CISA Review Chapter 2 With Answers

Download Report

Transcript CISA Review Chapter 2 With Answers

CISA REVIEW
The material provided in this slide show came
directly from Certified Information Systems
Auditor (CISA) Review Material 2010 by ISACA.
CISA REVIEW
Chapter 2 – Governance Learning Objectives
•
•
•
•
•
•
•
•
Evaluate the effectiveness of IT governance structure to ensure adequate board
control over the decisions, directions and performance of IT, so it supports the
organization's strategies and objectives
Evaluate IT organizational structure and human resources (personnel) management
to ensure that they support the organization's strategies and objectives
Evaluate the IT strategy and process for their development, approval,
implementation and maintenance to ensure that they support the organization's
strategies and objectives
Evaluate the organization's IT policies, standards, procedures and processes for their
development, approval, implementation and maintenance to ensure that they
support the IT strategy and comply with regulatory and legal requirements
Evaluate management practices to ensure compliance with the organization's IT
strategy, policies, standards and procedures
Evaluate IT resource investment, use and allocation practices to ensure alignment
with the organization's strategies and objectives
Evaluate risk management practices to ensure that the organization's IT-related risks
are properly managed
Evaluate monitoring and assurance practices to ensure that the board and executive
management receive sufficient and timely information about IT performance
CISA REVIEW
Chapter 2 – Governance
• IT governance is used to ensure that an organization's IT
objectives are in alignment with its enterprise objectives.
To ensure successful implementation of IT governance,
an IS auditor needs to make certain that the
organization's IS strategies are in alignment with the
organization's business strategies. The IS auditor must
also ensure that IS strategies comply with all local,
regional and federal laws and regulations.
• Other critical elements of an IS auditor's role in IT
governance is to ensure that IS policies exist and
adequately reflect the approved IS strategies, and that IS
standards and procedures effectively enforce and
communicate IS policies.
CISA REVIEW
Chapter 2 – Governance
• IT governance implies a system in which all stakeholders,
including the board, internal customers and related areas
such as finance, have the necessary input into the decision
making process. This prevents a single stakeholder, typically
IT, being blamed for poor decisions. It also prevents users
from later complaining that the system does not behave or
perform as expected.
• The best way to implement IT governance so it has the most
positive impact is to have collaborative senior management
sponsorship between the business and IT operations. Lower
management levels may have some success but when
governance is departmental only, problems arise with
projects that transcend departments that are not
consistently managed using the same guidance.
CISA REVIEW
Chapter 2 – Governance
IT governance encompasses:
• Information systems
• Technology and communication
• Business, legal and other issues such as
regulatory compliance and security
• All concerned stakeholders, directors, senior
management, process owners, IT suppliers,
users and auditors
CISA REVIEW
Chapter 2 – Governance
Chief executive officers (CEOs), chief financial
officers (CFOs) and chief information officers
(CIOs) agree that the strategic alignment
between IT and enterprise objectives is a
critical success factor for an organization.
CISA REVIEW
Chapter 2 – Process Improvement
IT governance is concerned that IT delivers value to the
business and that IT risks are managed. The first is driven
by strategic alignment of IT with the business. The second
is driven by embedding accountability into the enterprise,
which cannot be accomplished without effective
measuring and reporting.
CISA REVIEW
Chapter 2 – Governance
•
•
•
•
•
•
An IS auditor should assess the following organizational
IT governance elements:
Alignment of the IT function with the organization's
mission, vision, values, objectives and strategies
Achievement of IT function performance objectives
established by the business (effectiveness and efficiency)
including the measures used to determine success
Legal, environmental, information quality, and fiduciary
and security requirements
The control environment of the organization
The inherent risks within the IT environment
The organization's documentation and contractual
commitments
CISA REVIEW
Chapter 2 – IT Strategy Committee
As an industry best practice, all organizations
should create an IT strategy committee. To
incorporate IT governance into enterprise
governance, a successful IT strategy committee
must assist the board by:
• Providing advice on strategy, IT value, risks and
performance
• Overseeing the enterprise's IT-related matters by
ensuring that the board has the internal and
external information it requires for effective IT
governance decision-making
CISA REVIEW
Chapter 2 – IT Steering Committee
In addition to the IT strategy committee, an
organization's senior management should
appoint an IT planning or steering committee.
