CISA Ch 2 - Governance and Management of IT
Benchmarking
A process of continuously measuring system results, comparing those results to optimal system performance (industry standards or best practices), and identifying steps and procedures to improve system performance
Request for proposal
A document specifying all the system requirements and soliciting a proposal from each vendor contacted
Ways to use performance measures
1. Measure products/services 2. Manage products/services 3. Ensure accountability 4. Make budget decisions 5. Optimize performance
IT Governance Focus Areas
1. Strategic Alignment 2. Value Delivery 3. Risk Management 4. Resource Management 5. Performance Management
IT Strategy Committee
As a committee of the board, it assists the board in overseeing the enterprise's IT-related matters by ensuring that the board has the internal and external information it requires for effective IT governance decision making.
Exception reporting
Identifying data that is not within "normal limits" so that managers can follow up and take corrective action; should require evidence, such as initials on a report, noting that the exception has been handled properly
Business continuity plan
Provides procedures for emergency responses, extended backup operations, and post-disaster recovery
Data Entry
The process of getting information into a database, usually done by people typing it in by way of data-entry forms designed to simplify the process
Key performance indicators
The quantifiable metrics a company uses to evaluate progress toward critical success factors
Federal Enterprise Architecture (FEA)
a business and performance based framework to support cross-agency collaboration, transformation and government-wide improvement
IT Steering Committee
a committee, comprised of a group of managers and staff representing various organizational units, set up to establish IT priorities and to ensure that the MIS function is meeting the needs of the enterprise
Disaster recovery plan
a detailed process for recovering information or an IT system in the event of a catastrophic disaster such as a fire or flood
Business continuity policy
a document approved by top management that defines the extent and scope of the business continuity effort within the organization
Service Level Agreement (SLA)
a document that provides a company with a performance guarantee for services outsourced to a vendor
Crisis
a major incident that can have serious material impact on the continued functioning of the business and may also adversely impact other systems or third parties
Zachman Framework for Enterprise Architecture
a model framework that is a starting point for many contemporary EA projects that helps move IT projects from abstract to physical using models and representations with progressively greater levels of detail
Desk-based evaluation/paper test
a paper walk-through of the BCP, involving major players in the plan's execution who reason out what might happen in a particular type of service disruption
IT Balanced Scorecard (BSC)
a process management evaluation technique that can be applied to the IT governance process in assessing the IT functions and processes; supplements traditional financial evaluation with measures concerning user satisfaction, internal processes and the ability to innovate
Restoration plan
a process to return operations to normality whether in a restored or new facility
Transaction logs
a record of transactions (can be logged manually or automatically)
IT Governance
a structure of relationships and processes used to direct and control the enterprise toward achievement of its goals by adding value while balancing risk vs. return over IT and its processes
Pandemic
an epidemic or outbreak of infectious diseases in humans that have the ability to spread rapidly over large areas
Threat
any circumstance or event with the potential to cause harm (such as destruction, disclosure, modification of data and/or denial of service) to an information resource
Incident
any unexpected event, even if it causes no significant damage
Segregation of Duties
avoids the possibility that a single person could be responsible for diverse and critical functions in such a way that errors or misappropriations could occur and not be detected in a timely manner and in the normal course of business processes
Vulnerabilities
characteristics of information resources that can be exploited by a threat to cause harm
Outsourcing
contractual agreements under which an organization hands over control of part or all of the functions of the IS department to an external party
Recovery cost
cost of activating the business continuity plan (alternative corrective measures), which decreases with the target chosen for recovery time
Downtime cost
costs incurred during the period after a disaster in which the business is not functioning; cost grows quickly with time, where the impact of a disruption increases the longer it lasts
Database Administrator (DBA)
custodian of an organization's data; defines and maintains the data structures in the corporate database system
Duties that should be segregated
custody of the assets, authorization, recording transactions
Impact
the result of a threat agent exploiting a vulnerability
Procedures
detailed steps defined and documented for implementing policies
Risk ranking
determination of risk based upon the impact derived from the critical recovery time period, as well as the likelihood that an adverse disruption will occur (critical, vital, sensitive, nonsensitive)
Disasters
disruptions that cause critical information resources to be inoperative for a period of time, adversely impacting organizational operations
Value Delivery
executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing costs and proving the intrinsic value of IT
SOC 1 Report
focuses solely on controls at a service organization that are likely to be relevant to an audit of a user entity's financial statements
Strategic Alignment
focuses on ensuring the linkage of business and IT plans; defining, maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations
Information Security Governance
governance focused on specific value drivers: confidentiality, integrity, and availability of information, continuity of services and protection of information assets
IT Portfolio Management
has an explicitly directive, strategic goal in determining what the enterprise will continue to invest in vs. what the enterprise will divest
Audit trails
help the IS and user departments as well as the IS auditor by providing a map to retrace the flow of a transaction; recreates the actual transaction flow from the point of origination to its existence on an updated file
Quality Assurance (QA)
helps the IS department to ensure that personnel are following prescribed quality processes
Policy
high-level document that represents the corporate philosophy of an organization
Risk analysis calculation
how risk is calculated; uses either qualitative or quantitative means
Negligible incident
incident that causes no perceptible or significant damage
Major incidents
incidents that cause a negative material impact on business processes and may affect other systems, departments or even outside clients
Minor incidents
incidents that, while not negligible, produce no negative material (of relative importance) or financial impact
Reconciliation
independent verification typically performed by the user that increases the level of confidence that the application processed successfully and the data are in proper balance
Process Integration
integration of an organization's management assurance processes for security
Compensating controls
internal controls that are intended to reduce the risk of an existing or potential control weakness when duties cannot be appropriately segregated
Enterprise Architecture (EA)
