
ISACA®
TRUST IN, AND VALUE FROM, INFORMATION SYSTEMS

2012 CISA Review Course
CHAPTER 2
IT GOVERNANCE AND MANAGEMENT OF IT
Course Agenda

• Learning Objectives
• Discuss Task and Knowledge Statements
• Discuss specific topics within the chapter
• Case studies
• Sample questions
Exam Relevance
Ensure that the CISA candidate…
Understands and can provide assurance that the
organization has the structure, policies,
accountability mechanisms and monitoring practices
in place to achieve the requirements of corporate
governance of IT.

% of Total Exam Questions

The content area in this chapter will represent approximately 14% of the CISA examination (approximately 28 questions).

[Pie chart of exam weighting by chapter: Chapter 1 14%, Chapter 2 14%, Chapter 3 19%, Chapter 4 23%, Chapter 5 30%]
Chapter 2 Learning Objectives

• Evaluate the effectiveness of the IT governance structure to determine whether IT decisions, directions and performance support the organization’s strategies and objectives.
• Evaluate IT organizational structure and human resources (personnel) management to determine whether they support the organization’s strategies and objectives.
• Evaluate the IT strategy, including the IT direction, and the processes for the strategy’s development, approval, implementation and maintenance for alignment with the organization’s strategies and objectives.
Chapter 2 Learning Objectives (continued)

• Evaluate the organization’s IT policies, standards, and procedures, and the processes for their development, approval, implementation, maintenance, and monitoring, to determine whether they support the IT strategy and comply with regulatory and legal requirements.
• Evaluate the adequacy of the quality management system to determine whether it supports the organization’s strategies and objectives in a cost-effective manner.
• Evaluate IT management and monitoring of controls (e.g., continuous monitoring, quality assurance [QA]) for compliance with the organization’s policies, standards and procedures.
Chapter 2 Learning Objectives (continued)

• Evaluate IT resource investment, use and allocation practices, including prioritization criteria, for alignment with the organization’s strategies and objectives.
• Evaluate IT contracting strategies and policies, and contract management practices to determine whether they support the organization’s strategies and objectives.
• Evaluate risk management practices to determine whether the organization’s IT-related risks are properly managed.
Chapter 2 Learning Objectives (continued)

• Evaluate monitoring and assurance practices to determine whether the board and executive management receive sufficient and timely information about IT performance.
• Evaluate the organization’s business continuity plan to determine the organization’s ability to continue essential business operations during the period of an IT disruption.
2.2 Corporate Governance
• Ethical corporate behavior by directors or
others charged with governance in the creation
and presentation of value for all stakeholders
• The distribution of rights and responsibilities
among different participants in the corporation,
such as board, managers, shareholders and
other stakeholders
• Establishment of rules to manage and report on
business risks
2.3 IT Governance

• Comprises the body of issues addressed in considering how IT is applied within the enterprise.
• Effective enterprise governance focuses on:
– Individual and group expertise
– Experience in specific areas
• Key element: alignment of business and IT
2.3 IT Governance (continued)

• Two issues:
1. IT delivers value to the business
2. IT risks are managed
Practice Question
2-1 In order for management to effectively monitor the
compliance of processes and applications, which of
the following would be the MOST ideal?
A. A central document repository
B. A knowledge management system
C. A dashboard
D. Benchmarking
2.4 Information Technology Monitoring and Assurance Practices for Management

IT governance implies a system where all stakeholders provide input into the decision making process:
• Board
• Internal customers
• Finance
2.4.1 Best Practices for IT
Governance
IT governance has become significant due to:
• Demands for better return from IT investments
• Increases in IT expenditures
• Regulatory requirements for IT controls
• Selection of service providers and outsourcing
• Complexity of network security
• Adoptions of control frameworks
• Benchmarking
2.4.1 Best Practices for IT Governance (continued)
Audit role in IT governance

• Audit plays a significant role in the successful implementation of IT governance within an organization
• Reporting on IT governance involves auditing at the highest level in the organization and may cross division, functional or departmental boundaries
2.4.1 Best Practices for IT
Governance (continued)
• In accordance with the defined role of the IS auditor, the
following aspects related to IT governance need to be
assessed:
– Alignment of the IS function with the organization’s mission,
vision, values, objectives and strategies
– Achievement of performance objectives established by the
business (e.g., effectiveness and efficiency) by the IS function
– Legal, environmental, information quality, fiduciary, security,
and privacy requirements
– The control environment of the organization
– The inherent risks within the IS environment
– IT investment/expenditure
2.4.2 IT Strategy Committee

• The creation of an IT strategy committee is an industry best practice
• Committee should broaden its scope to include not only advice on strategy when assisting the board in its IT governance responsibilities, but also to focus on IT value, risks and performance
2.4.3 Standard
IT Balanced Scorecard
• A process management evaluation technique
that can be applied to the IT governance
process in assessing IT functions and
processes
• Method goes beyond the traditional financial
evaluation
• One of the most effective means to aid the IT
strategy committee and management in
achieving IT and business alignment
2.4.4 Information Security Governance
• Focused activity with specific value drivers
– Integrity of information
– Continuity of services
– Protection of information assets
• Integral part of IT governance
• Importance of information security governance
2.4.4 Information Security
Governance (continued)
Importance of information security governance
• Information security (Infosec) covers all information
processes, physical and electronic, regardless of
whether they involve people and technology or
relationships with trading partners, customers and
third parties.
• Infosec is concerned with all aspects of information
and its protection at all points of its life cycle within
the organization.
2.4.4 Information Security
Governance (continued)
Effective information security can add significant
value to an organization by:
• Providing greater reliance on interactions with
trading partners
• Improving trust in customer relationships
• Protecting the organization’s reputation
• Enabling new and better ways to process
electronic transactions
2.4.4 Information Security
Governance (continued)
Outcomes of security governance
• Strategic alignment – align with business strategy
• Risk management – manage and execute appropriate measures to mitigate risks
• Value delivery – optimize security investments
• Performance measurement – measure, monitor and report on information security processes
• Resource management – utilize information security knowledge and infrastructure efficiently and effectively
• Process integration – integration of management assurance processes for security
2.4.4 Information Security
Governance (continued)
Effective information security governance
• To achieve effective information security
governance, management must establish and
maintain a framework to guide the development
and management of a comprehensive information
security program that supports business objectives
• This framework provides the basis for the
development of a cost-effective information
security program that supports the organization’s
business goals.
2.4.4 Information Security
Governance (continued)
Information security governance requires
strategic direction and impetus from:
• Boards of directors / senior management
• Senior management
• Steering committees
• Chief information security officers
2.4.5 Enterprise Architecture

• Involves documenting an organization’s IT assets in a structured manner to facilitate understanding, management and planning for IT investments
• Often involves both a current state and optimized future state representation
2.4.5 Enterprise Architecture (continued)
The Basic Zachman Framework (rows are perspectives, columns are aspects):

                          Data | Functional | Network | People | Process | Strategy
Scope
Enterprise Model
Systems Model
Technology Model
Detailed Representation
2.4.5 Enterprise
Architecture (continued)
The Federal Enterprise Architecture (FEA)
hierarchy:
• Performance
• Business
• Service component
• Technical
• Data
2.5.1 Strategic Planning

• From an IS standpoint, strategic planning relates to the long-term direction an organization wants to take in leveraging information technology for improving its business processes
• Effective IT strategic planning involves a consideration of the organization’s demand for IT and its IT supply capacity
2.5.1 Strategic Planning (continued)

• The IS auditor should pay attention to the importance of IT strategic planning
• Focus on the importance of a strategic planning process or planning framework
• Consider how the CIO or senior IT management are involved in the creation of the overall business strategy
Practice Question
2-2 Which of the following would be included in an IS
strategic plan?
A. Specifications for planned hardware purchases
B. Analysis of future business objectives
C. Target dates for development projects
D. Annual budgetary targets for the IS department
Practice Question
2-3 Which of the following BEST describes an IT department’s
strategic planning process?
A. The IT department will have either short-range or long-range
plans depending on the organization’s broader plans and
objectives.
B. The IT department’s strategic plan must be time- and project-
oriented, but not so detailed as to address and help determine
priorities to meet business needs.
C. Long-range planning for the IT department should recognize
organizational goals, technological advances and regulatory
requirements.
D. Short-range planning for the IT department does not need to
be integrated into the short-range plans of the organization
since technological advances will drive the IT department
plans much quicker than organizational plans.
2.5.2 Steering Committee

• An organization’s senior management should appoint a planning or steering committee to oversee the IS function and its activities
• A high-level steering committee for information technology is an important factor in ensuring that the IS department is in harmony with the corporate mission and objectives
2.6 Maturity and Process
Improvement Models

• IDEAL model
• Capability Maturity Model Integration (CMMI)
• Team Software Process (TSP)
• Personal Software Process (PSP)
2.7 IT Investment and Allocation Practices

• Financial benefits – impact on budget and finances
• Nonfinancial benefits – impact on operations or mission performance and results
2.8 Policies and Procedures

Reflect management guidance and direction in developing controls over:
• Information systems
• Related resources
• IS department processes
2.8.1 Policies

• High-level documents
• Must be clear and concise
• Set tone for organization as a whole (top down)
• Lower-level policies – defined by individual divisions and departments
2.8.1 Policies (continued)
Information Security Policy
• Defines information security, overall objectives and
scope
• Is a statement of management intent
• Is a framework for setting control objectives
including risk management
• Defines responsibilities for information security
management
Acceptable Use Policy
2.8.2 Procedures

Procedures are detailed documents that:
• Define and document implementation policies
• Must be derived from the parent policy
• Must implement the spirit (intent) of the policy statement
• Must be written in a clear and concise manner
2.9 Risk Management

The process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives.
Responses to identified risk:
• Avoid
• Mitigate
• Transfer
• Accept
2.9.1 Developing a Risk
Management Program
To develop a risk management program:
• Establish the purpose of the risk management
program
• Assign responsibility for the risk management plan
2.9.2 Risk Management
Process
• Identification and classification of information
resources or assets that need protection
• Assess threats and vulnerabilities and the
likelihood of their occurrence
• Once the elements of risk have been
established they are combined to form an
overall view of risk
2.9.2 Risk Management
Process (continued)
• Evaluate existing controls or design new
controls to reduce the vulnerabilities to an
acceptable level of risk
• Residual risk
2.9.2 Risk Management
Process (continued)
IT risk management needs to operate at
multiple levels including:
• The operational level
• The project level
• The strategic level
2.9.3 Risk Analysis Methods
• Qualitative
• Semiquantitative
• Quantitative
– Probability and expectancy
– Annual loss expectancy method
2.9.3 Risk Analysis
Methods (continued)
Management and IS auditors should keep in
mind certain considerations:
• Risk management should be applied to IT functions throughout
the company
• Senior management responsibility
• Quantitative RM is preferred over qualitative approaches
• Quantitative RM always faces the challenge of estimating risks
• Quantitative RM provides more objective assumptions
• The real complexity or the apparent sophistication of the methods or packages used should not be a substitute for common sense or professional diligence
• Special care should be given to very high impact events, even if
the probability of occurrence over time is very low.
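The annual loss expectancy method named above, worked through as an added example that is not part of the course material: ALE is computed from single loss expectancy (asset value times exposure factor) and annual rate of occurrence, a proposed control is judged by the ALE it removes against its annual cost, and rare high-impact events are flagged separately, as the last consideration asks. The risk register, the control figures and the SLE/ARO decomposition are assumed for the illustration, not taken from the slides.

```python
"""Quantitative risk analysis with the annual loss expectancy (ALE) method.

ALE = SLE x ARO, where
  SLE (single loss expectancy) = asset value x exposure factor
  ARO (annual rate of occurrence) = expected events per year
A control is cost-justified when the ALE it removes exceeds its annual cost.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # replacement/impact value in currency units
    exposure_factor: float  # fraction of the asset value lost per event (0..1)
    aro: float              # expected occurrences per year


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    aro_reduction: float    # fraction by which the control lowers the ARO (0..1)
    ef_reduction: float     # fraction by which it lowers the exposure factor (0..1)


def single_loss_expectancy(risk: Risk) -> float:
    return risk.asset_value * risk.exposure_factor


def annual_loss_expectancy(risk: Risk) -> float:
    return single_loss_expectancy(risk) * risk.aro


def residual_risk(risk: Risk, control: Control) -> Risk:
    """The same risk after the control is applied (the residual risk of 2.9.2)."""
    return Risk(
        name=risk.name,
        asset_value=risk.asset_value,
        exposure_factor=risk.exposure_factor * (1 - control.ef_reduction),
        aro=risk.aro * (1 - control.aro_reduction),
    )


def control_net_benefit(risk: Risk, control: Control) -> float:
    """Annual loss avoided by the control minus its annual cost (positive = justified)."""
    avoided = annual_loss_expectancy(risk) - annual_loss_expectancy(residual_risk(risk, control))
    return avoided - control.annual_cost


def is_high_impact_low_probability(risk: Risk, impact_threshold: float,
                                   aro_threshold: float) -> bool:
    """Flags events a pure ALE ranking would bury: large single loss, but rare."""
    return single_loss_expectancy(risk) >= impact_threshold and risk.aro <= aro_threshold


def rank_by_ale(risks):
    """Risks ordered from highest to lowest annual loss expectancy."""
    return sorted(risks, key=annual_loss_expectancy, reverse=True)


# Constructed sample register (illustrative figures, not from the course).
RISKS = [
    Risk("Laptop theft with unencrypted customer data", 200_000.0, 0.5, 2.0),
    Risk("Primary data centre fire", 5_000_000.0, 0.8, 0.02),
    Risk("Web server defacement", 50_000.0, 0.2, 4.0),
]
# Assumed control: encryption removes 90% of the loss per theft but not the thefts.
LAPTOP_ENCRYPTION = Control("Full-disk encryption on laptops", 15_000.0, 0.0, 0.9)

if __name__ == "__main__":
    for r in rank_by_ale(RISKS):
        flag = " [high impact, low probability]" if is_high_impact_low_probability(r, 1_000_000.0, 0.1) else ""
        print(f"{r.name}: SLE={single_loss_expectancy(r):,.0f} ALE={annual_loss_expectancy(r):,.0f}{flag}")
    print(f"Net benefit of {LAPTOP_ENCRYPTION.name}: {control_net_benefit(RISKS[0], LAPTOP_ENCRYPTION):,.0f}")
```

The data centre fire has the largest single loss but a lower ALE than the laptop risk, which is exactly the case the final consideration above warns about.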
2.10.1 Human Resource
Management
• Hiring
• Employee handbook
• Promotion policies
• Training
• Scheduling and time reporting
• Employee performance evaluations
• Required vacations
• Termination policies
2.10.2 Sourcing Practices
• Sourcing practices relate to the way an
organization obtains the IS function required to
support the business
• Organizations can perform all IS functions in-
house or outsource all functions across the
globe
• Sourcing strategy should consider each IS
function and determine which approach allows
the IS function to meet the organization’s goals
2.10.2 Sourcing Practices (continued)

Outsourcing practices and strategies
• Contractual agreements under which an organization hands over control of part or all of the functions of the IS department to an external party
• Becoming increasingly important in many organizations
• The IS auditor must be aware of the various forms outsourcing can take as well as the associated risks
2.10.2 Sourcing Practices (continued)

Globalization practices and strategies
• Requires management to actively oversee the remote or offshore locations
• The IS auditor can assist an organization in moving IS functions offsite or offshore by ensuring that IS management considers the following:
– Legal, regulatory and tax issues
– Continuity of operations
– Personnel
– Telecommunication issues
– Cross-border and cross-cultural issues
2.10.2 Sourcing Practices
(continued)

Governance in outsourcing
• Mechanism that allows organizations to transfer
the delivery of services to third parties
• Accountability remains with the management of the
client organization
• Transparency and ownership of the decision-
making process must reside within the purview of
the client
2.10.2 Sourcing Practices (continued)

Third-party service delivery management
• Every organization using the services of third parties should have a service delivery management system in place to implement and maintain the appropriate level of information security and service delivery in line with third-party service delivery agreements
• The organization should check the implementation of agreements, monitor compliance with the agreements and manage changes to ensure that the services delivered meet all requirements agreed to with the third party.
2.10.3 Organizational Change Management

What is change management?
• Managing IT changes for the organization
– Identify and apply technology improvements at the infrastructure and application level
2.10.4 Financial Management Practices

• User-pays scheme – chargeback
• IS budgets
2.10.5 Quality Management
• Software development, maintenance and
implementation
• Acquisition of hardware and software
• Day-to-day operations
• Service management
• Security
• Human resource management
• General administration
Practice Question
2-4 The MOST important responsibility of a data security
officer in an organization is:
A. recommending and monitoring data security policies.
B. promoting security awareness within the organization.
C. establishing procedures for IT security policies.
D. administering physical and logical access controls.
Practice Question
2-5 What is considered the MOST critical element for the
successful implementation of an information security
(IS) program?
A. An effective enterprise risk management (ERM)
framework
B. Senior management commitment
C. An adequate budgeting process
D. Meticulous program planning
2.10.7 Performance Optimization

• Process driven by performance indicators
• Optimization refers to the process of improving the productivity of information systems to the highest level possible without unnecessary, additional investment in the IT infrastructure
2.10.7 Performance
Optimization (continued)
Five ways to use performance measures:
• Measure products/services
• Manage products/services
• Assure accountability
• Make budget decisions
• Optimize performance
Practice Question
2-6 An IS auditor should ensure that IT governance
performance measures:
A. evaluate the activities of IT oversight committees.
B. provide strategic IT drivers.
C. adhere to regulatory reporting standards and definitions.
D. evaluate the IT department.
2.11 IS Organizational Structure and Responsibilities
2.11.1 IS Roles and Responsibilities
• Systems development manager
• Project management
• Service Desk (help desk)
• End user
• End user support manager
2.11.1 IS Roles and Responsibilities (continued)
• Data management
• Quality assurance manager
• Information security manager
2.11.1 IS Roles and
Responsibilities (continued)
• Vendor and outsourcer management
• Infrastructure operations and maintenance
• Media management
• Data entry
• Systems administration
• Security administration
• Quality assurance
2.11.1 IS Roles and
Responsibilities (continued)
• Database administration
• Systems analyst
• Security architect
• Applications development and maintenance
• Infrastructure development and maintenance
• Network management
2.11.2 Segregation of
Duties Within IS
• Avoids possibility of errors or misappropriations
• Discourages fraudulent acts
• Limits access to data
Practice Question
2-7 Which of the following tasks may be performed by
the same person in a well-controlled information
processing computer center?
A. Security administration and change management
B. Computer operations and system development
C. System development and change management
D. System development and systems maintenance
Practice Question
2-8 Which of the following is the MOST critical control
over database administration?
A. Approval of DBA activities
B. Segregation of duties
C. Review of access logs and activities
D. Review of the use of database tools
2.11.3 Segregation of Duties
Controls
Control measures to enforce segregation of
duties include:
• Transaction authorization
• Custody of assets
• Access to data
– Authorization forms
– User authorization tables
2.11.3 Segregation of Duties
Controls (continued)
Compensating controls for lack of segregation of
duties include:

• Audit trails
• Reconciliation
• Exception reporting
• Transaction logs
• Supervisory reviews
• Independent reviews
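An added example, not from the course, of the check an IS auditor could run over a user authorization table from 2.11.3: each user's functions are tested against an assumed matrix of incompatible pairs, and any conflict without one of the compensating controls listed above documented for it is reported as an open finding. The authorization table, conflict matrix and documented-control mapping are constructed for the illustration.

```python
"""Segregation-of-duties (SoD) review over a user authorization table.

Each user's assigned functions are checked against a matrix of incompatible
function pairs; every conflict must be covered by a documented compensating
control (audit trail, reconciliation, exception reporting, transaction logs,
supervisory review, independent review) or it is reported as an open finding.
"""
from itertools import combinations

# Assumed conflict matrix for this example: the classic incompatible functions
# (authorizing a transaction, holding the asset, recording the transaction),
# plus one technical pairing. A real review uses the organization's own matrix.
INCOMPATIBLE = {
    frozenset({"transaction authorization", "custody of assets"}),
    frozenset({"transaction authorization", "recording"}),
    frozenset({"custody of assets", "recording"}),
    frozenset({"security administration", "application programming"}),
}

# Compensating controls recognised when full segregation is not possible.
COMPENSATING_CONTROLS = {
    "audit trail", "reconciliation", "exception reporting",
    "transaction logs", "supervisory review", "independent review",
}


def find_conflicts(authorization_table):
    """Return {user: [(function_a, function_b), ...]} for every incompatible pair held.

    authorization_table maps a user ID to the set of functions granted to it.
    Pairs are emitted in sorted order so results are deterministic.
    """
    conflicts = {}
    for user, functions in authorization_table.items():
        pairs = [tuple(sorted(pair)) for pair in combinations(sorted(functions), 2)
                 if frozenset(pair) in INCOMPATIBLE]
        if pairs:
            conflicts[user] = pairs
    return conflicts


def open_findings(authorization_table, documented_controls):
    """Conflicts with no recognised compensating control documented for that user and pair.

    documented_controls maps (user, (function_a, function_b)) to the list of
    control names management says are in place for that combination.
    """
    findings = []
    for user, pairs in find_conflicts(authorization_table).items():
        for pair in pairs:
            controls = set(documented_controls.get((user, pair), ()))
            if not controls & COMPENSATING_CONTROLS:
                findings.append((user, pair))
    return findings


# Constructed sample data (not from the course).
AUTHORIZATION_TABLE = {
    "alice": {"transaction authorization", "recording"},
    "bob": {"custody of assets"},
    "carol": {"security administration", "application programming", "recording"},
}
DOCUMENTED_CONTROLS = {
    ("alice", ("recording", "transaction authorization")): ["supervisory review", "transaction logs"],
}

if __name__ == "__main__":
    for user, pairs in find_conflicts(AUTHORIZATION_TABLE).items():
        print(f"{user}: conflicting functions {pairs}")
    for user, pair in open_findings(AUTHORIZATION_TABLE, DOCUMENTED_CONTROLS):
        print(f"OPEN FINDING: {user} holds {pair[0]} and {pair[1]} with no compensating control")
```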
Practice Question
2-9 When a complete segregation of duties cannot be
achieved in an online system environment, which of
the following functions should be separated from
the others?
A. Origination
B. Authorization
C. Recording
D. Correction
Practice Question
2-10 In a small organization, where segregation of duties
is not practical, an employee performs the function
of computer operator and application programmer.
Which of the following controls should an IS auditor
recommend?
A. Automated logging of changes to development libraries
B. Additional staff to provide segregation of duties
C. Procedures that verify that only approved program
changes are implemented
D. Access controls to prevent the operator from making
program modifications
2.12 Auditing IT Governance
Structure and Implementation
Indicators of potential problems include:
• Unfavorable end-user attitudes
• Excessive costs
• Budget overruns
• Late projects
• High staff turnover
• Inexperienced staff
• Frequent hardware/software errors
2.12.1 Reviewing
Documentation
The following documents should be reviewed:
• IT strategies, plans and budgets
• Security policy documentation
• Organization/functional charts
• Job descriptions
• Steering committee reports
• System development and program change procedures
• Operations procedures
• Human resource manuals
• Quality assurance procedures
2.12.2 Reviewing Contractual
Commitments
There are various phases to computer hardware,
software and IS service contracts, including:
• Development of contract requirements and service
levels
• Contract bidding process
• Contract selection process
• Contract acceptance
• Contract maintenance
• Contract compliance
2.13 Business Continuity Planning

• Business continuity planning (BCP) is a process designed to reduce the organization’s business risk
• A BCP is much more than just a plan for the information systems
2.13 Business Continuity
Planning (continued)
Corporate risks could cause an organization to
suffer
• Inability to maintain critical customer services
• Damage to market share, reputation or brand
• Failure to protect the company assets including
intellectual properties and personnel
• Business control failure
• Failure to meet legal or regulatory requirements
2.13.1 IS Business Continuity Planning

IS processing is of strategic importance
• Critical component of overall BCP
• Most key business processes depend on the availability of key systems and infrastructure components
2.13.2 Disasters and Other Disruptive Events

• Disasters are disruptions that cause critical information resources to be inoperative for a period of time
• Good BCP will take into account impacts on IS processing facilities
2.13.3 Business Continuity
Planning Process
2.13.4 Business Continuity Policy

• Defines the extent and scope of business continuity for both internal and external stakeholders
• Should be proactive
2.13.5 Business Continuity Planning Incident Management

All types of incidents should be categorized:
• Negligible
• Minor
• Major
• Crisis
2.13.6 Business Impact
Analysis
• Critical step in developing the business continuity
plan
• Three main questions to consider during BIA
phase:
– What are the different business processes?
– What are the critical information resources related to
an organization’s critical business processes?
– What is the critical recovery time period for information
resources in which business processing must be
resumed before significant or unacceptable losses are
suffered?
2.13.6 Business Impact
Analysis (continued)
What is the system’s risk ranking?
• Critical
• Vital
• Sensitive
• Non-sensitive
2.13.7 Development of
Business Continuity Plans
Factors to consider when developing the plans:
• Predisaster readiness covering incident response management to
address all relevant incidents affecting business processes
• Evacuation procedures
• Procedures for declaring a disaster (escalation procedures)
• Circumstances under which a disaster should be declared.
• The clear identification of the responsibilities in the plan
• The clear identification of the persons responsible for each function in
the plan
• The clear identification of contract information
• The step-by-step explanation of the recovery process
• The clear identification of the various resources required for recovery
and continued operation of the organization
2.13.8 Other Issues in
Plan Development
• Management and user involvement is vital to
the success of BCP
– Essential to the identification of critical systems,
recovery times and resources
– Involvement from support services, business
operations and information processing support
• Entire organization needs to be considered for
BCP
2.13.9 Components of a
Business Continuity Plan
A business continuity plan may consist of more
than one plan document
• Continuity of operations plan (COOP)
• Disaster recovery plan (DRP)
• Business resumption plan
• Continuity of support plan / IT contingency plan
• Crisis communications plan
• Incident response plan
• Transportation plan
• Occupant emergency plan (OEP)
• Evacuation and emergency relocation plan
2.13.9 Components of a Business Continuity Plan (continued)

Components of the plan
• Key decision-making personnel
• Backup of required supplies
• Insurance
2.13.9 Components of a Business
Continuity Plan (continued)
• Insurance
– IS equipment and facilities
– Media (software) reconstruction
– Extra expense
– Business interruption
– Valuable papers and records
– Errors and omissions
– Fidelity coverage
– Media transportation
2.13.10 Plan Testing

• Schedule testing at a time that will minimize disruptions to normal operations
• Test must simulate actual processing conditions
• Test execution:
– Documentation of results
– Results analysis
– Recovery / continuity plan maintenance
2.13.11 Summary of Business Continuity

• Business continuity plan must:
– Be based on the long-range IT plan
– Comply with the overall business continuity strategy
2.13.11 Summary of Business
Continuity and Disaster Recovery
(continued)

• Process for developing and maintaining the BCP/DRP
– Conduct risk assessment
– Prepare business impact analysis
– Choose appropriate controls and measures for recovering
IT components to support the critical business processes
– Develop the detailed plan for recovering IS facilities (DRP).
– Develop a detailed plan for the critical business functions to
continue to operate at an acceptable level (BCP).
– Test the plans
– Maintain the plans as the business changes and systems
develop.
2.14 Auditing Business
Continuity
• Understand and evaluate business continuity
strategy
• Evaluate plans for accuracy and adequacy
• Verify plan effectiveness
• Evaluate offsite storage
• Evaluate ability of IS and user personnel to
respond effectively
• Ensure plan maintenance is in place
• Evaluate readability of business continuity manuals
and procedures
2.14.1 Reviewing the Business
Continuity Plan
IS auditors should verify that basic elements of a
well-developed plan are evident including:
• Currency of documents
• Effectiveness of documents
• Interview personnel for appropriateness and
completeness
2.14.2 Evaluation of Prior
Test Results
IS auditors must review the test results to:
• Determine whether corrective actions are in the
plan
• Evaluate thoroughness and accuracy
• Determine problem trends and resolution of
problems
2.14.3 Evaluation of Offsite
Storage
An IS auditor must:
• Evaluate presence, synchronization and currency
of media and documentation
• Perform a detailed inventory review
• Review all documentation
• Evaluate availability of facility
2.14.4 Interviewing Key Personnel

• Key personnel must have an understanding of their responsibilities
• Current detailed documentation must be kept
2.14.5 Evaluation of Security at
Offsite Facility

An IS auditor must:
• Evaluate the physical and environmental access
controls
• Examine the equipment for current inspection and
calibration tags
2.14.6 Reviewing Alternative Processing Contract

• An IS auditor should obtain a copy of the contract with the vendor
• The contract should be reviewed against a number of guidelines
– Contract is clear and understandable
– Organization’s agreement with the rules
2.14.7 Reviewing Insurance
Coverage
• Insurance coverage must reflect actual cost of
recovery
• Coverage of the following must be reviewed for
adequacy
– Media damage
– Business interruption
– Equipment replacement
– Business continuity processing
Case Study A Scenario
An IS auditor has been asked to review the draft of an
outsourcing contract and SLA and recommend any
changes or point out any concerns prior to these being
submitted to senior management for final approval. The
agreement includes outsourcing support of Windows and
UNIX server administration and network management to a
third party.

Servers will be relocated to the outsourcer’s facility that is located in another country, and connectivity will be established using the Internet. Operating system software will be upgraded on a semiannual basis, but it will not be escrowed. All requests for addition or deletion of user accounts will be processed within three business days.
Case Study A Scenario
(continued)
Intrusion detection software will be continuously monitored
by the outsourcer and the customer notified by e-mail if any
anomalies are detected. New employees hired within the
last three years were subject to background checks. Prior
to that, there was no policy in place.

A right to audit clause is in place, but 24-hour notice is required prior to an onsite visit. If the outsourcer is found to be in violation of any of the terms or conditions of the contract, it will have 10 business days to correct the deficiency. The outsourcer does not have an IS auditor, but it is audited by a regional public accounting firm.
Case Study A Question
1. Which of the following should be of MOST concern to
the IS auditor?
A. User account changes are processed within three
business days.
B. Twenty-four hour notice is required prior to an onsite
visit.
C. The outsourcer does not have an IS audit function.
D. Software escrow is not included in the contract.
Case Study A Question
2. Which of the following would be the MOST significant
issue to address if the servers contain personally
identifiable customer information that is regularly
accessed and updated by end users?
A. The country in which the outsourcer is based prohibits
the use of strong encryption for transmitted data.
B. The outsourcer limits its liability if it took reasonable
steps to protect the customer data.
C. The outsourcer did not perform background checks for
employees hired over three years ago.
D. System software is only upgraded once every six
months.
Case Study B Scenario
An organization has implemented an integrated application
for supporting business processes. It has also entered into
an agreement with a vendor for application maintenance
and providing support to the users and system
administrators. This support will be provided by a remote
vendor support center using a privileged user ID with O/S
level super user authority having read and write access to
all files. The vendor will use this special user ID to log on to
the system for troubleshooting and implementing
application updates (patches). Due to the volume of
transactions, activity logs are only maintained for 90 days.
Case Study B Question
1. Which of the following is a MAJOR concern for the IS
auditor?
A. User activity logs are only maintained for 90 days.
B. The special user ID will access the system remotely.
C. The special user ID can alter activity log files.
D. The vendor will be testing and implementing patches on
servers.
Case Study B Question
2. Which of the following actions would be MOST
effective in reducing the risk that the privileged user
account may be misused?
A. The special user ID should be disabled except when
maintenance is required.
B. All usage of the special user account should be logged.
C. The agreement should be modified so that all support is
performed onsite.
D. All patches should be tested and approved prior to
implementation.
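One way an IS auditor could reconcile use of the special user ID against approved maintenance windows and the 90-day log retention, as an added example that is not part of the ISACA course material; the account name (vendor_su), the log line layout and the change-register windows are all assumptions:

```python
"""Added example (not ISACA course material): an audit check for the vendor's
shared O/S super-user ID described in Case Study B. Assumes a change register of
approved maintenance windows and activity-log lines in a constructed
'YYYY-MM-DD HH:MM user host action' layout; both inputs are hypothetical."""
from datetime import datetime, timedelta
from typing import List, Tuple

SPECIAL_ID = "vendor_su"   # hypothetical name for the privileged vendor ID
RETENTION_DAYS = 90        # from the case: activity logs are kept only 90 days

# Constructed approved maintenance windows (start, end) from the change register.
WINDOWS = [
    (datetime(2024, 3, 2, 22, 0), datetime(2024, 3, 3, 2, 0)),
    (datetime(2024, 3, 16, 22, 0), datetime(2024, 3, 17, 2, 0)),
]

# Constructed activity-log extract; one special-ID login falls outside any window.
LOG_LINES = """\
2024-03-02 22:14 vendor_su app01 login
2024-03-02 23:40 vendor_su app01 logout
2024-03-09 03:12 vendor_su app02 login
2024-03-09 03:50 vendor_su app02 logout
2024-03-16 22:05 vendor_su app01 login
2024-03-10 09:00 jdoe app01 login
"""

def parse_log(text: str) -> List[Tuple[datetime, str, str, str]]:
    """Parse each non-empty line into (timestamp, user, host, action)."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            date, clock, user, host, action = line.split()
            ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M")
            rows.append((ts, user, host, action))
    return rows

def in_window(ts: datetime, windows) -> bool:
    return any(start <= ts <= end for start, end in windows)

def unapproved_logins(text: str, windows, special: str = SPECIAL_ID) -> List[str]:
    """Return 'timestamp host' for each special-ID login outside every window."""
    return [f"{ts:%Y-%m-%d %H:%M} {host}" for ts, user, host, action in parse_log(text)
            if user == special and action == "login" and not in_window(ts, windows)]

def windows_without_evidence(windows, review_date: str, retention_days: int = RETENTION_DAYS) -> int:
    """Count approved windows that started before the log retention cutoff: the
    vendor's activity in them can no longer be reconciled, the 90-day concern."""
    cutoff = datetime.fromisoformat(review_date) - timedelta(days=retention_days)
    return sum(1 for start, _ in windows if start < cutoff)
```

A login outside every approved window is evidence the ID was not disabled between maintenance tasks; a window older than the retention period means the auditor has no log left to reconcile against.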
Case Study C Scenario
An IS auditor was asked to review alignment between IT and
business goals for a small financial institution. The IS auditor
requested various information including business goals and
objectives and IT goals and objectives. The IS auditor found that
business goals and objectives were limited to a short bulleted list,
while IT goals and objectives were limited to slides used in
meetings with the CIO (the CIO reports to the CFO). It was also
found in the documentation provided that over the past two years,
the risk management committee (composed of senior management)
only met on three occasions, and no minutes of what was discussed
were kept for these meetings. When the IT budget for the upcoming
year was compared to the strategic plans for IT, it was noted that
several of the initiatives mentioned in the plans for the upcoming
year were not included in the budget for that year.
Case Study C Question
1. Which of the following should be of GREATEST
concern to the IS auditor?
A. Strategy documents are informal and incomplete.
B. The risk management committee seldom meets and
does not keep minutes.
C. Budgets do not appear adequate to support future IT
investments.
D. The CIO reports to the CFO.
Case Study C Question
2. Which of the following would be the MOST significant
issue to address?
A. The prevailing culture within IT.
B. The lack of information technology policies and
procedures.
C. The risk management practices as compared to peer
organizations.
D. The reporting structure for IT.
Case Study D Scenario
An IS auditor is auditing the IT governance practices for
an organization. During the course of the work, it is noted
that the organization does not have a full-time chief
information officer (CIO). The organization chart of the
entity provides for an information systems manager
reporting to the chief financial officer (CFO), who in turn
reports to the board of directors. The board plays a major
role in monitoring IT initiatives in the entity and the CFO
communicates on a frequent basis the progress of IT
initiatives.
Case Study D Scenario (cont’d)
From reviewing the segregation of duties matrix, it is
apparent that application programmers are only required to
obtain approval from the database administrator (DBA) to
directly access production data. It is also noted that the
application programmers have to provide the developed
program code to the program librarian, who then migrates
it to production. Information systems audits are carried out
by the internal audit department, which reports to the CFO
at the end of every month, as part of business
performance review process; the financial results of the
entity are reviewed in detail and signed off by the business
managers for correctness of data contained therein.
Case Study D Question
1. Given the circumstances described, what would be of
GREATEST concern from an IT governance
perspective?
A. The organization does not have a full-time CIO.
B. The organization does not have an IT steering
committee.
C. The board of the organization plays a major role in
monitoring IT initiatives.
D. The information systems manager reports to the CFO.
Case Study D Question
2. Given the case, what would be of GREATEST
concern from a segregation of duties perspective?
A. Application programmers are required to obtain
approval only from the DBA for direct write access to
data.
B. Application programmers are required to turn over the
developed program code to the program librarian for
migration to production.
C. The internal audit department reports to the CFO.
D. Business performance reviews are required to be
signed off only by the business managers.
Case Study D Question
3. Which of the following would BEST address data
integrity from a mitigating control standpoint?
A. Application programmers are required to obtain
approval from DBA for direct access to data.
B. Application programmers are required to hand over the
developed program codes to the program librarian for
transfer to production.
C. The internal audit department reports to the CFO.
D. Business performance results are required to be
reviewed and signed off by the business managers.
Case Study E Scenario
An organization is developing revised business continuity plans (BCPs) and
disaster recovery plans (DRPs) for its headquarters facility and network
of 16 branch offices. The current plans have not been updated in more
than eight years, during which time the organization has grown by over
300 percent. At the headquarters facility, there are approximately 750
employees. These individuals connect over a local area network to an
array of more than 60 application, database and file/print servers located
in the corporate data center and over a frame relay network to the
branch offices. Traveling users access corporate systems remotely by
connecting over the Internet using virtual private networking. Users at
both headquarters and the branch offices access the Internet through a
firewall and proxy server located in the data center. Critical applications
have a recovery time objective (RTO) of between three and five days.
Branch offices are located between 30 and 50 miles from one another,
with none closer to the headquarters facility than 25 miles.
Case Study E Scenario (cont’d)
Each branch office has between 20 and 35 employees plus a mail server
and a file/print server. Backup media for the data center are stored at a
third-party facility 35 miles away. Backups for servers located at the
branch offices are stored at nearby branch offices using reciprocal
agreements between offices. Current contracts with a third party hot site
provider include 25 servers, work area space equipped with desktop
computers to accommodate 100 individuals, and a separate agreement
to ship up to two servers and 10 desktop computers to any branch office
declaring an emergency. The contract term is for three years, with
equipment upgrades occurring at renewal time.
The hot site provider has multiple facilities throughout the country in case
the primary facility is in use by another customer or rendered unavailable
by the disaster. Senior management desires that any enhancements be
as cost effective as possible.
Case Study E Question
1. On the basis of the above information, which of the
following should the IS auditor recommend
concerning the hot site?
A. Desktops at the hot site should be increased to 750.
B. An additional 35 servers should be added to the hot site
contract.
C. All backup media should be stored at the hot site to
shorten the RTO.
D. Desktop and server equipment requirements should be
reviewed quarterly.
Conclusion

• Chapter 2 Quick Reference Review
– Pages 86 - 87 of CISA Review Manual 2012