The responsibilities and duties of this
committee should be defined in a formal
charter and include overseeing the IT function
and its activities, and ensuring that the IT
department is in agreement with the
organization's mission and objectives.
CISA REVIEW
Chapter 2 – IT Steering Committee
The primary functions of the IT steering committee include the following:
• Review the long- and short-range plans of the IT department to ensure that
they are in accordance with the organization's objectives.
• Review and approve major acquisitions of hardware and software within the
limits approved by the board of directors.
• Approve and monitor major projects and the status of IT plans and budgets;
establish priorities; approve standards and procedures; and monitor overall
IT performance.
• Review and approve sourcing strategies for select, or all, IT activities,
including insourcing or outsourcing, and the globalization or offshoring of
functions.
• Review adequacy of resources and allocation of resources in terms of time,
personnel and equipment.
• Make decisions regarding centralization vs. decentralization and assignment
of responsibility.
• Support development and implementation of an enterprisewide information
security management program.
• Report to the board of directors on IT activities.
CISA REVIEW
Chapter 2 – IT Steering Committee
•
•
•
•
•
In order to effectively coordinate and monitor an
organization's IT resources and IT steering committee
must:
Receive the appropriate management information from
IT departments, user departments and audits
Monitor performance and institute appropriate action to
achieve desired results
Meet regularly and report to senior management
Maintain formal minutes to document the committee's
activities and decisions
Serve as a general review board for major IT projects and
avoid becoming involved in routine operations
CISA REVIEW
Chapter 2 – Strategic Planning
An important element of strategic planning is to make
sure that business and IT management work together
toward a common goal. To do this:
• IT management needs to have a better understanding of
business issues and business unit management should
also have a solid understanding of the reality of IT
constraints.
• All parties involved should have the ability to understand
and relate strategic plans between business needs and
IT. Strategic plans should address how IT resources will
add-value to the business. IT resources add-value by
mitigating risk and delivering and protecting information
and allocating resources accordingly.
CISA REVIEW
Chapter 2 – Strategic Planning
Instructions: Match each IT governance outcome to its corresponding
description.
Outcomes
Strategic alignment
Risk management
Value delivery
Resource management
Performance measurement
Descriptions
Measures, monitors and reports on information security processes to ensure
objectives are achieved
Aligns information security with business strategy to support organizational
objectives
Optimizes security investments in support of business objectives
Utilizes information security knowledge and infrastructure efficiently and
effectively
Manages and executes appropriate measures to mitigate risks and reduce
potential impacts on information resources to an acceptable level
CISA REVIEW
Chapter 2 – Strategic Planning
Answers: Each term is followed by the appropriate description.
• Strategic alignment
Aligns information security with business strategy to support
organizational objectives
• Risk management
Manages and executes appropriate measures to mitigate risks and
reduce potential impacts on information resources to an acceptable
level
• Value delivery
Optimizes security investments in support of business objectives
• Resource management
Utilizes information security knowledge and infrastructure efficiently
and effectively
• Performance measurement
Measures, monitors and reports on information security processes to
ensure objectives are achieved
CISA REVIEW
Chapter 2 – Policies and Procedures
IT governance also includes overseeing the
policies and procedures developed to guide and
control information systems and related
resources.
CISA REVIEW
Chapter 2 – Information Security Policy
Information security policies should guide the
organization by defining what needs to be
protected, responsibilities for protection, and the
strategy that will be followed for protection.
Information security policies should be developed
in accordance with business requirements, and
relevant laws and regulations. An organization's
management should demonstrate support for and
commitment to information security by issuing and
maintaining information security policies that
contain a clear direction.
