Module 2 IT Governance

IT Governance
• IT governance, one of the domains of enterprise governance, comprises the body of issues addressed in considering how IT is applied within the enterprise.
• Fundamentally, IT governance is concerned with two issues: that IT delivers value to the business and that IT risks are managed. The first is driven by strategic alignment of IT with the business. The second is driven by embedding accountability into the enterprise.

2.4.1 Best Practices for IT Governance (continued)
IT governance has become significant due to:
• Business demands for better return from IT investments
• Concern over the increasing level of IT expenditures
• Need to meet regulatory requirements for IT controls in areas such as privacy and financial reporting
• Selection of service providers and outsourcing
• Complexity of network security
• Adoption of control frameworks
• Benchmarking

2.4.1 Best Practices for IT Governance (continued)
Audit role in IT governance
• Audit plays a significant role in the successful implementation of IT governance within an organization
• Reporting on IT governance involves auditing at the highest level in the organization and may cross division, functional or departmental boundaries

2.4.2 IT Strategy Committee
• The creation of an IT strategy committee is an industry best practice
• The committee should broaden its scope to include not only advice on strategy when assisting the board in its IT governance responsibilities, but also a focus on IT value, risks and performance

2.4.4 Information Security Governance
• Focused activity with specific value drivers
  – Confidentiality, integrity and availability of information
  – Continuity of services
  – Protection of information assets
• Integral part of IT governance
• Importance of information security governance

2.4.4 Information Security Governance (continued)
Importance of information security governance
• Information security (infosec) covers all information processes, physical and electronic, regardless of whether they involve people and technology or relationships with trading partners, customers and third parties.
• Infosec is concerned with all aspects of information and its protection at all points of its life cycle within the organization.

2.4.4 Information Security Governance (continued)
Effective information security can add significant value to an organization by:
• Providing greater reliance on interactions with trading partners
• Improving trust in customer relationships
• Protecting the organization’s reputation
• Enabling new and better ways to process electronic transactions

2.4.4 Information Security Governance (continued)
Information security governance requires strategic direction and impetus from:
• Boards of directors / senior management
• Executive management
• Steering committees
• Chief information security officers

2.4.5 Enterprise Architecture
• Involves documenting an organization’s IT assets in a structured manner to facilitate understanding, management and planning for IT investments

2.5.1 Strategic Planning
• From an IS standpoint, strategic planning relates to the long-term direction an organization wants to take in leveraging information technology for improving its business processes
• Effective IT strategic planning involves a consideration of the organization’s demand for IT and its IT supply capacity

2.5.1 Strategic Planning (continued)
• The IS auditor should pay attention to the importance of IT strategic planning
• Focus on the importance of a strategic planning process or planning framework
• Consider how the CIO or senior IT management are involved in the creation of the overall business strategy

2.8.1 Policies
• High-level documents
• Represent the corporate philosophy of an organization
• Must be clear and concise to be effective

2.8.1 Policies (continued)
• Management should review all policies carefully
• Policies need to be updated to reflect new technology and significant changes in business processes
• Policies formulated must enable achievement of business objectives and implementation of IS controls

2.8.1 Policies (continued)
Information security policies
• Communicate a coherent security standard to users, management and technical staff
• Must balance the level of control with the level of productivity
• Provide management direction and support for information security in accordance with business requirements, relevant laws and regulations

2.8.1 Policies (continued)
Information security policy document
• Definition of information security
• Statement of management intent
• Framework for setting control objectives
• Brief explanation of security policies
• Definition of responsibilities
• References to documentation

2.8.1 Policies (continued)
Policy groups to be addressed
• High-level information security policy
• Data classification policy
• Acceptable usage policy
• End user computing policy
• Access control policies

2.8.1 Policies (continued)
Review of the information security policy document
• Should be reviewed at planned intervals or when significant changes occur to ensure its continuing suitability, adequacy and effectiveness
• Should have an owner who has approved management responsibility for the development, review and evaluation of the security policy
• Review should include assessing opportunities for improvement to the organization’s information security policy

2.10.1 HR Management
• Hiring
• Employee handbook
• Promotion policies
• Training
• Scheduling and time reporting
• Employee performance evaluations
• Required vacations
• Termination policies

2.10.3 Organizational Change Management
What is change management?
• Managing IT changes for the organization
  – Identify and apply technology improvements at the infrastructure and application level

2.10.4 Financial Management Practices
What is financial management?
• Financial management is a critical element of all business functions
• In a cost-intensive computer environment, it is imperative that sound financial management practices are in place

2.10.5 Quality Management
• Software development, maintenance and implementation
• Acquisition of hardware and software
• Day-to-day operations
• Service management
• Security
• Human resource management
• General administration

2.11.1 IS Roles and Responsibilities
• Systems development manager
• Help desk
• End user
• End user support manager

2.11.1 IS Roles and Responsibilities (continued)
• Data management
• Quality assurance manager
• Vendor and outsourcer management
• Operations manager

