Pass Your Isaca CISA Exam Easy!

Isaca CISA Certified Information Systems Auditor exam dumps vce, practice test questions, study guide & video training course to study and pass quickly and easily. Isaca CISA Certified Information Systems Auditor exam dumps & practice test questions and answers. You need avanset vce exam simulator in order to study the Isaca CISA certification exam dumps & Isaca CISA practice test questions in vce format.

Lesson 2

1. IT Governance

One of the things you really need to be comfortable with as an IS auditor is this concept of IT governance. How are they actually running their IT department? There is a department; is it really supporting the business objectives? Are they managing all of their resources and assets, not just having disaster recovery plans, but how are they running the entire IT Department? So, when we take a look here at its governance, you want to evaluate: Is its governance effective? And look at It visa viathe whole It organisational structure. not just the company's organisational structure but the whole organisational structure. Starting with the CIO on the job, evaluate the IT strategy. The IT strategy has got to support the business objective. Evaluate all the standards, policies, and procedures. Are we compliant with all of these? Make sure that the organisation is compliant—not just the It Department, but also the organisation itself. Is the It Department compliant in a way that supports the organization? How about their investment and resource allocation and use practices? Evaluate those. Are they being wise about what theyacquire in terms of resources, hardware, software,personnel, and how they're using them? Look at how they contract outside labour or how they integrate other parts of their company. Look at their risk management practices, and are those in line with the overall appetite for risk for the entire business? And then also their performance, monitoring, and assurance? Look at all of these practises when you are auditing the IT Department and looking at their IT governance. So there are several kinds of concepts for governance. First of all, there's the idea of enterprise governance and the best practises and use of controls that provide assurance that the business is on track. And that's what we're doing as an IT department, which supports the business objectives. And then corporate governance: are we doing what is legally required by regulation or what is socially required? Are we being good corporate citizens as a business? And so what is our strategic direction there? And, of course, there's the issue of governance. Is everything we're doing best practise to ensure that everything is supporting the whole business strategy, goals, and objectives? Its governance has areas of focus areas.You should be aware of this strategy. We need to link its function with business functions and enterprise functions to meet business objective value.Anything we buy or anything we do as an IT department has to have business value. It has to promise some kind of benefit to the enterprise. resource usage, proper and wise investment in systems, applications, information, personnel, risk, awareness of risk, and risk management, so we can apply effective controls and mitigate or minimise risk, and also track performance and measure results. One thing that a lot of companies do, especially the larger ones, is use something called an "It Balanced Scorecard." And the scorecard is really an excellent governance evaluation tool. Basically, it allows you to track its functions and processes and just see the results of what we're doing. How well are we doing, So we can see. Is anything red right now? Is anything yellow? How much is green? It could also be internal data collection. You can use satisfaction surveys. What are our capabilities in evaluating our processes? And, you know, I've been at organizations, large organizations, where on the company intranet website, you can see right there on the main website page, basically an overall balance sheet of the company and the projects. and what percentage of them are red, what percentage are yellow, and what percentage are green (on track). And so then, if you're curious, you can click and drill down farther. There are frameworks for IT governance, and so here are some examples. You don't need to memorise these, but you need to know that they exist. And in general, what are they for? We have COBIT, which is currently in version 5, and we know it's the control objectives for it, and it's really the business framework for enterprise governance and management. It. There's an ITIL problem. And that is the Information Technology Infrastructure Library. And the whole idea behind that is that it is the most widely adopted approach for IT service management. It's really no nonsense; step by step, this is how we're going to do it. It's a practical framework for identifying, planning, delivering, and supporting IT services. There's ISO 27001:2004. Actually, there's a 27,000 series. And this is a formal specification for management systems, so that information security is explicitly under management control. Then you can be certified as ISO 27001 compliant. You can be formally audited and certified as compliant with that standard. There's also ISO/IEC 38500, which is principles for directors, and that's owners, board members, directors, and senior executives, for when we evaluate, direct, monitor, and use it in our organizations, it is no longer just a cost center. Its whole purpose is to enable the business to deliver value and to make money. So it is now up to the supporting infrastructure for the business to do its job. It's not just a cost. If you're