CISA REVIEW
Chapter 2 – Information Security Policy
An organization's information security policy
should be approved by management and:
• Define the overall objective and scope of the
organization's information security
• Align the goals and principles of information
security with the business strategy and
objectives
• Set the framework for risk assessment and risk
management
CISA REVIEW
Chapter 2 – Information Security Policy
After an information security policy is approved
by management, it should be published and
communicated. The communication of this
policy must be:
• Communicated to all users in the organization,
including internal and external workers, third
parties and outsourcers
• Provided in a form that is accessible and
understandable to the intended reader
CISA REVIEW
Chapter 2 – Information Security Management
•
•
•
•
Information security management involves leading and
facilitating the implementation of an organization wide IT
security program to assure that the organization's
information and the information-processing resources under
its control are properly protected. This includes but is not
limited to:
Developing business continuity and disaster recovery plans
(BCP and DRP) related to IT department functions in support
of the organization's critical business processes
Applying risk management principles to assess the risks to IT
assets
Mitigate risks to an appropriate level as determined by
management
Monitor the remaining residual risks
CISA REVIEW
Chapter 2 – Information Security Management
Instructions: Here are three items and descriptions. Match each item to
its corresponding description.
Items
Information access policy
Sourcing practices
Information security management practices
Descriptions
Leading and facilitating the implementation of an organizationwide IT
security program
Grants access to only those resources at or below a specific level of
sensitivity
Asks "can this function be performed by another party or in another
location for the same or lower price, with the same or higher quality,
and without increasing risk?"
CISA REVIEW
Chapter 2 – Information Security Management
Answers: Each term is followed by the appropriate description.
Information access policy
Grants access to only those resources at or below a specific
level of sensitivity
Sourcing practices
Asks "can this function be performed by another party or in
another location for the same or lower price, with the same or
higher quality, and without increasing risk?"
Information security management practices
Leading and facilitating the implementation of an organization
wide IT security program
CISA REVIEW
Chapter 2 – Information Security Management
Real-World Example
An organization is using human resources (HR) management
software that it had developed by a vendor several years ago.
The software maintains confidential information typically kept
in personnel files, such as salary levels and management
reviews. On performing a review, the IS auditor found that there
were no written policies or guidelines indicating the type of
authentication necessary for accessing the information in the
software and that the organization typically used a fourcharacter password for all items requiring access controls.
Think About It: What is the risk associated with this situation?
CISA REVIEW
Chapter 2 – Information Security Management
Answer:
The lack of sufficient access controls poses a serious risk to an
organization's information integrity.
Think About It: What do you, as an IS audit expert, think could
have been done proactively to prevent this organization from
being in this situation?
CISA REVIEW
Chapter 2 – Information Security Management
Answer:
To prevent a situation like this from occurring, an organization
should have proper access control policies, process, and strategies
in place. This would involve performing regularly scheduled
reviews and/or audits on all information assets requiring security
and updating the organization's information security directive as
appropriate. Additional proactive controls could also include
addenda and reviews to the vendor contract with specific security
requirements and requiring complexity-enabled password
requirements.
CISA REVIEW
Chapter 2 – Information Access
•
•
•
•
•
Typical information security policies addressing
information access include the following:
Individuals are granted access to only those resources at
or below a specific level of sensitivity.
Labels are used to indicate the sensitivity level of
electronically stored documents.
Policy-based controls may be characterized as either
mandatory or discretionary.
Controls should not disrupt the usual work flow more
than necessary or place too much burden on
administrators, auditors or authorized users.
Access controls must adequately protect all the
organization's resources.
CISA REVIEW
Chapter 2 – Segregation of Duties
• The purpose of segregating duties is to aid an
organization in reducing some of its business
risks through the identification of compensating
controls.
• For example, when duties are segregated,
access to the computer, the production data
library, the production programs, the
programming documentation, and the
operating system and associated utilities can be
limited, and potential damage from the actions
of any one person is, therefore, reduced.
CISA REVIEW
Chapter 2 – Segregation of Duties
Several control mechanisms can be used to enforce
segregation of duties. Examples of these controls
are:
• Transaction authorization
• Assets/data ownership
• Access to data
Proper segregation prevents misappropriation of
assets, misstated financial statements, inaccurate
financial documentation (i.e., errors or
irregularities), and improper use of funds or not
detecting data modifications.