2.11.1 IS Roles and Responsibilities (continued)
• Security administration
• Quality assurance
• Database administration

2.11.1 IS Roles and Responsibilities (continued)
• Systems analyst
• Applications development and maintenance
• Infrastructure development and maintenance
• Network management

2.11.2 Segregation of Duties Within IS
• Avoids the possibility of errors or misappropriations
• Discourages fraudulent acts
• Limits access to data

2.12 Auditing IT Governance Structure and Implementation
Indicators of potential problems include:
• Unfavorable end-user attitudes
• Excessive costs
• Budget overruns
• Late projects
• High staff turnover
• Inexperienced staff
• Frequent hardware/software errors

2.12.1 Reviewing Documentation
The following documents should be reviewed:
• IT strategies, plans and budgets
• Security policy documentation
• Organization/functional charts
• Job descriptions
• Steering committee reports
• System development and program change procedures
• Operations procedures
• Human resource manuals
• Quality assurance procedures

2.13 Business Continuity Planning
• Business continuity planning (BCP) is a process designed to reduce the organization’s business risk
• A BCP is much more than just a plan for the information systems

2.13 Business Continuity Planning (continued)
Corporate risks could cause an organization to suffer:
• Inability to maintain critical customer services
• Damage to market share, reputation or brand
• Failure to protect the company assets, including intellectual property and personnel
• Business control failure
• Failure to meet legal or regulatory requirements

6.13.1 IS Business Continuity
IS processing is of strategic importance
• Critical component of overall BCP
• Most key business processes depend on the availability of key systems and infrastructure components

6.13.2 Disasters and Other Disruptive Events
• Disasters are disruptions that cause critical information resources to be inoperative for a period of time
• Good BCP will take into account impacts on IS processing facilities

6.13.3 Business Continuity Planning Process
Phases of the business continuity planning process
• Creation of a business continuity and disaster recovery policy
• Business impact analysis
• Classification of operations and criticality analysis
• Development of a business continuity plan and disaster recovery procedures
• Training and awareness program
• Testing and implementation of plan
• Monitoring

2.13.4 Business Continuity Policy
• A business continuity policy is a document approved by top management that defines the extent and scope of the business continuity effort (a project or an ongoing program) within the organization.

6.13.5 Business Continuity Planning Incident Management
All types of incidents should be categorized:
• Negligible
• Minor
• Major
• Crisis

6.13.6 Business Impact Analysis
• Critical step in developing the business continuity plan
• Three main questions to consider during the BIA phase:
  1. What are the different business processes?
  2. What are the critical information resources related to an organization’s critical business processes?
  3. What is the critical recovery time period for information resources in which business processing must be resumed before significant or unacceptable losses are suffered?

6.13.9 Components of a Business Continuity Plan
A business continuity plan may consist of more than one plan document:
• Continuity of operations plan (COOP)
• Disaster recovery plan (DRP)
• Business resumption plan
• Continuity of support plan / IT contingency plan
• Crisis communications plan
• Incident response plan
• Transportation plan
• Occupant emergency plan (OEP)

6.13.9 Components of a Business Continuity Plan (continued)
Components of the plan
• Key decision-making personnel
• Backup of required supplies
• Telecommunication networks disaster recovery methods
• Insurance

6.13.10 Plan Testing
• Schedule testing at a time that will minimize disruptions to normal operations
• Test must simulate actual processing conditions
• Test execution:
  – Documentation of results
  – Results analysis
  – Recovery / continuity plan maintenance

6.13.11 Summary of Business Continuity and Disaster Recovery (continued)
• Process for developing and maintaining the BCP/DRP
  – Business impact analysis
  – Identify and prioritize systems
  – Choose appropriate strategies
  – Develop the detailed plan for IS facilities
  – Develop the detailed BCP
  – Test the plans
  – Maintain the plans

2.14 Auditing Business Continuity
• Understand and evaluate business continuity strategy
• Evaluate plans for accuracy and adequacy
• Verify plan effectiveness
• Evaluate offsite storage
• Evaluate ability of IS and user personnel to respond effectively
• Ensure plan maintenance is in place
• Evaluate readability of business continuity manuals and procedures

2.14.1 Reviewing the Business Continuity Plan
IS auditors should verify that basic elements of a well-developed plan are evident, including:
• Currency of documents
• Effectiveness of documents
• Interview personnel for appropriateness and completeness

2.14.2 Evaluation of Prior Test Results
IS auditors must review the test results to:
• Determine whether corrective actions are in the plan
• Evaluate thoroughness and accuracy
• Determine problem trends and resolution of problems

2.14.4 Interviewing Key Personnel
• Key personnel must have an understanding of their responsibilities
• Current detailed documentation must be kept

2.14.5 Evaluation of Security at Offsite Facility
An IS auditor must:
• Evaluate the physical and environmental access controls
• Examine the equipment for current inspection and calibration tags

2.14.7 Reviewing Insurance Coverage
• Insurance coverage must reflect the actual cost of recovery
• Coverage of the following must be reviewed for adequacy:
  – Media damage
  – Business interruption
  – Equipment replacement
  – Business continuity processing