wondering how some of these relate, some people have said, "Well, since ISO 3500 is really from the top down, the aerial view from the directors, board of directors, and really high-level folks that can be viewed like the roof of a house, and then Kobet is the walls, and then Italy, low processes are like the foundation," Again, you don't need to memorise this; just kind of see how they relate to each other. The balanced scorecard is now a tool in balanced, or rather in IT governance frameworks. And I've seen really big ones. They're basically spreadsheets, and they have all these sections. We're doing this, this, and then in this section, this. And then you can see if it is red, green, or yellow. So you can see how much red there is. And like in a whole project, you can see whole departments across it and whole sections, and you can see how much red there is. So we can see if it's on track or not. And there's also something called Six Sigma. Six Sigma. It's a method for trying to achieve near perfection. What it is is a very disciplined approach to getting rid of errors in processes and getting rid of variability in processes. And the process can be a business process or even a manufacturing process. But basically, we're trying to standardize, get rid of errors, get rid of variability, and try to come as close to perfection as we can. Here is one example of a balanced scorecard. So we can see here that we've got the key goal indicators, the KGI, here, and we can see that we are greater than 99%, a target of assets covered by systematic risk assessment. Or our target has to be greater than 99%. Our actual is at 98%, so we're not totally green yet, and we're still yellow. or the number of personnel vacancies in security roles. The goal is to have no one. In actuality, there is one vacancy, so therefore the status is "yellow," or the time taken to grant a change and remove access privilege. We don't want it to be more than 2 hours. Right now the actual is 1.5, so we'regood, we're we're on target or percentage ofagents covered by effective security awareness. target is 100%. Actually, we're at 99% for yellow. Let's skip down here to a "red" number of systems where security requirements are not met. maximum was two, but when we did our audit, it was five. So we've definitely read that we're not close there, where we're quite off average in our turnaround time for an incident. Our goal is to have it done in two hours, but it's taking two hours and 25 minutes. So there is room for improvement in the number of pending actions to meet response and recovery requirements. Goal is to have no more than five. We're actually at ten, so therefore we're ready. So we can see all of our key goals and how close we are to achieving them at a glance. and it's a very common tool to use. And you just set up a spreadsheet and you list out all of these key goal indicators, and then you have what's the target, what's the actual, and then a visual, usually just the red, green, and yellow, to see the status really quickly at a glance. Another thing we need to look at is quality management. Because businesses are worried about quality, they're worried about the quality not only of the products they put out but also of their processes. So we're looking at the control methods for quality management; we're looking at the assurance practices. So how do you assure that you are meeting your quality goals, and what improvement techniques do you have, or do you just keep on doing the same old thing? So we want to look at how they manage their quality assurance and quality control. So the quality management system is going to be made up of documents and processes and manuals. We should look at it. Is it effective? Is it efficient? And are there standards that can help us guide management through this whole process, and are they aware of them? There's also going to be a financial management system for developing budgets and forecasting and monitoring and analysing what we have. And the IT department will have this as well. So we want to look at their financial management system. We want to look at their security information and security management system. Are they doing business impact analysis of core IT functions, applications, and services? Do they have business continuity and disaster recovery, and are they managing risk? We want to look at that. We also want to see how they're managing HR from an IS perspective. Hiring people, training them in the handbook, what the promotion is, what the general training is, how they schedule and how we report, how much time people put in? What are the performance evaluations? Do we have required vacations not only to give people a break, but also to kind of rotate people around and not give them a chance to hide too many irregularities? And what's the policy for termination? We need to look at all of this as well. So when we're evaluating the effectiveness of IT governance, we want to look at the goals and objectives of all the types of governance applied to the business, the enterprise, corporate, and information security. We want to verify that the IT governance framework applies to that type of business. We want to ensure that the proper management systems and roles have been assigned and that those roles are doing what they're supposed to do, and we want to see what the control environment is in the organization, make sure that those controls are applied properly, verify that the procedures and processes are applied correctly, and assess the achievement of the performance objectives. Are business leaders on all levels meeting their objectives? The next thing we're going to talk about is vendor and outsource management.