CISA REVIEW
Chapter 2 – Segregation of Duties
Transaction authorization is the responsibility of
the data owner. Authorization is delegated to
the degree that it relates to the particular level
of responsibility of the authorized individual in
the department. Periodic checks must be
performed by management and audit to
determine that adequate authorization policies
and procedures exist and are implemented.
CISA REVIEW
Chapter 2 – Segregation of Duties
Ownership of assets/data must be determined
and assigned appropriately. The data owner
usually is assigned to a particular user
department, and his/her duties should be
specific and in writing. The owner of the data
has responsibility for determining authorization
levels required to limit the exposure of data
being accessed by people without a justification
to see, modify or use it.
CISA REVIEW
Chapter 2 – Segregation of Duties
Controls over access to data are provided by a
combination of physical, system, and
application security and personnel controls in
the user area and the information process
facility.
CISA REVIEW
Chapter 2 – Segregation of Duties
Information technology and end-user
departments should be organized so any single
individual does not have too much control or
responsibility over critical functions. With
segregation of duties, the misuse of data or
fraud can be detected in a timely manner and
in the normal course of business processes.
Segregation of Duties Exercise
Segregation of Duties Exercise - Answer
CISA REVIEW
Chapter 2 – Compensating Controls
Of course there will be situations were weaknesses
exist with segregation of duties (e.g. smaller
organizations with fewer staff). In these situations,
compensating controls can be used.
Compensating controls include:
• Audit trails
• Reconciliation
• Exception reporting
• Transaction logs
• Supervisor reviews
• Independent reviews
CISA REVIEW
Chapter 2 – Compensating Controls
Audit trails are an essential component of all welldesigned systems. Audit trails enable the user
departments and IS auditor to re-create the actual
transaction flow from the point of origination to its
existence on an updated file. In the absence of
adequate segregation of duties, good audit trails may
be an acceptable compensating control. The IS
auditor should be able to determine who initiated
the transaction, the time of day and date of entry,
the type of entry, what fields of information it
contained, and what files it updated.
CISA REVIEW
Chapter 2 – Compensating Controls
Audit trails are an essential component of all welldesigned systems. Audit trails enable the user
departments and IS auditor to re-create the actual
transaction flow from the point of origination to its
existence on an updated file. In the absence of
adequate segregation of duties, good audit trails may
be an acceptable compensating control. The IS
auditor should be able to determine who initiated
the transaction, the time of day and date of entry,
the type of entry, what fields of information it
contained, and what files it updated.
CISA REVIEW
Chapter 2 – Compensating Controls
Reconciliation is ultimately the responsibility of the
user department. In some organizations, limited
reconciliation of applications may be performed by
the data control group with the use of control totals
and balancing sheets. This type of independent
verification increases the level of confidence that the
application processed successfully and the data are in
proper balance.
CISA REVIEW
Chapter 2 – Compensating Controls
Exception reporting should be handled at the
supervisory level and should require evidence, such
as initials on a report, noting that the exception has
been handled properly. Management should also
ensure that exceptions are resolved in a timely
manner.
CISA REVIEW
Chapter 2 – Compensating Controls
A transaction log may be manual or automated. An
example of a manual log is a record of transactions
(grouped or batched) before they are submitted for
processing. An automated transaction log or journal
provides a record of all transactions processed, and it
is maintained by the computer system.
CISA REVIEW
Chapter 2 – Compensating Controls
Supervisory reviews may be performed through
observation and inquiry or remotely.
CISA REVIEW
Chapter 2 – Compensating Controls
Independent reviews are carried out to compensate
for mistakes or intentional failures in following
prescribed procedures. These are particularly
important when duties in a small organization cannot
be appropriately segregated. Such reviews will help
detect errors or irregularities.
CISA REVIEW
Chapter 2 – Compensating Controls
Instructions: Here are two categories and nine descriptions.
Determine the appropriate category for each item.
