CISA Ch 2 - Governance and Management of IT


Benchmarking

A process of continuously measuring system results, comparing those results to optimal system performance (industry standards or best practices), and identifying steps and procedures to improve system performance

Request for proposal

A document specifying all the system requirements and soliciting a proposal from each vendor contacted

Ways to use performance measures

1. Measure products/services 2. Manage products/services 3. Ensure accountability 4. Make budget decisions 5. Optimize performance

IT Governance Focus Areas

1. Strategic Alignment 2. Value Delivery 3. Risk Management 4. Resource Management 5. Performance Management

IT Strategy Committee

As a committee of the board, it assists the board in overseeing the enterprise's IT-related matters by ensuring that the board has the internal and external information it requires for effective IT governance decision making.

Exception reporting

Identifying data that is not within "normal limits" so that managers can follow up and take corrective action; should require evidence, such as initials on a report, noting that the exception has been handled properly

Business continuity plan

Provides procedures for emergency responses, extended backup operations, and post-disaster recovery

Data Entry

The process of getting information into a database, usually done by people typing it in by way of data-entry forms designed to simplify the process

Key performance indicators

The quantifiable metrics a company uses to evaluate progress toward critical success factors

Federal Enterprise Architecture (FEA)

a business- and performance-based framework to support cross-agency collaboration, transformation and government-wide improvement

IT Steering Committee

a committee, comprised of a group of managers and staff representing various organizational units, set up to establish IT priorities and to ensure that the MIS function is meeting the needs of the enterprise

Disaster recovery plan

a detailed process for recovering information or an IT system in the event of a catastrophic disaster such as a fire or flood

Business continuity policy

a document approved by top management that defines the extent and scope of the business continuity effort within the organization

Service Level Agreement (SLA)

a document that provides a company with a performance guarantee for services outsourced to a vendor

Crisis

a major incident that can have serious material impact on the continued functioning of the business and may also adversely impact other systems or third parties

Zachman Framework for Enterprise Architecture

a model framework that is a starting point for many contemporary EA projects; it helps move IT projects from abstract to physical using models and representations with progressively greater levels of detail

Desk-based evaluation/paper test

a paper walk-through of the BCP, involving major players in the plan's execution who reason out what might happen in a particular type of service disruption

IT Balanced Scorecard (BSC)

a process management evaluation technique that can be applied to the IT governance process in assessing the IT functions and processes; supplements traditional financial evaluation with measures concerning user satisfaction, internal processes and the ability to innovate

Restoration plan

a process to return operations to normality whether in a restored or new facility

Transaction logs

a record of transactions (can be logged manually or automatically)

IT Governance

a structure of relationships and processes used to direct and control the enterprise toward achievement of its goals by adding value while balancing risk vs. return over IT and its processes

Pandemic

an epidemic or outbreak of infectious disease in humans that has the ability to spread rapidly over large areas

Threat

any circumstance or event with the potential to cause harm (such as destruction, disclosure, modification of data and/or denial of service) to an information resource

Incident

any unexpected event, even if it causes no significant damage

Segregation of Duties

avoids the possibility that a single person could be responsible for diverse and critical functions in such a way that errors or misappropriations could occur and not be detected in a timely manner and in the normal course of business processes

Vulnerabilities

characteristics of information resources that can be exploited by a threat to cause harm

Outsourcing

contractual agreements under which an organization hands over control of part or all of the functions of the IS department to an external party

Recovery cost

cost of activating the business continuity plan (alternative corrective measures); it decreases as the chosen recovery time target is lengthened, since a faster recovery requires more expensive standby arrangements

Downtime cost

costs incurred during the period after a disaster in which the business is not functioning; cost grows quickly with time, where the impact of a disruption increases the longer it lasts
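The two definitions above describe cost curves that move in opposite directions, so the defensible recovery time target is the one that minimises their sum. The following is an added example, not part of the CISA text or this study set: it models a handful of standby options (hot site, warm site, cold site, rebuild) and a downtime cost that grows with outage length, then picks the option with the lowest combined cost. Every figure, option name and the quadratic escalation term are constructed assumptions for illustration.

```python
"""Recovery cost vs. downtime cost for a recovery-time target.

Added example (not from the CISA text): the two cost curves defined above
move in opposite directions, so the defensible recovery-time target is the
one that minimises their sum. Every figure and option name here is a
constructed assumption for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RecoveryOption:
    """A standby arrangement and the recovery time it can achieve."""
    name: str           # assumed labels, e.g. "hot site"
    rto_hours: float    # recovery-time target the arrangement supports
    annual_cost: float  # annualised cost of keeping it ready (recovery cost)


# Constructed options: the shorter the achievable recovery time, the more the
# arrangement costs, which is the recovery-cost curve from the definition above.
OPTIONS = [
    RecoveryOption("hot site", rto_hours=2, annual_cost=400_000),
    RecoveryOption("warm site", rto_hours=24, annual_cost=150_000),
    RecoveryOption("cold site", rto_hours=96, annual_cost=50_000),
    RecoveryOption("rebuild from scratch", rto_hours=336, annual_cost=10_000),
]


def downtime_cost(hours: float, hourly_loss: float, escalation: float) -> float:
    """Loss from a single outage lasting `hours`.

    The linear term is direct lost revenue; the quadratic term models the
    definition's point that impact grows faster the longer the disruption
    lasts (customer attrition, penalties). Both coefficients are assumptions.
    """
    return hourly_loss * hours + escalation * hours ** 2


def total_cost(option: RecoveryOption, hourly_loss: float, escalation: float,
               disruptions_per_year: float) -> float:
    """Recovery cost plus expected annual downtime cost at the option's RTO."""
    expected_downtime = disruptions_per_year * downtime_cost(
        option.rto_hours, hourly_loss, escalation)
    return option.annual_cost + expected_downtime


def choose_recovery_target(options, hourly_loss, escalation, disruptions_per_year):
    """Return (option, combined cost) for the option with the cheapest combined cost."""
    scored = [(o, total_cost(o, hourly_loss, escalation, disruptions_per_year))
              for o in options]
    return min(scored, key=lambda pair: pair[1])


if __name__ == "__main__":
    # Constructed business inputs: 2,000 per hour direct loss, escalation
    # coefficient 50, one disruption expected per year.
    for o in OPTIONS:
        print(f"{o.name:22s} RTO={o.rto_hours:>5.0f}h  "
              f"combined={total_cost(o, 2_000, 50, 1):>12,.0f}")
    best, cost = choose_recovery_target(OPTIONS, 2_000, 50, 1)
    print(f"cheapest defensible target: {best.name} "
          f"({best.rto_hours:.0f}h), combined cost {cost:,.0f}")
```

With these inputs the hot site is overpaid for and the cold site lets downtime cost run away, so the warm site wins; change the hourly loss or the escalation coefficient and the optimum shifts, which is exactly the trade-off the BIA has to quantify.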

Database Administrator (DBA)

custodian of an organization's data; defines and maintains the data structures in the corporate database system

Duties that should be segregated

custody of the assets, authorization, recording transactions

Impact

the result of a threat agent exploiting a vulnerability

Procedures

detailed steps defined and documented for implementing policies

Risk ranking

determination of risk based upon the impact derived from the critical recovery time period, as well as the likelihood that an adverse disruption will occur (critical, vital, sensitive, nonsensitive)

Disasters

disruptions that cause critical information resources to be inoperative for a period of time, adversely impacting organizational operations

Value Delivery

executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing costs and proving the intrinsic value of IT

SOC 1 Report

focuses solely on controls at a service organization that are likely to be relevant to an audit of a user entity's financial statements

Strategic Alignment

focuses on ensuring the linkage of business and IT plans; defining, maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations

Information Security Governance

governance focused on specific value drivers: confidentiality, integrity, and availability of information, continuity of services and protection of information assets

IT Portfolio Management

has an explicitly directive, strategic goal in determining what the enterprise will continue to invest in vs. what the enterprise will divest

Audit trails

help the IS and user departments as well as the IS auditor by providing a map to retrace the flow of a transaction; recreates the actual transaction flow from the point of origination to its existence on an updated file

Quality Assurance (QA)

helps the IS department to ensure that personnel are following prescribed quality processes

Policy

high-level document that represents the corporate philosophy of an organization

Risk analysis calculation

how risk is calculated; uses either qualitative or quantitative means

Negligible incident

incident that causes no perceptible or significant damage

Major incidents

incidents that cause a negative material impact on business processes and may affect other systems, departments or even outside clients

Minor incidents

incidents that, while not negligible, produce no negative material (of relative importance) or financial impact

Reconciliation

independent verification typically performed by the user that increases the level of confidence that the application processed successfully and the data are in proper balance
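Reconciliation, exception reporting (defined earlier on this page) and audit trails are easier to see together on one transaction log. The following is an added example, not from the CISA text or this study set: it parses a small constructed log, reconciles posted count and value against the batch control totals, lists items outside "normal limits" together with the evidence that each was followed up, and retraces one transaction from entry to posting. The log format, the amount limit, the sign-off register and every log line are constructed for illustration.

```python
"""Transaction log -> reconciliation, exception report and audit trail.

Added example (not from the CISA text) tying together three controls defined
on this page: reconciliation of a batch against its control totals, exception
reporting for items outside normal limits with evidence that each exception
was handled, and an audit trail that retraces one transaction from entry to
posting. The log format, thresholds, sign-off register and every log line are
constructed for illustration.
"""
from collections import defaultdict
from decimal import Decimal

# Constructed log: one event per line, key=value fields. T003 is entered but
# never posted, so the batch will not balance.
LOG = """\
2024-03-01T09:12:03 batch=B17 txn=T001 event=ENTERED user=alice amount=1200.00
2024-03-01T09:12:40 batch=B17 txn=T001 event=APPROVED user=bob amount=1200.00
2024-03-01T09:13:02 batch=B17 txn=T001 event=POSTED user=system amount=1200.00
2024-03-01T09:20:11 batch=B17 txn=T002 event=ENTERED user=alice amount=48000.00
2024-03-01T09:21:00 batch=B17 txn=T002 event=APPROVED user=bob amount=48000.00
2024-03-01T09:21:30 batch=B17 txn=T002 event=POSTED user=system amount=48000.00
2024-03-01T09:30:00 batch=B17 txn=T003 event=ENTERED user=carol amount=310.00
"""

# Constructed batch control totals supplied with the input: what the user
# department expects to have been posted.
BATCH_HEADER = {"B17": {"count": 3, "total": Decimal("49510.00")}}

# Constructed "normal limits" and the evidence register for handled exceptions.
AMOUNT_LIMIT = Decimal("10000.00")
SIGN_OFFS = {"T002": "reviewed 2024-03-01, initials BK"}


def parse_log(text):
    """Parse lines into dicts; amounts are Decimal so totals reconcile exactly."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = {"ts": ts}
        for field in fields:
            key, _, value = field.partition("=")
            rec[key] = Decimal(value) if key == "amount" else value
        events.append(rec)
    return events


def reconcile(events, header=BATCH_HEADER):
    """Compare posted count and value per batch with the control totals."""
    posted = defaultdict(lambda: {"count": 0, "total": Decimal("0")})
    for e in events:
        if e["event"] == "POSTED":
            posted[e["batch"]]["count"] += 1
            posted[e["batch"]]["total"] += e["amount"]
    results = {}
    for batch, expected in header.items():
        got = posted[batch]
        results[batch] = {
            "balanced": got["count"] == expected["count"] and got["total"] == expected["total"],
            "count_diff": got["count"] - expected["count"],
            "value_diff": got["total"] - expected["total"],
        }
    return results


def exception_report(events, limit=AMOUNT_LIMIT, sign_offs=SIGN_OFFS):
    """Items outside normal limits, each with its handling evidence (or lack of it)."""
    by_txn = defaultdict(list)
    for e in events:
        by_txn[e["txn"]].append(e)
    report = []
    for txn, evs in sorted(by_txn.items()):
        reasons = []
        if evs[0]["amount"] > limit:
            reasons.append(f"amount {evs[0]['amount']} exceeds limit {limit}")
        if not any(e["event"] == "POSTED" for e in evs):
            reasons.append("entered but never posted")
        if reasons:
            report.append({"txn": txn, "reasons": reasons,
                           "evidence": sign_offs.get(txn),
                           "handled": txn in sign_offs})
    return report


def audit_trail(events, txn):
    """Retrace one transaction from origination to its posted state."""
    return [(e["ts"], e["event"], e["user"]) for e in events if e["txn"] == txn]


if __name__ == "__main__":
    evs = parse_log(LOG)
    print("reconciliation:", reconcile(evs))
    for x in exception_report(evs):
        status = "handled: " + x["evidence"] if x["handled"] else "NO EVIDENCE OF FOLLOW-UP"
        print("exception", x["txn"], "; ".join(x["reasons"]), "->", status)
    print("trail T001:", audit_trail(evs, "T001"))
```

The reconciliation is deliberately left out of balance (one record and 310.00 short) so that the report shows both a handled exception with its initials on record and an unhandled one, which is the follow-up evidence the exception-reporting definition requires.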

Process Integration

integration of an organization's management assurance processes for security

Compensating controls

internal controls that are intended to reduce the risk of an existing or potential control weakness when duties cannot be appropriately segregated
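The segregation-of-duties definitions above (the principle, the three duties to separate, and compensating controls where separation is not possible) translate directly into an access-review check. The following is an added example, not from the CISA text or this study set: given a constructed role model that maps each role to the duties it grants per business process, it flags any user holding two or more of authorization, custody and recording in the same process, then looks each conflict up in a register of compensating controls to separate mitigated from unmitigated findings. Role names, users, processes and controls are all assumptions.

```python
"""Segregation-of-duties conflict check with compensating-control lookup.

Added example (not from the CISA text). It applies the three duties that the
definitions above say must be separated (authorization, custody of assets,
recording of transactions) to a constructed role model: a user who holds two
or more of the three duties within the same business process is a conflict,
and the conflict is only acceptable if a compensating control is on record.
Role names, users, processes and controls are all assumptions.
"""
from collections import defaultdict

DUTIES = frozenset({"authorization", "custody", "recording"})

# Constructed role model: role -> process -> duties the role grants.
ROLE_DUTIES = {
    "ap_clerk":         {"payments": {"recording"}},
    "ap_approver":      {"payments": {"authorization"}},
    "treasury_release": {"payments": {"custody"}},
    "payroll_admin":    {"payroll":  {"recording", "authorization"}},  # conflict built into one role
    "gl_viewer":        {"ledger":   set()},                            # read-only, grants no duty
}

# Constructed user-to-role assignments.
ASSIGNMENTS = {
    "alice": ["ap_clerk", "ap_approver"],       # enters and approves payments
    "bob":   ["ap_clerk", "gl_viewer"],         # clean
    "carol": ["payroll_admin"],                 # conflict, but compensated below
    "dave":  ["ap_clerk", "treasury_release"],  # records and releases payments
}

# Constructed register of compensating controls keyed by (user, process).
COMPENSATING_CONTROLS = {
    ("carol", "payroll"): "monthly payroll reconciliation reviewed and initialled by finance director",
}


def duties_by_process(roles, role_duties=ROLE_DUTIES):
    """Union of the duties a set of roles grants, per business process."""
    held = defaultdict(set)
    for role in roles:
        for process, duties in role_duties.get(role, {}).items():
            unknown = duties - DUTIES
            if unknown:
                raise ValueError(f"{role}: unknown duties {sorted(unknown)}")
            held[process] |= duties
    return held


def sod_conflicts(assignments=ASSIGNMENTS, role_duties=ROLE_DUTIES):
    """Users holding two or more of the three duties within one process."""
    conflicts = []
    for user, roles in sorted(assignments.items()):
        for process, duties in sorted(duties_by_process(roles, role_duties).items()):
            if len(duties) >= 2:
                conflicts.append((user, process, frozenset(duties)))
    return conflicts


def assess(conflicts, controls=COMPENSATING_CONTROLS):
    """Attach the compensating-control status to each conflict."""
    findings = []
    for user, process, duties in conflicts:
        control = controls.get((user, process))
        findings.append({
            "user": user,
            "process": process,
            "duties": sorted(duties),
            "status": "mitigated" if control else "unmitigated",
            "compensating_control": control,
        })
    return findings


def unmitigated_users(assignments=ASSIGNMENTS, role_duties=ROLE_DUTIES,
                      controls=COMPENSATING_CONTROLS):
    """Users whose conflicts have no compensating control on record."""
    findings = assess(sod_conflicts(assignments, role_duties), controls)
    return sorted({f["user"] for f in findings if f["status"] == "unmitigated"})


if __name__ == "__main__":
    for f in assess(sod_conflicts()):
        note = f"  ({f['compensating_control']})" if f["compensating_control"] else ""
        print(f"{f['user']:6s} {f['process']:9s} {'+'.join(f['duties']):26s} {f['status']}{note}")
```

Note that carol's conflict comes from a single role, not from a combination of roles: checking duties rather than role names is what catches it, and the finding is closed only because the compensating control (an independent review with initials) is actually on record.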

Enterprise Architecture (EA)

involves documenting an organization's IT assets in a structured manner to facilitate understanding, management and planning for IT investments; involves both a current state and an optimized state

Change Management

involves the use of a defined and documented process to identify and apply technology improvements at the infrastructure and application level that are beneficial to the organization and involve all levels of the organization impacted by the changes

Preparedness test

localized version of a full BCP test, wherein actual resources are expended in the simulation of a system crash

Strategic Planning

long-term direction an enterprise wants to take in leveraging information technology for improving its business processes

Semi-quantitative Analysis

method that uses descriptive rankings that are associated with a numeric scale to describe the impact or likelihood of risk

Quantitative Analysis

method that uses numeric values to describe the likelihood and impact of risk, using data from several types of sources such as historic records, past experiences, industry practices and records, statistical theories, testing, and experiments (usually monetary terms)

Qualitative Analysis

method that uses words or descriptive rankings to describe the impact or likelihood of risk (high, medium, low)
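The three analysis methods defined above differ only in what goes in and what comes out: words in and words out, words tied to a numeric scale, or monetary values in and a monetary expectancy out. The following is an added example, not from the CISA text or this study set, that applies all three to the same constructed risk register. The 3x3 rating matrix, the 1-5 scales, the score bands and the register entries are assumptions; the quantitative method uses the standard single-loss and annualised-loss expectancy formulas (SLE = asset value x exposure factor, ALE = SLE x annualised rate of occurrence), which this page refers to only as "monetary terms".

```python
"""Qualitative, semi-quantitative and quantitative risk analysis.

Added example (not from the CISA text) showing the three methods defined
above applied to the same constructed risk register. The rating matrix,
the 1-5 scales, the score bands and the register entries are assumptions;
the quantitative method uses the standard single-loss / annualised-loss
expectancy formulas (SLE = asset value x exposure factor, ALE = SLE x ARO).
"""
from __future__ import annotations

from dataclasses import dataclass

# --- qualitative: words in, words out ---------------------------------------
LEVELS = ("low", "medium", "high")

# Rows are likelihood, columns are impact (assumed 3x3 matrix).
QUALITATIVE_MATRIX = {
    "low":    {"low": "low",    "medium": "low",    "high": "medium"},
    "medium": {"low": "low",    "medium": "medium", "high": "high"},
    "high":   {"low": "medium", "medium": "high",   "high": "high"},
}


def qualitative(likelihood: str, impact: str) -> str:
    """Descriptive rating from descriptive inputs."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"levels must be one of {LEVELS}")
    return QUALITATIVE_MATRIX[likelihood][impact]


# --- semi-quantitative: descriptive rankings tied to a numeric scale --------
LIKELIHOOD_SCALE = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT_SCALE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


def semi_quantitative(likelihood: str, impact: str) -> tuple[int, str]:
    """Score = likelihood rank x impact rank (1..25), banded back into words."""
    score = LIKELIHOOD_SCALE[likelihood] * IMPACT_SCALE[impact]
    if score <= 4:
        band = "low"
    elif score <= 9:
        band = "medium"
    elif score <= 15:
        band = "high"
    else:
        band = "extreme"
    return score, band


# --- quantitative: monetary values in, monetary expectancy out --------------
def quantitative(asset_value: float, exposure_factor: float, aro: float) -> tuple[float, float]:
    """Return (SLE, ALE).

    exposure_factor is the fraction of asset value lost per occurrence;
    aro is the annualised rate of occurrence, e.g. 0.2 for once in five years.
    """
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor is a fraction between 0 and 1")
    sle = asset_value * exposure_factor
    return sle, sle * aro


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float
    exposure_factor: float
    aro: float
    likelihood_word: str   # semi-quantitative ranking
    impact_word: str


# Constructed register entries.
REGISTER = [
    Risk("ransomware on file server", 500_000, 0.40, 0.20, "possible", "major"),
    Risk("laptop theft", 3_000, 1.00, 4.00, "likely", "minor"),
    Risk("data-centre flood", 2_000_000, 0.60, 0.02, "rare", "severe"),
]


def rank_by_ale(register):
    """Quantitative ranking: highest annualised loss expectancy first."""
    return sorted(register,
                  key=lambda r: quantitative(r.asset_value, r.exposure_factor, r.aro)[1],
                  reverse=True)


if __name__ == "__main__":
    for r in rank_by_ale(REGISTER):
        sle, ale = quantitative(r.asset_value, r.exposure_factor, r.aro)
        score, band = semi_quantitative(r.likelihood_word, r.impact_word)
        print(f"{r.name:28s} SLE={sle:>12,.0f} ALE={ale:>10,.0f}  semi-quant={score:>2}/{band}")
```

The register is chosen so that the methods disagree: the flood has the largest single loss, the laptop theft the most frequent, and only the annualised figure puts ransomware first; the semi-quantitative bands place the laptop and the flood in the same "medium" band despite their very different ALEs, which is the loss of resolution you accept when you cannot obtain monetary data.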

Cloud Computing

model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction

Quality Management

one of the means by which IT department-based processes are controlled, measured and improved; may include: software development/maintenance/implementation, acquisition of hardware or software, day-to-day operations, service management, security, HR management, general administration

Full operational test

one step away from an actual service disruption; a full test of the BCP

Human Resource Management

organizational policies and procedures for recruiting, selecting, training and promoting staff, measuring staff performance, disciplining staff, succession planning, and staff retention

Data manager

responsible for the data architecture in larger IT environments and tasked with managing data as a corporate asset

Security Policy

policy that communicates a coherent security standard to users, management and technical staff

Access Control Policy

policy that describes the method for defining and granting access to users to various IT resources

End-user Computing Policy

policy that describes the parameters and usage of desktop, mobile computing and other tools by users

Acceptable Use Policy

policy that includes information for all information resources and describes the organizational permissions for the usage of IT and information-related resources

High-level Information Security Policy

policy that includes statements on confidentiality, integrity, and availability

Data Classification Policy

policy that should describe the classifications, levels of control at each classification and responsibilities of all potential users including ownership

IS Management

practices that reflect the implementation of policies and procedures developed for various IS-related management activities

Statement on Standards for Attestation Engagements (SSAE 16)

provides a framework for three Service Organization Control (SOC) reporting options

End-user support manager

responsible as a liaison between the IS department and the end users

Operations manager

responsible for computer operations personnel, including all staff required to run the data center efficiently and effectively

Quality Control (QC)

responsible for conducting tests or reviews to verify and ensure that software is free from defects and meets user expectations

Applications staff

responsible for developing and maintaining applications; should work in a test-only environment

Security Administrator

responsible for ensuring that the various users are complying with the corporate security policy and controls are adequate to prevent unauthorized access to the company assets

Security architect

responsible for evaluating security technologies; designing the security aspects of the network topology, access control, identity management and other security systems; and establishing security policies and security requirements

Network administrator

responsible for key components of the infrastructure (routers, switches, firewalls, network segmentation, performance management, remote access, etc.); reports to the director of the IPF (information processing facility) or to an end-user manager

Systems administrator

responsible for maintaining major multi-user computer systems, including LANs, WLANs, WANs, PANs, SANs, intranets and extranets, and mid-range and mainframe systems

Infrastructure staff

responsible for maintaining the systems software, including the operating system

Quality Assurance (QA) manager

responsible for negotiating and facilitating quality activities in all areas of information technology

End user

responsible for operations related to business application services; used to distinguish the person for whom the product was designed from the person who programs, services, or installs applications

Project manager

responsible for planning and executing IT projects and may report to a project management officer or to the development organization

Systems development manager

responsible for programmers and analysts who implement new systems and maintain existing systems

Media manager

responsible for recording, issuing, receiving, and safeguarding all program and data files that are maintained on removable media

Control group

responsible for the collection, conversion and control of input, and the balancing and distribution of output to the user community

Systems analyst

specialist who designs systems based on the needs of the user and is usually involved during the initial phase of the system development life cycle

IS business continuity planning

specifies how to resume business processes specifically related to IS in the face of a disruptive event; should be aligned with the strategy of the organization

Business continuity

the ability of an organization to maintain its operations and services in the face of a disruptive event

Business Impact Analysis (BIA)

the activity in Business Continuity Management that identifies vital business functions and their dependencies; allows the organization to determine the maximum tolerable downtime and to quantify losses as they grow after a disruption, thus allowing the organization to make a decision on the technology used for protection and recovery of its key information assets

Governance of Enterprise IT (GEIT)

the body of issues addressed in considering how IT is applied within the enterprise

Resource Management

the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people

Risk Management

the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization

Residual Risk

the remaining level of risk once controls have been applied; can be used by management to further reduce risk by identifying those areas in which more control is needed

Governance of Outsourcing

the set of responsibilities, roles, objectives, interfaces and controls required to anticipate change and manage the introduction, maintenance, performance, costs and control of third-party provided services

Corporate Governance

the system by which business corporations are directed and controlled; a set of responsibilities and practices used by an organization's management to provide strategic direction, thereby ensuring that goals are achievable, risks are properly addressed and organizational resources are properly utilized

Sourcing

the way in which the organization will obtain the IS functions required to support the business (in-house, outsource)

Performance Management

tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery

IT disaster recovery plan

typically details the process IT personnel will use to restore the computer systems

Service desk (help desk)

unit within an organization that responds to technical questions and problems faced by users