2. Outsourcing and Governance

Let's continue on with our discussion of IT governance, and let's talk about outsourcing. Most larger organisations outsource to some degree or another,we've all known what it's like to get telemarketingcalls or support calls, or collections calls from anoutsourced vendor, especially one that's offshore, so that thecompany can have like a 24 hours shop. And so at night, when it's night here and people are sleeping here, there's another shop fully operational on the other side of the world. When you outsource or you hire vendors, which almost everybody is going to do some way or another, there's got to be some management of that as well. And that vendor or outsourcer management will communicate with the vendors or outsourcers, manage the relationship, ensure we have the level of support we require, communicate issues and project-related issues. And we'll provide service-level reports to management and upper management, as well as review contracts in our infrastructure, operations, and maintenance. We'll have an operations manager who is responsible for computer operations personnel and the security of the computer room. Larger organisations will break out these roles like this. In smaller organizations, you might wear many hats, but in a larger organization, you might have just an operations manager for the computer room, computer operations, and computer security. And then you'll have a control group, and they're responsible for actually doing the input and output of the data. For the user community, you might have someone who manages just the media. They're the tape librarian, and all the backups go to them. And they don't themselves do any backups or restore anything, but they're the custodians of the tapes, the media, the sources, the source code, or the source discs for applications and operating systems. And they'll be responsible for all theremovable media, for recording it, storing it, issuing it, documenting it, and maintaining it. You'll also have data entry. Realize that not all data entry involves someone sitting there actually typing. You can have much more automated data entry like point of sale, cash registers, barcode scanning, or even something really big like a SCADA system for supervisory control and data acquisition. SCADA is something for large plant processes like heating, ventilating, and air conditioning. It could also happen in power plants, airports, or waste treatment facilities. So you can have big automated systems that are also collecting data about the system. It could be on the manufacturing floor. So it's not just individual people inputting data or taking customer information on the phone. It could be automated or semi automated.And this data entry can be collected and then just put into huge batch processes at night. And so you want to be looking at where all the data is coming from, and where is all the data entry—is it automated by individuals? And look at it and see if anyone's checking to make sure this data is actually correct. You have a variety of different IT administrators. In a smaller organization, one person may wear all hats, or there may be two. But in a larger organization, you'll have someone managing the servers and the systems. Someone or someones will be in charge of just security, and someone or someones will be in charge of just the database. The database administrator determines who has access to the database and makes sure that the database management system is running properly. You'll also have a network person or people. You'll also have quality assurance. And in quality assurance, we're just trying to make sure that at every stage, things are as they should be, so that we don't get too far down the line here. Oh, there's a problem, but each stage serves as a checkpoint to ensure that we can keep going and that all functions are functioning properly, and that we won't discover a problem later on. Also, when we talk about quality assurance, you're going to want to look at the responsibilities and who's managing it. So is quality assurance responsibilities? Well, let's maintain our department standards. Let's support the development of applications or systems. Let's make sure that the data that is being processed retains its integrity and remains accurate, and let's continue to develop and deliver quality assurance standards, procedures, and training. Now, in a larger organization, you'll see a very common role. It is typically an entry-level position known as a systems analyst. Sometimes they're called business analysts, and sometimes they're called business systems analysts. But it's usually something analysts do. These are the people; they are not necessarily highly technical, such as programmers or application developers, but they serve as the link between users and what they require and developers. So if you work in the software development lifecycle or system development lifecycle, like I have and do, you have people who work with the end users and try to understand what it is that the end user really needs. Then these people, these analysts, understand enough about the process and system development to articulate it in such a way that the actual programmer, developer, or app developer can simply implement it. So this is the go-between: the end user and the people who are developing