Categories
Compensating controls
Segregated Duties
Items
Audit trails
Authorization
Custody of the assets
Exception reporting
Independent reviews
Reconciliation
Recording transactions
Supervisor reviews
Transaction logs
CISA REVIEW
Chapter 2 – Compensating Controls
Answers
Each category is followed by the appropriate items.
Compensating Controls:
Audit trails
Reconciliation
Exception reporting
Transaction logs
Supervisor reviews
Independent reviews
Segregated Duties:
Custody of the assets
Authorization
Recording transactions
CISA REVIEW
Chapter 2 – Risk Management
Effective IT governance will enable an organization to manage and execute
appropriate measures to mitigate risks and reduce potential impacts on
information resources to an acceptable level.
To achieve this level of risk management, an organization must maintain:
•A collective understanding of the organizations threat, vulnerability and
risk profile consistent with the management's risk philosophy and position
•An understanding of risk exposure and potential consequences of
compromise including the regulatory, legal, operational and brand impacts
•An awareness of risk management priorities based on potential
consequences
•Risk mitigation sufficient to achieve acceptable consequences from
residual risk
•Risk acceptance/deference based on an understanding of the potential
consequences of residual risk
CISA REVIEW
Chapter 2 – Risk Management
Risk management is the process an organization must
go through to:
•Identify any vulnerabilities and threats to its
information resources
•Decide on the countermeasures to take which may
reduce any risk to an acceptable level
An organization must define its risk appetite and its
identified risk exposure before it can develop
effective risk management strategies or determine
what roles and responsibilities are necessary.
CISA REVIEW
Chapter 2 – Risk Management
When an organization finds risk, depending on the
type of risk and its significance to the business,
management and the board have five options:
•Avoid the risk
•Mitigate the risk
•Transfer the risk
•Accept the risk
•Eliminate the risk
CISA REVIEW
Chapter 2 – Risk Management
Once risks have been identified, an organization must evaluate
existing controls or develop new controls to reduce the
vulnerabilities to an acceptable level of risk.
The strength of a control can be measured in terms of its
inherent or design strength and the likelihood of its
effectiveness. Elements of controls that should be considered
when evaluating control strength include whether the controls
are:
•Preventive or detective
•Manual or programmed
•Formal or ad hoc
CISA REVIEW
Chapter 2 – Risk Management
Once controls have been applied, any remaining risk
is called residual risk. Residual risks can be used by
management to identify those areas where they can
reduce risk even further or where more control is
required.
CISA REVIEW
Chapter 2 – Risk Management
Real World Example
A small, growing bank was cited for noncompliance
by a regulatory agency because its information
security program did not have an independent
review. It seems that although a review was
performed, it was conducted by an operations officer
because he had network administrative access and
was the only individual with the expertise to
complete the review.
Think About It: Where is the lapse in effective IT
governance in this situation?
CISA REVIEW
Chapter 2 – Risk Management
Answer:
The actual risk here is the lack of segregation of duty.
The operations officer with network administrative
access is, by default, not independent because he or
she has regular access to the system.
Think About It
What do you, as an IS audit expert, think could have
been done to prevent this bank from being in this
situation?
CISA REVIEW
Chapter 2 – Risk Management
Answer:
If the bank had the proper IT organizational structure
and resource management in place, including proper
segregation of duties and duty controls, this situation
may not have occurred.
CISA REVIEW
Chapter 2 – Process Improvement
Typically, organizations need to measure where they are and
where improvement is required, and continuously monitor
this improvement. Cost-benefit also needs to be considered
along with the following questions:
•What are industry peers doing, and how is your organization
placed in relation to them?
•How is your organization placed with regard to industry good
practices?
•Based on these comparisons, can your organization be said to
be doing enough?
•How can your organization identify what is required to be
done to reach an adequate level of management and control
over its IT processes?