involves documenting an organization's IT assets in a structured manner to facilitate understanding, management and planning for IT investments; involves both a current state and an optimized state
Change Management
involves the use of a defined and documented process to identify and apply technology improvements at the infrastructure and application level that are beneficial to the organization and involve all levels of the organization impacted by the changes
Preparedness test
localized version of a full BCP test, wherein actual resources are expended in the simulation of a system crash
Strategic Planning
long-term direction an enterprise wants to take in leveraging information technology for improving its business processes
Semi-quantitative Analysis
method that uses descriptive rankings that are associated with a numeric scale to describe the impact or likelihood of risk
Quantitative Analysis
method that uses numeric values to describe the likelihood and impact of risk, using data from several types of sources such as historic records, past experiences, industry practices and records, statistical theories, testing, and experiments (usually monetary terms)
Qualitative Analysis
method that uses words or descriptive rankings to describe the impact or likelihood of risk (high, medium, low)
Cloud Computing
model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction
Quality Management
one of the means by which IT department-based processes are controlled, measured and improved; may include: software development/maintenance/implementation, acquisition of hardware or software, day-to-day operations, service management, security, HR management, general administration
Full operational test
one step away from an actual service disruption; a full test of the BCP
Human Resource Management
organizational policies and procedures for recruiting, selecting, training and promoting staff, measuring staff performance, disciplining staff, succession planning, and staff retention
Data manager
responsible for the data architecture in larger IT environments and tasked with managing data as a corporate asset
Security Policy
policy that communicates a coherent security standard to users, management and technical staff
Access Control Policy
policy that describes the method for defining and granting access to users to various IT resources
End-user Computing Policy
policy that describes the parameters and usage of desktop, mobile computing and other tools by users
Acceptable Use Policy
policy that includes information for all information resources and describes the organizational permissions for the usage of IT and information-related resources
High-level Information Security Policy
policy that includes statements on confidentiality, integrity, and availability
Data Classification Policy
policy that should describe the classifications, levels of control at each classification and responsibilities of all potential users including ownership
IS Management
practices that reflect the implementation of policies and procedures developed for various IS-related management activities
Statement on Standards for Attestation Engagements (SSAE 16)
provides a framework for three Service Organization Control (SOC) reporting options
End-user support manager
responsible as a liaison between the IS department and the end users
Operations manager
responsible for computer operations personnel, including all staff required to run the data center efficiently and effectively
Quality Control (QC)
responsible for conducting tests or reviews to verify and ensure that software is free from defects and meets user expectations
Applications staff
responsible for developing and maintaining applications; should work in a test-only environment
Security Administrator
responsible for ensuring that the various users are complying with the corporate security policy and controls are adequate to prevent unauthorized access to the company assets
Security architect
responsible for evaluating security technologies; designing security aspects of the network topology, access control, identity management and other security systems; and establishing security policies and security requirements
Network administrator
responsible for key components of the infrastructure (routers, switches, firewalls, network segmentation, performance management, remote access, etc.); reports to the director of the IPF or an end-user manager
Systems administrator
responsible for maintaining major multi-user computer systems, including LANs, WLANs, WANs, PANs, SANs, intranets and extranets, and mid-range and mainframe systems
Infrastructure staff
responsible for maintaining the systems software, including the operating system
Quality Assurance (QA) manager
responsible for negotiating and facilitating quality activities in all areas of information technology
End user
responsible for operations related to business application services; used to distinguish the person for whom the product was designed from the person who programs, services, or installs applications
Project manager
responsible for planning and executing IT projects and may report to a project management officer or to the development organization
Systems development manager
responsible for programmers and analysts who implement new systems and maintain existing systems
Media manager
responsible for recording, issuing, receiving, and safeguarding all program and data files that are maintained on removable media
Control group
responsible for the collection, conversion and control of input, and the balancing and distribution of output to the user community
Systems analyst
specialist who designs systems based on the needs of the user and is usually involved during the initial phase of the system development life cycle
IS business continuity planning
specifies how to resume business processes specifically related to IS in the face of a disruptive event; should be aligned with the strategy of the organization
Business continuity
the ability of an organization to maintain its operations and services in the face of a disruptive event
Business Impact Analysis (BIA)
the activity in Business Continuity Management that identifies vital business functions and their dependencies; allows the organization to determine the maximum downtime possible and to quantify losses as they grow after a disruption, thus allowing the organization to make a decision on the technology used for protection and recovery of its key information assets
Governance of Enterprise IT (GEIT)
the body of issues addressed in considering how IT is applied within the enterprise
Resource Management
the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people
Risk Management
the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization
Residual Risk
the remaining level of risk once controls have been applied; can be used by management to further reduce risk by identifying those areas in which more control is needed
Governance of Outsourcing
the set of responsibilities, roles, objectives, interfaces and controls required to anticipate change and manage the introduction, maintenance, performance, costs and control of third-party provided services
Corporate Governance
the system by which business corporations are directed and controlled; a set of responsibilities and practices used by an organization's management to provide strategic direction, thereby ensuring that goals are achievable, risks are properly addressed and organizational resources are properly utilized
Sourcing
the way in which the organization will obtain the IS functions required to support the business (in-house, outsource)
Performance Management
tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery
IT disaster recovery plan
typically details the process IT personnel will use to restore the computer systems
Service desk (help desk)
unit within an organization that responds to technical questions and problems faced by users