applications, because large organisations frequently develop their own applications because you can't just buy what you need off the shelf. So you've got in-house development. So when we are looking at system analysts, we need to see that these are the folks who are researching, planning, and designing high-level systems and software, and they're preparing these high-level documents so that the programmers can understand exactly what they need to prepare. And also, they're working with the users to make sure they are satisfied, even setting up user training. The security architect is someone who is responsible for designing all of the security. And so we're planning it, designing it, recreating it, and evaluating all of our security systems. We're developing a security policy; we're applying the requirements. and the security architect will work with the IS auditor to incorporate. If the auditor says, "Oh, did you look at this? Maybe you missed that," then the architect can incorporate that feedback into the plans. Obviously, the security architect and the auditor should never be the same person. They should be completely independent of each other. And the reason why you don't audit your own stuff except just in the beginning is because it's just like you don't proofread your own writing because you'll miss something, something that you're so used to, that you just glaze over it and don't even see it. Then you have the application developer. Like I said, most large organisations develop their own applications. Or maybe it's not to be used in houses per se, but it's a product that's going to be sold. And so if it's an in-house thing, you're probably working with the business analysts, or the BSAs, or BAs, or whatever you want to call them, to understand what it is the end users need. And now the app developers are actually writing the code to develop whatever this application is. The infrastructure person, the infrastructure developer, is the person who's going to be responsible for setting up desktops, hardware, networking, and making sure that operating systems are installed. And so they're not developing applications, butthey're putting together systems and making surethat all of the It infrastructure isfunctioning from desktops to communications. Something that's really critical that the IS auditor needs to be aware of and be looking for is something called separation of duties or segregation of duties. The bottom line of segregation of duties is that you don't want one person who has the opportunity and enough different roles that they play to give them the opportunity to commit misconduct, irregularities, or something else while also being able to hide it. There must be sufficient separations to necessitate collusion. It takes, like, two or three people working together to perpetrate something like this. So, for example, I'm not a developer and an auditor. I'm not a developer or a tester. I don't backup and restore. I don't have the ability to sign a check or determine when it's okay to even issue a check. I don't decide when to buy and what to buy at the same time without someone else reviewing it. So there's always got to be some interjection by somebody else so that I can't deliberately do things and hide them. That's the whole idea behind segregation and separation of duties. We don't want one individual to have too much power or responsibility so that they can perpetrate fraud or misconduct or irregularities of any kind. So when we talk about segregation of duties, we'relooking at who has the authority to authorise differenttasks, who manages transactions and records them? who controls the assets, sources them, or has custody of whatever. So these are the things that we want to be looking at, making sure that they're segregated into different mechanisms. So we want to make sure that if you're going to do a transaction, it's got to be authorised by someone else. If you're going to have custody of assets, you can't use them; somebody else uses them, and you just simply take care of them. If you have access to data, maybe you can write, but you can't read, or vice versa. Or maybe you can read and write, but you can't delete. Or it takes a supervisor to override something in order to sort of compensate for this. We have a concept called compensating controls. Compensating controls just make sure that we interject somebody else in there. We have audit trails; we have independent reconciliation of records; we have independent verification. We have exception reports, we have transaction logs, we have supervisory review, we have forced vacations, we have rotation of job duties, and we have separation of job duties. all these things to make sure there's no opportunity for fraud or for people to hide irregularities. So when we're evaluating the organisational structure, you need to review the ORG chart and the job descriptions to identify key roles and responsibilities. Are people actually doing what they're supposed to do? Look at the key functions on the job. Make sure that the job description and the structures are adequate, or are you missing something? Hey, who's doing this? Nobody's doing this. Look for those kinds of gaps and holes and verify that there is proper segregation of duties and controls within the IT department. The next thing we're going to talk about is its strategy.