CISA REVIEW
Chapter 2 – Process Improvement
An organization has different levels of process maturity when
compared to their peers. In order to assess their maturity level the
organization should provide:
•A set of requirements and the enabling aspects at the different
maturity levels
•A scale where the difference can be made measurable
•A scale that lends itself to comparison
•The basis for setting as-is and to-be positions
•Support for gap analysis to determine what needs to be done to
achieve a chosen level
•Taken together, a view of how IT is managed in the enterprise
CISA REVIEW
Chapter 2 – IT Balanced Scorecard
Goals and metrics that comprise the IT balanced scorecard
can be defined at three levels:
•IT goals and metrics that define what the business expects
from IT and how to measure it
•Process goals and metrics that define what the IT process
must deliver to support IT's objectives and how to measure
it
•Activity goals and metrics that establish what needs to
happen inside the process to achieve the required
performance and how to measure it
CISA REVIEW
Chapter 2 – IT Balanced Scorecard
Think About It: Why are measures so important?
Answer: The value of metrics is in their ability to provide a factual
basis for defining:
• Strategic feedback to show the present status of the organization
from many perspectives for the decision maker
• Diagnostic feedback into various processes to guide improvements
on a continuous basis
• Trends in performance over time as the metrics are tracked
• Feedback around the measurement methods themselves, and
which metrics should be tracked
• Quantitative inputs to forecasting methods and models for decision
support systems
CISA REVIEW
Chapter 2 – IT Balanced Scorecard
Think About It: Why do you think measuring of IT
performance should be a dynamic process?
It has to be a dynamic process because an organization
must consider and account for the complex and changing
business environments organizations have today.
Accordingly, it can be misleading to program managers if
they try and use traditional measurement to assess
information technology's contribution to the organization's
mission.
CISA REVIEW
Chapter 2 – HR
All organizations should have a variety of policies regarding
human resource issues. Examples of these policies are
training, scheduling and time reporting, employee
performance evaluations, and required vacations.
•Training
•Scheduling and Time Reporting
•Employee Performance Evaluations
•Vacations
Organizations should also have a published code of
conduct that specifies all employees' responsibilities to the
organization.
CISA REVIEW
Chapter 2 – HR
An IS auditor has several responsibilities when evaluating elements
of IT human resource management and how it affects an
organization's IT governance. These responsibilities include looking
for indicators of potential staffing weaknesses or problems such as:
•High staff turnover
•Inexperienced staff
•Lack of succession plans
•Lack of adequate training
Additionally, an IS auditor reviewing an organization's IT resource
management should verify that job descriptions, human resource
manuals, and organizational charts are in place, accurate and
updated regularly.
CISA REVIEW
Chapter 2 – HR
Think About It: What are some reasons that HR and IT must work
together in an organization seeking to achieve effective IT
governance?
HR provides the link for the staffing and training component of the
organization. This directly impacts the quality of the staff and the
performance of IT duties. In order for HR personnel to effectively and
accurately fill positions, they need to communicate closely with the
IT department to obtain a clear understanding of ITs needs.
Additionally, there is an ongoing need for HR involvement in the
overall management of IT resources such as employee education and
training, termination, compliance, and of course, overall IT
governance.
CISA REVIEW
Chapter 2 – IT Resource Allocation
When developing an IS strategic plan, senior management is
responsible for identifying cost-effective IT solutions to address the
organization's problems and opportunities.
It is important that the strategic planning process encompasses not
just the delivery of new systems and technology, but considers the
returns being achieved from investments in existing technology. This
can be done using the following:
•Considering the return on investment (ROI) and total cost of
ownership for all endeavors
•Understanding allocation practices
•Effective budgeting
•Change management
CISA REVIEW
Chapter 2 – IT Resource Allocation
What are the strategic issues that need to be addressed
relative to value?
•A clear and shared understanding of the expected
benefits
•Clear accountability for realizing the benefits
•Relevant metrics
•An effective benefits realization process
CISA REVIEW
Chapter 2 – IT Resource Allocation
How do post implementation reviews impact value?
A post implementation review is a review of the
implementation process against the methodology and
budgeting of the project, and measuring the expected
results against the success metrics. The IS auditor and the
IT project team need to review results and develop steps
for improvement.