor must understand the life cycle of organizational IT strategies, policies, standards and procedures.

IS Strategy
Information systems support, sustain and help to grow enterprises.
IS strategic processes can be seen as:
o Integral components of the organizational governance structure
o Methods to provide reasonable assurance that business objectives may be attained
o A facilitator for the enhancement of competitive advantage

Policies
Corporate policies are high-level documents that set the tone for an organization as a whole.
Departmental or division-level policies define lower-level goals and directives.
Policies are part of the IS audit scope and should be tested for compliance.

Auditors should use the policies as a benchmark for evaluating compliance.
The IS auditor must also consider whether and to what extent policies pertain to third parties and outsourcers, whether these parties comply with the policies, and whether the policies of these parties conflict with those of the organization.


Standards
Corporate standards are documents that set the specific criteria to which items conform.
Departmental or division-level IT system standards define the specific level of configuration and performance benchmarks.
Standards are part of the IS audit scope and should be tested for compliance.

IS hardening and service levels should be in alignment with applicable standards, and auditors should use the standards as a benchmark for evaluating compliance.
As with policies, the IS auditor must also consider whether and to what extent standards pertain to third parties and outsourcers, whether these parties comply with the standards, and whether the standards of these parties conflict with those of the organization.

Procedures
The documented, defined steps in procedures aid in achieving policy objectives.
Procedures documenting business and aligned IT processes and their embedded controls are formulated by process owners.
To be effective, procedures must:
o Be frequently reviewed and updated
o Be communicated to those affected by them
An IS auditor examines procedures to identify and evaluate controls to ensure that control objectives are met.

Information Security Policy
A security policy for information and related technology is a first step toward building the security infrastructure for technology-driven organizations.
It communicates a coherent security standard to users, management and technical staff.
This policy should be used by IS auditors as a reference framework for performing audit assignments.
The adequacy and appropriateness of the policy is also an area of review during an IS audit.


CISA Review Course 26th Edition Domain 2: Governance and
Management of IT

Policy Components In the Big Picture


The information security policy may comprise a set of policies,
generally addressing the following concerns:
o High-level information security policy Includes
statements on confidentiality, integrity and availability Task 2.4 The Big
o Data classification policy Provides classifications and Picture
levels of control at each classification standards and procedures and the
The IS auditor must
processes for their development,
o End-user computing policy Identifies the parameters approval, release/publishing,
understand the lifecycle
and construct of IT
and usage of desktop, mobile and other tools implementation and maintenance to
strategies, policies,
determine whether they support the IT
o Access control policy Describes methods for defining strategy and comply with regulatory
standards and
procedures.
and granting access to users of various IT resources and legal requirements.

o Acceptable use policy (AUP) Controls the use of


information system resources through defining how IT
resources may be used by employees

73 © Copyright 2016 ISACA. All rights reserved. 74 © Copyright 2016 ISACA. All rights reserved.

Discussion Question
When auditing the IT governance framework and IT risk management practices that exist within an organization, the IS auditor identified some undefined responsibilities regarding IT management and governance roles. Which of the following recommendations is the MOST appropriate?
A. Review the strategic alignment of IT with the business.
B. Implement accountability rules within the organization.
C. Ensure that independent IS audits are conducted periodically.
D. Create a chief risk officer (CRO) role in the organization.

Discussion Question
... communications, the IS auditor should pay the MOST attention to:
A. the existence of a data retention policy.
B. the storage capacity of the archiving solution.
C. the level of user awareness concerning email use.
D. the support and stability of the archiving solution manufacturer.

Task 2.5
Evaluate IT resource management, including investment, prioritization, allocation and use, for alignment with the ...

Key Terms
IT resources: IT resources consist of the hardware, software, firmware, services and human capital.


Task to Knowledge Statements
How does Task 2.5 relate to each of the following knowledge statements?

... technology direction and IT architecture and their implications for setting long-term strategic directions
Connection: The IS auditor must understand and evaluate the effective alignment of IT technology and acquisition planning with organizational goals and objectives.

K2.9 Knowledge of IT resource investment and allocation practices, including prioritization criteria (e.g., portfolio management, value management, personnel management)
Connection: The IS auditor must understand and evaluate the effective management and alignment of the IT resource portfolio to ensure these resources deliver value and remain aligned with organizational goals and objectives.


How does Task 2.5 relate to each of the following knowledge statements?

K2.10 Knowledge of IT supplier selection, contract management, relationship management and performance monitoring processes, including third-party outsourcing relationships
Connection: IT vendor and contract statement of work, and respective terms and conditions must be evaluated to ensure required value and technical performance measures are attained.

K2.12 Knowledge of practices for monitoring and reporting of controls performance (e.g., continuous monitoring and quality assurance [QA])
Connection: The IS auditor will find that successful IT governance relies on continuous feedback processes to ensure organizational goals and objectives are being met.


How does Task 2.5 relate to each of the following knowledge statements?

K2.14 Knowledge of practices for monitoring and reporting of IT performance (e.g., balanced scorecards [BSCs] and key performance indicators [KPIs])
Connection: The IS auditor will evaluate and use the key performance indicators established and maintained that become the basis for reporting during continuous monitoring feedback on IT governance effectiveness.

IT Balanced Scorecard
The IT balanced scorecard (BSC) is a management evaluation technique that can be applied to the GEIT process.
It goes beyond traditional financial evaluation by measuring:
o Customer (or user) satisfaction
o Internal operational processes
o The ability to innovate


IT BSC objectives serve to:
o Establish a method for management reporting to the board.
o Foster consensus among stakeholders about IT's strategic aims.
o Demonstrate the effectiveness of IT.
o Facilitate communication about the performance, risk and capabilities of IT.

Example of an IT BSC
Generic IT Balanced Scorecard: four perspectives linked to the IT BSC by cause-and-effect relationships.

Business Contribution: How does management view the IT department?
Mission: To obtain a reasonable business contribution from IT investments
Objectives: Business/IT alignment; Value delivery; Cost management; Risk management

User Orientation: How do users view the IT department?
Mission: To be the preferred supplier of information systems
Objectives: Preferred supplier of applications and operations; Partnership with users; User satisfaction

Future Orientation: How well is IT positioned to meet future needs?
Mission: To develop opportunities to answer future challenges
Objectives: Training and education of IT staff; Expertise of IT staff; Research into emerging technologies

Operational Excellence: How effective and efficient are the IT processes?
Mission: To deliver effective and efficient IT applications and services
Objectives: Efficient and effective developments; Efficient and effective operations; Maturity level of IT processes

Source: ISACA, IT Governance Domain Practices and Competencies: Measuring and Demonstrating the Value of IT, USA, 2005, figure 7


Return on IT Investment
An IS auditor should understand the ... and allocation practices to determine whether the enterprise is positioned to achieve the greatest value from the investment of its resources.
The return on investment (ROI) for IT is both financial and nonfinancial.
o Financial benefits can include impacts on the ... reductions or revenue increases.
o Nonfinancial benefits can include impacts on organizational operations or mission performance, in addition to results, such as improved customer satisfaction, better information and shorter cycle times.

Software Development
An IS auditor should understand the requirements associated with accounting for the costs of software development.
These requirements are outlined by the International Accounting Standards Board (IASB) and the AICPA, and dictate the circumstances under which development costs must be capitalized.
There is some variation in the interpretations of such rules, so the IS auditor is advised to obtain guidance from the chartered accountants responsible for financial reporting.


In the Big Picture
Task 2.5: Evaluate IT resource management, including investment, prioritization, allocation and use, for alignment with ... objectives.
The Big Picture: IS auditors must understand the development and use of measures needed to evaluate IT resource portfolio management activities.

Discussion Question
Which of the following situations is addressed by a software escrow agreement?
A. The system administrator requires access to software to recover from a disaster.
B. A user requests to have software reloaded onto a replacement hard drive.
C. The vendor of custom-written software goes out of business.
D. An IS auditor requires access to software code written by the organization.


Discussion Question
Which of the following is the MOST important IS audit consideration when an organization outsources a customer credit review system to a third-party service provider? The provider:
A. claims to meet or exceed industry security standards.
B. agrees to be subject to external security reviews.
C. has a good market reputation for service and experience.
D. complies with security policies of the organization.

Task 2.6
Evaluate IT portfolio management, including investment, prioritization and allocation, for alignment with the ...


Key Terms
IT portfolio: A grouping of "objects of interest" (investment programs, IT services, IT projects, other IT assets or resources) managed and monitored to optimize business value. (The investment portfolio is of primary interest to Val IT. IT service, project, asset and other resource portfolios are of primary interest to COBIT.)

Task to Knowledge Statements
How does Task 2.6 relate to each of the following knowledge statements?

K2.7 Knowledge of the use of capability and maturity models
Connection: The IS auditor must understand maturity model concepts, use and capabilities in order to provide an aggregated measure of IT portfolio performance.

K2.8 Knowledge of process optimization techniques
Connection: From scoping through reporting, the IS auditor will use the knowledge of quality standards, such as quality management and performance management, to drive value from the IS audit process.


How does Task 2.6 relate to each of the following knowledge statements?

K2.9 Knowledge of IT resource investment and allocation practices, including prioritization criteria (e.g., portfolio management, value management, personnel management)
Connection: Awareness of current practices in IT investment and resource allocation, role of financial management practices and HR processes and policies on IT governance in IT portfolio management

K2.10 Knowledge of IT supplier selection, contract management, relationship management and performance monitoring processes, including third-party outsourcing relationships
Connection: Relationship between vendor management and IT governance of the outsourcing entity to meet and stay aligned with goals and objectives

K2.12 Knowledge of practices for monitoring and reporting of controls performance (e.g., continuous monitoring and quality assurance [QA])
Connection: Adoption of good practices for control performance monitoring and reporting to include balanced scorecard and KPIs in driving performance optimization

K2.14 Knowledge of practices for monitoring and reporting of IT performance (e.g., balanced scorecards [BSCs] and key performance indicators [KPIs])
Connection: Concepts related to establishing, monitoring and reporting processes needed by the governance team to evaluate performance and provide direction to senior management


IT Portfolio Management
IT portfolio management is distinct from IT financial management.
It has a strategic goal in determining IT direction toward:
o What the enterprise will begin to invest in
o What the enterprise will continue to invest in
o What the enterprise will divest
Key governance practices in IT portfolio management include the evaluation, direction and monitoring of value optimization.

The most significant advantage of IT portfolio management is agility in adjusting investments based on built-in feedback mechanisms.
Implementation methods include:
o Risk profile analysis
o Diversification of projects, infrastructure and technologies
o Continuous alignment with business goals
o Continuous improvement


In the Big Picture
Task 2.6: Evaluate IT portfolio management, including investment, prioritization and allocation, for alignment with the ... objectives.
The Big Picture: The IS auditor must understand the key toolsets an organization must employ to ensure value delivery on the IT portfolio.

Discussion Question
After the merger of two organizations, multiple self-developed legacy applications from both organizations are to be replaced by a new common platform. Which of the following would be the GREATEST risk?
A. Project management and progress reporting is combined in a project management office which is driven by external consultants.
B. The replacement effort consists of several independent projects without integrating the resource allocation in a portfolio management approach.
C. The resources of each of the organizations are inefficiently allocated while they are being familiarized with the other ...
D. The new platform will force the business areas of both organizations to change their work processes, which will result in extensive training needs.

Discussion Question
To gain an understanding of the effectiveness of an ... IT assets, an IS auditor should review the:
A. enterprise data model.
B. IT balanced scorecard (BSC).
C. IT organizational structure.
D. historical financial statements.

Task 2.7
Evaluate risk management practices to ... IT-related risks are identified, assessed, monitored, reported and managed.


Key Terms
IT risk: The business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise.
Risk management: 1. The coordinated activities to direct and control an enterprise with regard to risk. 2. One of the governance objectives. Entails recognizing risk; assessing the impact and likelihood of that risk; and developing strategies, such as avoiding the risk, reducing the negative effect of the risk and/or transferring the risk, to manage it within ...

Task to Knowledge Statements
How does Task 2.7 relate to each of the following knowledge statements?

K2.11 Knowledge of enterprise risk management (ERM)
Connection: Risk management process and applying various risk analysis methods.

K2.15 Knowledge of business impact analysis (BIA)
Connection: An IS auditor must be able to determine whether a BIA and BCP are suitably aligned.


Risk Management
The process of risk management focuses on an ...
To be effective, the process must begin with an ...

Four possible responses to risk are:
o Avoidance: elimination of the cause of the risk
o Mitigation: ... occurrence or of its impact
o Transfer: sharing of risk with partners, such as through insurance or joint ventures
o Acceptance: formal acknowledgment of the presence of risk with a commitment to monitor it
A fifth response, rejection of risk through choosing to ignore it, is not considered effective risk management. The presence of this risk response should be a red flag for the IS auditor.


Risk Management Program
Objective: A cost-effective balance between significant threats and the application of controls to those threats.
Asset Identification: Identify resources or assets that are vulnerable to threats.
Threat Assessment: Determine threats and vulnerabilities associated with the asset.
Impact Evaluation: Describe what will happen should a vulnerability be exploited.
Risk Calculation: Form an overall view of risk, based on the probability of occurrence and the magnitude of impact.
Risk Response: Evaluate existing controls and implement new controls designed to bring residual risk into alignment with enterprise risk appetite.

Risk Analysis Methods
Risk analysis is defined as a process by which frequency and magnitude of IT risk scenarios are estimated.
Three methods may be employed during risk analysis:
o Qualitative analysis methods: Descriptive rankings are used to describe risk likelihood and impact.
o Semi-quantitative analysis methods: Descriptive rankings are associated with numeric values.
o Quantitative analysis methods: Numeric values, for example, in the form of financial costs, are used to describe risk likelihood and impact.
Each of the three methods offers a perspective on risk, but it is important to acknowledge the assumptions incorporated into each risk analysis.
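A worked run of the risk calculation and risk response steps through the three analysis methods, written as an added example for this section (it is not ISACA course material); the scenarios, the ranking scale, the qualitative thresholds and the risk appetite are all constructed for illustration.

```python
"""Risk calculation and risk response check.

Added example (not part of the ISACA course material). It walks the steps of
the risk management program above (asset identification, threat assessment,
impact evaluation, risk calculation, risk response) through the three risk
analysis methods, then applies the auditor's rules: a "reject" response is a
red flag, and residual risk must sit within the enterprise risk appetite.
All scenarios, scales and the appetite below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Semi-quantitative scale: descriptive rankings associated with numeric values.
# The scale is an assumption; a real program agrees it with management.
RANK_VALUE: Dict[str, int] = {"low": 1, "medium": 2, "high": 3}

# The four responses the course recognises. "reject" (ignoring the risk) is
# the fifth response, which is not effective risk management.
VALID_RESPONSES = {"avoid", "mitigate", "transfer", "accept"}


@dataclass
class Scenario:
    """Asset identification, threat assessment and impact evaluation inputs."""
    asset: str
    threat: str
    likelihood: str           # qualitative ranking: low / medium / high
    impact: str               # qualitative ranking: low / medium / high
    annual_frequency: float   # quantitative: expected occurrences per year
    loss_per_event: float     # quantitative: financial loss per occurrence
    response: str             # planned risk response
    control_effect: float = 0.0  # share of risk removed by controls, 0..1


def semi_quantitative(s: Scenario) -> int:
    """Rankings carry numeric values; risk = likelihood value x impact value."""
    return RANK_VALUE[s.likelihood] * RANK_VALUE[s.impact]


def qualitative(s: Scenario) -> str:
    """Descriptive result for likelihood x impact (thresholds are an assumption)."""
    score = semi_quantitative(s)
    return "high" if score >= 6 else "medium" if score >= 3 else "low"


def quantitative(s: Scenario) -> float:
    """Expected annual loss = frequency x financial loss per occurrence."""
    return s.annual_frequency * s.loss_per_event


def residual_risk(s: Scenario) -> float:
    """Risk remaining after existing or new controls take effect."""
    return quantitative(s) * (1.0 - s.control_effect)


def analyze(s: Scenario) -> Dict[str, object]:
    """Risk calculation step: the same scenario through all three methods."""
    return {
        "qualitative": qualitative(s),
        "semi_quantitative": semi_quantitative(s),
        "quantitative": quantitative(s),
        "residual": residual_risk(s),
    }


def review(scenarios: List[Scenario], appetite: float) -> List[Tuple[str, str]]:
    """Risk response step from the IS auditor's side.

    Returns (scenario, finding) pairs: a 'reject' response is a red flag;
    a residual risk above the enterprise appetite means the chosen response
    does not bring risk into alignment with appetite.
    """
    findings: List[Tuple[str, str]] = []
    for s in scenarios:
        name = f"{s.asset} / {s.threat}"
        if s.response not in VALID_RESPONSES:
            findings.append((name, f"red flag: response '{s.response}' ignores the risk"))
        elif residual_risk(s) > appetite:
            findings.append((name, f"residual risk {residual_risk(s):.0f} "
                                   f"exceeds appetite {appetite:.0f}"))
    return findings


# Constructed register (not real data): four assets with one threat each.
SCENARIOS: List[Scenario] = [
    Scenario("customer database", "ransomware", "medium", "high",
             0.5, 200000.0, "mitigate", control_effect=0.8),
    Scenario("payroll server", "disk failure", "high", "medium",
             2.0, 20000.0, "accept"),
    Scenario("intranet wiki", "defacement", "low", "low",
             0.2, 2000.0, "accept"),
    Scenario("legacy app", "unsupported OS", "high", "high",
             1.0, 50000.0, "reject"),
]
APPETITE = 25000.0  # constructed enterprise risk appetite (expected annual loss)


if __name__ == "__main__":
    for s in SCENARIOS:
        print(f"{s.asset:18} {s.threat:15} {analyze(s)}")
    for name, finding in review(SCENARIOS, APPETITE):
        print(f"FINDING {name}: {finding}")
```

Run as a script it lists each scenario under all three methods and then the two findings the auditor would raise: an accepted risk whose residual exceeds the appetite, and a rejected risk.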


Business Impact Analysis
BIA is a process used to determine the impact of losing the support of any resource.
It is an important adjunct to the risk analysis, often uncovering vital but less visible components that support critical processes.
Three primary questions must be considered during a BIA process:
o What are the different business processes?
o What are the critical information resources related to an ...
o In the event of an impact on critical business processes, under what time frame will significant or unacceptable losses be sustained?
The IS auditor should be able to evaluate the BIA, requiring a knowledge of BIA development methods.

In the Big Picture
Task 2.7: Evaluate risk management practices to ... IT-related risks are identified, assessed, monitored, reported and managed.
The Big Picture: Critical to any IS audit is maintaining a clear understanding of the enterprise risks associated with the IT governance through day-to-day operations.


Discussion Question
Which of the following factors should an IS auditor PRIMARILY focus on when determining the appropriate level of protection for an information asset?
A. Results of a risk assessment
B. Relative value to the business
C. Results of a vulnerability assessment
D. Cost of security controls

Discussion Question
... reciprocal agreement, which of the following risk treatment approaches is being applied?
A. Transfer
B. Mitigation
C. Avoidance
D. Acceptance


Task 2.8
Evaluate IT management and monitoring of controls (e.g., continuous monitoring and quality assurance [QA]) for ... policies, standards and procedures.

Key Terms
Continuous auditing approach: This approach allows IS auditors to monitor system reliability on a continuous basis and to gather selective audit evidence through the computer.
Control: The means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of an administrative, technical, management or legal nature. Also used as a synonym for safeguard or countermeasure.
Quality assurance: A planned and systematic pattern of all actions necessary to provide adequate confidence that an item or product conforms to established technical requirements. (ISO/IEC 24765)


Task to Knowledge Statements
How does Task 2.8 relate to each of the following knowledge statements?

K2.6 Knowledge of the processes for the development, implementation and maintenance of IT strategy, policies, standards and procedures
Connection: Impact of legislative requirements on procedures and processes

K2.7 Knowledge of the use of capability and maturity models
Connection: Understanding management techniques to continuously improve IT performance

K2.8 Knowledge of process optimization techniques
Connection: Role of quality management in bridging the gap between current state and desired state

K2.13 Knowledge of quality management and quality assurance (QA) systems
Connection: Understanding of structures, roles and responsibilities of the QA function with the enterprise and the use of key performance indicators (KPIs) in driving performance optimization for effective IT governance

K2.14 Knowledge of practices for monitoring and reporting of IT performance (e.g., balanced scorecards [BSCs] and key performance indicators [KPIs])
Connection: Concepts related to establishing, monitoring and reporting processes needed by the governance team to evaluate performance and provide direction to senior management


Process Maturity Frameworks
Maintaining consistency, efficiency and effectiveness of IT processes requires the implementation of a process maturity framework.
Several different models may be encountered in organizations, including:
o COBIT Process Assessment Model (PAM): defines the minimum requirements for conducting an assessment to ensure reliable results
o IDEAL model: designed to guide the planning and implementation of effective software improvement
o CMMI: provides the essential elements of effective processes; used as a guide to process improvement across a project, division or organization

The PDCA Method
Plan: Establish objectives and processes needed to deliver desired results.
Do: Implement the plan, collecting data for charting and analysis.
Check: Study results, looking for deviations from desired results.
Act: Analyze deviations and request corrective actions.


Quality Management
The development and maintenance of defined and documented IT quality management processes is evidence of effective GEIT.
Quality management defines a set of tasks that produce desired results when properly performed.
Various standards provide guidelines for the governance of quality management, including those in ISO/IEC 27000.
The IS auditor should be aware of quality management. However, the CISA exam does not test specifics on any ISO standards.

Indicators of Problems
o Unfavorable end-user attitudes
o Excessive costs
o Budget overruns
o Late payments
o High staff turnover
o Inexperienced staff
o Frequent hardware or software errors
o Excessive backlog of user requests
o Slow computer response time


Indicators of Problems
o Numerous suspended development projects
o Unsupported hardware/software purchases
o Frequent hardware/software purchases
o Extensive exception reports
o Low follow-up on exception reports
o Poor motivation
o Absence of succession plans
o Overreliance on one or two key people
o Lack of adequate training

Reviewing Documentation
During an IS audit, these documents should be reviewed:
o IT strategies, plans and budgets
o Security policy documentation
o Organization/functional charts and job descriptions
o IT steering committee reports
o System development and program change procedures
o Operations procedures
o HR manuals
o QA procedures
It should be determined whether these documents:
o Were created as management authorized and intended
o Are current and up to date


Reviewing Contracts
Each of the various phases of computer hardware, software and IT service contracts should be supported by service contracts.
The IS auditor should:
o Verify management participation in the contracting process.
o Ensure the presence of timely contract compliance review.
o Evaluate the adequacy of various contract terms and conditions.
o Be familiar with the request for proposal (RFP) process.

In the Big Picture
Task 2.8: Evaluate IT management and monitoring of controls (e.g., continuous monitoring and quality assurance [QA]) for ... policies, standards and procedures.
The Big Picture: As a foundation to proper governance of enterprise IT, the IS auditor needs to see how management is measuring compliance with policies and regulations.


Discussion Question
An IS auditor is performing a review of the software quality management process in an organization. The FIRST step should be to:
A. verify how the organization follows the standards.
B. identify and report the controls currently in place.
C. review the metrics for quality evaluation.
D. request all standards that have been adopted by the organization.

Discussion Question
When developing a formal enterprise security program, the MOST critical success factor (CSF) would be the:
A. establishment of a review board.
B. creation of a security unit.
C. effective support of an executive sponsor.
D. selection of a security process owner.


Task 2.9
Evaluate monitoring and reporting of IT key performance indicators (KPIs) to determine whether management receives sufficient and timely information.

Key Terms
Key performance indicator (KPI): A measure that determines how well the process is performing in enabling the goal to be reached. A lead indicator of whether a goal will likely be reached, and a good indicator of capabilities, practices and skills. It measures an activity goal, which is an action that the process owner must take to achieve effective process performance.


Task to Knowledge Statements
How does Task 2.9 relate to each of the following knowledge statements?

K2.10 Knowledge of IT supplier selection, contract management, relationship management and performance monitoring processes, including third-party outsourcing relationships
Connection: Relationship between vendor management and contractual terms and their impact on driving IT governance of the outsourcing entity

K2.11 Knowledge of enterprise risk management (ERM)
Connection: Risk analysis methods used in aligning ERM with the results from monitoring and reporting of IT KPIs

K2.14 Knowledge of practices for monitoring and reporting of IT performance (e.g., balanced scorecards [BSCs] and key performance indicators [KPIs])
Connection: Understanding and using concepts and techniques related to establishing, monitoring and reporting processes needed by the governance team to evaluate performance and provide direction to senior management


Financial Management
The IS budget allows for an adequate allocation of funds and for forecasting, monitoring and analyzing financial information.
The budget should be linked to short- and long-range IT plans.
... monitoring of IS expenses and resources.
o In this arrangement, end users are charged for costs of IS services they receive.
o These charges are based on a standard formula and include such IS services as staff time, computer time and other relevant costs.

Performance Optimization
Performance optimization is the process of improving perceived service performance while bringing IS productivity to the highest level possible.
Ideally, this productivity will be gained without excessive additional investment in the IT infrastructure.
Effective performance measures are used to create and facilitate action to improve both performance and GEIT. These depend upon:
o The clear definition of performance goals
o The establishment of effective metrics to monitor goal achievement


Tools and Techniques
Several tools and techniques can be employed to facilitate performance measurement, ensure good communication and support organizational change. These include:
o Six Sigma
o IT BSC
o KPIs
o Benchmarking
o Business process reengineering (BPR)
o Root cause analysis
o Life cycle cost-benefit analysis

Six Sigma: A quantitative process analysis, defect reduction and improvement approach
IT BSC: A process management evaluation technique that can be effectively applied to assess IT functions and processes
KPI: A measure that determines how well a process is performing in enabling a goal to be reached
Benchmarking: A systematic approach to comparing enterprise performance against competitors to learn methods
BPR: The thorough analysis and redesign of business processes to establish a better performing structure with cost savings
Root Cause Analysis: The process of diagnosis to establish the origins of events so that controls can be developed to address these causes
Life Cycle Cost-benefit: Assessment of life cycle, life cycle cost and benefit analysis to determine strategic direction for IT systems


In the Big Picture
Task 2.9: Evaluate monitoring and reporting of IT key performance indicators (KPIs) to determine whether management receives sufficient and timely information.
The Big Picture: Only through timely, objective measurement processes can the IS auditor truly determine if management has the relevant information to manage GEIT.

Discussion Question
While reviewing a quality management system (QMS) the IS auditor should PRIMARILY focus on collecting evidence to show that:
A. quality management systems (QMSs) comply with good practices.
B. continuous improvement targets are being monitored.
C. standard operating procedures of IT are updated annually.
D. key performance indicators (KPIs) are defined.


Discussion Question
Before implementing an IT balanced scorecard (BSC), an organization must:
A. deliver effective and efficient services.
B. define key performance indicators.
C. provide business value to IT projects.
D. control IT expenses.

Task 2.10
... continuity plan (BCP), including the alignment of the IT disaster recovery plan (DRP) with the BCP, to determine the ... essential business operations during the period of an IT disruption.


Key Terms
Business continuity: Preventing, mitigating and recovering from disruption. ... be used in this context. They focus on recovery aspects ... should also be taken into account.
Business continuity plan (BCP): A plan used by an enterprise to respond to disruption of critical business processes; depends on the contingency plan for restoration of critical systems.
Disaster recovery plan (DRP): A set of human, physical, technical and procedural resources to recover, within a defined time and cost, an activity interrupted by an emergency or disaster.

Task to Knowledge Statements
How does Task 2.10 relate to each of the following knowledge statements?

K2.11 Knowledge of enterprise risk management (ERM)
Connection: Understanding both the organizational risk appetite and cost-benefit analysis, where the risk appetite is not exceeded and the benefits derived from the risk mitigation do not exceed the cost of the control

K2.15 Knowledge of business impact analysis (BIA)
Connection: Understanding the BIA as a key driver of the BCP/disaster recovery process


How does Task 2.10 relate to each of the following knowledge statements?

Knowledge Statement: Connection
K2.16 Knowledge of the standards and procedures for the development, maintenance and testing of the business continuity plan (BCP): Understanding the life cycle of BCP/DRP development and maintenance
K2.17 Knowledge of procedures used to invoke and execute the business continuity plan and return to normal operations: Understanding how the BIA defines the triggers to initiate the various actions within the BCP/DRP

Policy Management

The management of information security ensures that an organization's information assets and the systems that process the information are properly protected.
An information security program is established through:
o Assessing the risk to IT assets
o Mitigating the risk to a level determined by management
o Monitoring remaining residual risk


Information security management programs include the development of the following, as related to IT department functions in support of critical business processes:
o BIA
o BCP
o DRP

Business Continuity Planning

In the event of a disruption of normal business operations, BCP and DRP can allow critical processes to carry on.
Responsibility for the BCP rests with senior management, but its execution usually lies with business and supporting units.
The plan should address all functions and assets that will be required to continue as a viable operation immediately after encountering an interruption and while recovery is taking place.


Disaster Management

An IT DRP is a structured collection of processes and procedures designed to speed response and ensure business continuity in the event of a disaster.
Various roles and responsibilities for teams are defined in the DRP.
The IS auditor should have knowledge of team responsibilities, which are likely to vary from organization to organization.

The BCP and DRP

The DRP is a part of the BCP.
It outlines the restoration plan that will be used to return operations to a normal state.
In general, a single integrated plan is recommended to ensure that:
o Coordination between various plan components supports response and recovery.
o Resources are used in the most effective way.
o Reasonable confidence can be maintained that the enterprise will survive a disruption.


IT BCP

IT service continuity is often critical to the organization, and developing and testing an information system BCP/DRP is a major component of enterprise-wide continuity planning.
Points of vulnerability are identified and considered during the risk assessment process.
The potential for harm from these can be quantified through a BIA.

BCP Process

The BCP process can be divided into life cycle phases, as shown here.

[Figure: Business Continuity Planning Life Cycle. Phases, in order: BC Project Planning (BC Policy, Project Scope); Risk Assessment and Analysis; Business Impact Analysis; BC Strategy Development; Strategy Execution (Risk Countermeasures Implementation); BC Plan Development; Awareness Training; BC Plan Testing; BC Plan Monitoring, Maintenance and Updating.]

Source: ISACA, CISA Review Manual 26th Edition, figure 2.14


Disasters and Disruptions

Disasters are likely to require recovery efforts to restore the operational status of information resources.
Categories of disasters include:
o Natural calamities
o Pandemics, epidemics or other infectious outbreaks
o Utility disruptions
o Actions by humans, whether intentionally harmful or through error
o Hardware or software malfunctions
o Incidents causing damage to image, reputation or brand
Some events are unforeseeable. These are referred to ...

Business Continuity Policy

A business continuity policy should be proactive, delivering the message that all possible controls to both detect and prevent disruptions should be used.
The policy is a document approved by top management; it serves several purposes:
o It carries a message to internal stakeholders that the organization is committed to business continuity.
o As a statement to the organization, it empowers those who are responsible for business continuity.
o It communicates to external stakeholders that obligations, such as service delivery and compliance, are being taken seriously.


Incident Mitigation

[Figure: Incident and Impact Relationship Diagram. Reduce the Likelihood: Infrastructure Monitoring; Capacity Management; Incident Management (Help Desk); Preventive Controls (Risk Countermeasure); Risk Management; Configuration Management. Incident: Detective Controls; Corrective Controls. Mitigate the Consequences: Backup and Recovery; BCP or IT DRP; Special Clauses in Vendor/Supplier Contracts; Spare Processing Site; UPS or Power Generator.]

Source: ISACA, CISA Review Manual 26th Edition, figure 2.15

BCP Incident Management

By their nature, incidents and crises often unfold dynamically and rapidly in unforeseeable directions.
Management of such situations requires a proactive approach and supporting documentation.
All incidents should be classified at one of the following levels:
o Negligible: causing no perceptible damage
o Minor: producing no negative financial or material impact
o Major: causing a negative material impact on business processes; possible effects on other systems, departments or outside stakeholders
o Crisis: resulting in serious material impact on the continued functioning of the enterprise and its stakeholders
Note that the classification of an incident can change as events proceed.


BCP Plan Components

The BCP should include:
o Continuity of operations plan
o Disaster recovery plan
o Business resumption plan
It may also include:
o IT contingency plan
o Crisis communications plan
o Incident response plan
o Transportation plan
o Occupant emergency plan
o Evacuation plan
o Emergency relocation plan

Plan Testing

The critical components of a BCP should be tested under simulated conditions to accomplish objectives such as these:
o Verify the accuracy of the BCP.
o Evaluate the performance of involved personnel.
o Evaluate coordination among response team members and external parties.
o Measure the ability and capacity of any backup site to perform as expected.
Assessing the results and value of the BCP tests is an important responsibility for the IS auditor.


Auditing Business Continuity

When auditing business continuity, the IS auditor must complete a number of tasks, for example:
o Understanding the connections between BCP and business objectives
o Evaluating the BCP and determining its adequacy and currency
o Verifying BCP effectiveness through a review of plan testing
o Evaluating cloud-based mechanisms and offsite storage
o Assessing the ability of personnel to respond effectively in the event of an incident

BCP Audit Review

1. Review the BCP document.
2. Review the applications covered by the BCP.
3. Review the business continuity teams.
4. Test the plan.


BCP Audit Evaluation

[Figure: BCP audit evaluation activities. Evaluate prior test results; Evaluate offsite storage facilities, including security controls; Evaluate key personnel through interviews; Evaluate alternative processing contract; Evaluate insurance coverage.]

In the Big Picture

Task 2.10
Evaluate the organization's business continuity plan (BCP), including the alignment of the IT disaster recovery plan (DRP) with the BCP, to determine the organization's ability to continue essential business operations during the period of an IT disruption.

The Big Picture
The IS auditor needs to only evaluate the content of the DRP and BCP to determine if these processes will return the business to normal operations.


Discussion Question

During a review of a business continuity plan, an IS auditor noticed that the point at which a situation is declared to be a crisis has not been defined. The MAJOR risk associated with this is that:
A. assessment of the situation may be delayed.
B. execution of the disaster recovery plan could be impacted.
C. notification of the teams might not occur.
D. potential crisis recognition might be delayed.

Discussion Question

... disaster in which not all the critical data needed to resume business operations were retained. Which of the following was incorrectly defined?
A. The interruption window
B. The recovery time objective (RTO)
C. The service delivery objective (SDO)
D. The recovery point objective (RPO)


Domain 2 Summary

Evaluation of the IT strategy life cycle
Evaluation of the effectiveness of the IT governance structure
Evaluation of the IT organizational structure and human resources (personnel) management
Evaluation of the organization's IT policies, standards and procedures life cycle
Evaluation of IT resource management
Evaluation of IT portfolio management
Evaluation of risk management practices
Evaluation of IT management and monitoring of controls
Evaluation of monitoring and reporting of IT KPIs
Evaluation of the organization's business continuity plan
The importance of a BCP, including the alignment of the IT DRP with the BCP


Discussion Question

When auditing the IT governance framework and IT risk management practices that exist within an organization, the IS auditor identified some undefined responsibilities regarding IT management and governance roles. Which of the following recommendations is the MOST appropriate?
A. Review the strategic alignment of IT with the business.
B. Implement accountability rules within the organization.
C. Ensure that independent IS audits are conducted periodically.
D. Create a chief risk officer (CRO) role in the organization.

Discussion Question

To optimize an organization's business contingency plan (BCP), an IS auditor should recommend a BIA to determine:
A. the business processes that generate the most financial value for the organization and, therefore, must be recovered first
B. the priorities and order for recovery to ensure alignment with the organization's business strategy
C. the business processes that must be recovered following a disaster to ensure the organization's survival
D. the priorities and order of recovery, which will recover the greatest number of systems in the shortest time frame