3. Security Policies

Continuing our conversation on IT governance, let's talk about the components of an information security policy. When you look at the information security policy, remember how we talked earlier that the policy can be as simple as just a page with a few paragraphs or can be 100 pages with all kinds of subparts. We saw that we can go to SANS.org and download policy templates that we can use as sort of a framework to develop our own security policy. As an IS auditor, when I ask to see the IS security policy, I expect to see a definition of what IS security is and what the policy objectives and scope are. I want to understand management's philosophy on security and their appetite for risk. I want to understand their role in incident reporting and what control framework they're actually using—what kinds of controls. I want to understand their whole organisational practise and process. I want to understand how they intend to educate, train, and continue to train employees, how they intend to enforce their security plans, and how they intend to evaluate the plans. and also any additional resources and documentation. I want to see all of it. So, different policy types We know that the policy can have many subparts, and we saw that it could be anything from mobile to authentication to server to patch management. Here are some examples. There can be a sort of overall policy for how we classify data and what's considered acceptable use, like you're not allowed to use email for private purposes. Realize that the company could look at your emailor anything you create on company property is notcompletely private and there are some grey areas. There is, of course, also the end user and access control. So, depending on what is appropriate for your organisation in terms of policy maintenance, your policy will include these and many, many other topics. You can't just write a policy once and expect it to last forever. That policy should be reviewed every year if possible and updated because threats will change and the nature of your business will change. So you should see if people are reviewing their policies on a regular basis. I want to see when the last time you reviewed this was. When did you update it? Why did you update it? And let me just see, what is your requirement for reviewing and updating? What did you add? What did you delete or retire or phase out? And above all, I want to see you document these. So, like, this paragraph has nowbeen superseded by that paragraph. And it's good to have an old one and a new one, or to have the old one with the new one. The old one, as you see it, has the lines struck out, and then you see the new paragraphs underneath it. So you can see the before and after right there. So these are different ways. I want to actually track the change control on this. So when we have standards, remember it all starts with a policy. The policy then may refer to standards, which, remember, are mandatory. The required procedures are: how do we actually implement this? And remember, of course, guidelines are suggested practises to help us implement our standards in our policy. Policy should acknowledge any regulatory or legislative issues. So, like, do you fall underneath socks or do you fall underneath HIPAA? Or what regulations do you fall under? And also what is required by law for backup and recovery, storage, and acceptable levels of service. Are there any laws regarding confidentiality or service availability or privacy? Are there any corporate governance requirements? There's probably going to be something for most businesses. Certainly if you're financial or if your health, you'refor sure going to have lots of these. Also, business continuity and disaster recovery plan review and testing I want to see if there are any legislative requirements for those as well. Here are some governance standards in the US. You are not required to memorise them, but you should know in general what they do. So here's Sarbanes Oxley, also known as Sarbox or Sox. And the bottom line of this is that top management is now personally responsible for the accuracy of financial information, and there are severe penalties for fraudulent financial activity. Then there's HIPAA. The Health Insurance Portability and Accountability Act This guarantees that individuals' health information is properly protected. If you've been to a drugstore or a pharmacy recently, you've probably seen HIPAA in action, where they have you stand back from the customer being helped so that their privacy is protected, or if you've had to sign a logbook. And here's where we assure that individual health information is properly protected, all the while still allowing the flow of information that's needed to provide and promote high-quality health care and protect the public's health as well as individual health. Then there's something called GLBA. Graham Leach Briley act. This is basically allows now commercial banks, investmentbanks, security firms, insurance companies, they're actually nowallowed to consolidate and it's no longer considereda monopoly in some cases. Here's. FISMA and FISMA It recognises the importance of information security to the economic and national security interests of the United States. And it basically states that all federal agencies must develop and implement an IS security plan, also known as an information security plan. Here's something called the COSO Committee of Sponsoring Organizations of the Treadway Commission. It is basically five private sector organizations, and they established a common internal control model for companies and organisations to assess their own control systems. Here is the NIST SP 800 series: And this is just a way of formalising the publication of documents that are of interest to the computer security community. And so they started this so that there would be an actual separate identity for publications, specifically NIST publications for IT security. They also report on their own lab, the information technology lab, the lab's research, the guidelines, and outreach efforts to collaborate with industry, government, and academic organizations. So when you are evaluating its policies, standards, and procedures for compliance, you need to know what standards and regulations actually apply to this business. You need to know that. You need to review each policy to determine if it supports the standards and the business objectives. You need to determine if the policies that apply to third parties, outsources, and vendors are also in compliance with the enterprise policies. You need to document and report which policies don't comply with the enterprise objectives, and you need to review IT procedures to make sure they fulfil all the necessary control objectives and approach and support all of the relevant IT policies.

4. IT Strategy

Let's now talk about its strategy. We know that the strategy for the IT department has got to align with business goals and objectives. And so we need to make sure, as a team, that it does indeed need to align with the business goals. And the strategy also has to say, "How will this thing—we bought this technology—actually support the business strategy?" We're not going to buy new technology just because it's cool. We're going to buy it because it will support a business objective. And how cost-effective is it for us to implement this as opposed to something else? Also, where do we go to acquire the resources we need—what personnel do we need, what vendors do we need, what bids do we need to acquire whatever we want? And always, always, is IT aligning with the business strategy? Clearly, we have strategic planning. And as an IS auditor, I want to see that they are doing strategic planning, and I want to make sure that they have the planning, because organisations will do the planning to determine how to improve their business processes. Can we always improve our process when you achieve what you want? And we have the planning necessary to develop short- and long-term strategic plans. and you don't develop it with just one person. You have a large number of people—a large number of stakeholders—involved in strategic planning. And if you want your IT department to support your strategic plans, give them a voice. Make sure they understand that you may not necessarily act on all recommendations because of a higher need, a budget limit, or something else, or because there is a strategic direction. But give them a voice and let representatives from different departments help contribute input, and then they can then be advocates for the strategic plan back in their own departments. So what are the focus areas for our strategic plan? What's the demand? Do we need it? Let's assess it, and how good is it? And then let's plan for it. Now that your strategy committee is formed, you can have it linked to the board of directors. It's going to be focused on advising the board on strategy options, risk, value, and performance factors. The board is going to depend on you, the folks on the ground, to know what it is you're talking about. And so this strategy committee is going to make recommendations based on their discoveries and what they know. It will also have a steering committee. And these are senior management, personnel management, and departments. And the whole idea with the steering committee is that we're overseeing all the activities under the overall direction of the whole function in the organization. And we're making sure that we stay in alignment with the business objectives, the corporate mission, and the objectives of the company. The IT steering committee has common functions. We can see these. So we perform reviews of the long and short-term objectives. We review all the hardware and software acquisitions. We monitor all the major projects. We establish the strategies for outsourcing,we review and monitor resource allocation,and we make responsibility assignments. So you're responsible for this, and you're responsible for that. We provide support for the IS management plan and we report all IS activities. So that's the steering committee. So as an auditor, I expect to see: is there a functioning IT Steering Committee? Of course, this is a small organisation in a large organization. It might be considerably condensed. You might not have that sort of breakout. But a lot of this ISAACASISA auditing is aimed at larger organisations that need large amounts of auditing. In an enterprise architecture, we need to havethe enterprise architecture is this framework that helpsus design, plan and implement and track theIt assets and of course, align the investmentswith the business strategy as It. If we're going to buy a bunch of servers, does it support the business strategy? So, like my example, when we were working in Africa, we didn't buy expensive stuff because the business strategy was that we knew the reality of the environment. And so we understood that there would have to be a turnover of equipment just because of the harshness of the environment and the conditions. the enterprise approach. So the technology approach focuses on the IT assets, and the business process approach focuses on specific processes that are used to run a business. So when you're evaluating the IT strategy, you want to make sure that the strategic plan includes a process and planning framework to develop the plan. You want to review the plan. You want to update it on a regular schedule. You want to review the communication plan and review the monitoring and evaluation requirements for the plan. You want to make sure that the proper individuals were involved in creating the plan. So we want to make sure that the steering committee, the strategy committee, and senior IT management are all involved. We want to verify that the plan fully supports the overall business strategy and that the strategic plan matches what is currently being done throughout the organisation as well.

5. Organizational Compliance

Let's continue our conversation. Let's talk about organisational compliance. Now, taking a look over here, we're looking at how compliant the organisation is with policy standards and procedures. And there are some process improvement models that can also be considered as well. These maturity and process improvement models are designed to help organisations grow business while improving their processes. So one started out called the Capability Maturity Model, and it was basically a way of formalising what a company's ability to develop software was: their processes. And so a government could determine what their maturity model was for determining whether or not they wanted to have this company as a vendor to develop software for the government. And so it was a tool for objectively assessing processes for developing contracted software projects. It was replaced a little bit later by something called CMMI, or Capability Maturity Model Integration. And it sorted out the problem that if you have multiple models, it becomes really cumbersome for software development processes. So now CM is more of a theoretical model and has been superseded by CMMI. Again, you don't need to memorise these, but you need to know in general that they exist and what they are. There's also this idea called ISO 15504, also known as the Software Process Improvement and Capability Determination or Spice. And these are technical standard documents for computer software development processes and related business management functions. So when you're ensuring organisational compliance, you want to look at the compliance framework that they're using, and you might even look at their maturity model. You will want to observe and interview personnel and survey information system functions to determine if standards, policies, and procedures are being followed and evaluate control systems in place to ensure that they are effective.

Go to testing centre with ease on our mind when you use Isaca CISA vce exam dumps, practice test questions and answers. Isaca CISA Certified Information Systems Auditor certification practice test questions and answers, study guide, exam dumps and video training course in vce format to help you study with ease. Prepare with confidence and study using Isaca CISA exam dumps & practice test questions and answers vce from ExamCollection.