Time
2 hours 3 minutes
Difficulty
Advanced
CEU/CPE
5

Video Description

This lesson covers Domain 2: IT Governance. The lesson discusses the following task statements:

1. Evaluating the effectiveness of IT governance
2. Evaluating the IT organizational structure
3. Evaluating the IT strategy
4. Evaluating IT policies within the organization
5. Evaluating the adequacy of the quality management system
6. Evaluating IT management and monitoring of controls
7. Evaluating IT resource investment
8. Evaluating IT contracting strategies
9. Evaluating risk management practices
10. Evaluating monitoring and assurance practices
11. Evaluating the business continuity plan

This lesson also discusses the following knowledge statements:

1. Knowledge of IT governance and management
2. Knowledge of the purpose of IT strategy
3. Knowledge of organizational structure and roles and how they relate to IT
4. Knowledge of the process for the development of IT strategies
5. Knowledge of the organization's technological direction
6. Knowledge of relevant laws
7. Knowledge of quality management systems
8. Knowledge of using maturity models
9. Knowledge of process optimization techniques
10. Knowledge of IT resource investment
11. Knowledge of IT supplier selection
12. Knowledge of enterprise risk management
13. Knowledge of practices for reporting IT performance
14. Knowledge of IT human resource (HR) management
15. Knowledge of Business Impact Analysis (BIA)
16. Knowledge of procedures for continuity in business

Transcript

Hello. Welcome to domain number two in the preparation for your CISA exam. In this domain we'll be talking about IT governance. This comprises approximately 14% of the exam, just like domain number one did, so it is very similar in the amount of content here. What do we mean when we talk about governance? Basically, it's a way of describing the concept of having the appropriate level of authority and control over what an organization does, how it does it, who does it, what authority other people have, and being able to measure these things in order to understand whether the governance philosophy or governance policies are actually being used effectively. It also relates to our leadership, because you can't govern something if you're not in a leadership position. This stands to reason.

So we have several task statements for domain number two. We start with the first one: evaluating the effectiveness of the governance structure. So we're talking about decisions and directions, trying to understand some performance indicators. Then number two: you are looking at the IT organizational structure as it relates to human resources or personnel, whether or not management is properly supporting HR's objectives to support the business objectives. And then we have number three, the IT strategy. There's a lot that goes into the strategy for IT. We'll get into some lower-level detail about that, but knowing what direction IT is heading in, and understanding its requirements for funding and for staffing, are important considerations. Also, the IT strategy must be compared with the objectives of the business, trying to make sure there's alignment there. It doesn't make sense to spend money on IT if it doesn't help improve the business's performance or its bottom line. Then we have number four, where we evaluate the policies, standards, procedures and guidelines that we talked about in the previous section. Those are important considerations for any organization: to make sure that they have the relevant documentation, that it was produced correctly, that it's being enforced, that there are consequences when there are violations, and so on. Number five, we're looking at the quality management system: making sure that the organization has some way of detecting whether it's doing a good job, whether its products or services are up to the standard that the management of the organization has decided upon.

Second set of task statements here. We have the IT management and monitoring of controls. That's a huge topic all unto itself. If we don't have effective security controls within our environment, then there are inevitably going to be problems with information leakage, hacking incidents, and so on. We also can't overlook the need to monitor those controls to know that they're working effectively, trying to understand whether a control is doing its job correctly or if it's failing and therefore we have some work to do. Moving on to number seven, looking at the resources that are invested in IT. It doesn't make sense, as I was just mentioning a minute ago, to spend a lot of money on initiatives or hardware, software, licenses, training and so on if it's not going to contribute to the success of the organization. So that needs to be understood at a pretty low level. For number eight we're looking at contracting strategies, as far as where it makes sense to use external resources: contractors, consultants and so on. We'll talk a little bit about some of the pros and cons of doing things like outsourcing. Then we go to number nine: risk management. This is something that is an ongoing effort throughout the entire life cycle of an organization, or you could say it's an ongoing effort throughout the life cycle of a particular system. The scale is variable, but the basic idea is that you want to always be measuring your current security posture so that you can understand whether your current level of risk is acceptable or not. If it's not acceptable, then you have to decide what to do when those situations arise. Then we have number ten, where we're evaluating the monitoring and assurance processes within the organization. That kind of leads back to the security controls. Or, as I mentioned in an earlier section, it's difficult to manage something if we can't measure it.

So monitoring controls, monitoring the processes regarding things like change control and change management, making changes to your network infrastructure: all these things need to be carefully observed and managed so that you can understand their impact on the organization as a whole. Then we have number eleven: things like business continuity and disaster recovery plans need to be well understood. How does the business continue to operate if it suffers from some kind of calamity, whether it's an adversarial event or a non-adversarial event such as an earthquake or a blizzard? These are all things that need to have some level of planning understood from the beginning and also verified as a part of a DRP or BCP in order to keep the organization running when problems happen.

Alright, moving on to our knowledge statements. We've got a few of these to talk about. Having some knowledge of the IT governance structure: how does the management interface with your security overlays and your security infrastructure to keep the organization and its assets safe from theft, safe from tampering, resistant to hacking, and so on? Then we have to know the purpose of our IT strategy. That will dovetail with why we create IT policies to begin with: security policies, acceptable use policies. These are all things that impact the organization to some level, especially if they're being correctly enforced. Then we have to remember that there's some knowledge required of the organizational structure. We talked about that in the last module a little bit. Having a good org chart, knowing who reports to whom, who has the appropriate level of authority to make decisions, and so on, is what we're getting at here. Then we have a natural progression from knowledge of these roles into what happens when the policies are determined to be insufficient, or there's a need for a new policy. How do we deal with this?

Who's responsible for deciding what steps to take when a policy is deemed to be insufficient, or there's some new requirement because of a merger or an acquisition or some new initiative or new business line? New policies may need to be created to address some concerns regarding this potential additional risk. Then number five: what is the direction of the IT architecture or infrastructure? This could be something as simple as maintaining what you currently have in your organization with some plans down the road for expansion. Or maybe your organization is growing very rapidly and you need to effectively deal with adding more servers, more personnel, expanding your security infrastructure to accommodate new goals. So that's an important link there between what the organization does and how you would help it grow.

So, second set here. Number six: we cannot stress enough that it's important to understand laws and regulations regarding the organization's activities. Mainly this is done to make sure that the organization stays within the law, whether it relates to lower-level employees, middle managers, or executives at the C-level. Some expectation is there to understand what the laws are and what constitutes unlawful behavior. The auditor and everyone else must always avoid breaking the law, so as not to provide opportunities for the organization to suffer civil damages or regulatory penalties, and so on. So we want to be real careful in these areas. Number seven: knowledge of quality management systems. How do you decide which system to use to determine whether or not the quality of your products and services is up to the level that's required? There's a lot of thought and effort that might go into this, using maturity models.

We'll talk about this: how do you decide whether your organization is at a beginning stage, and when it might mature into a stage where you're measuring your performance and monitoring it, all the way up to the point where you're optimizing it? We'll look at some of those models a little bit later in this chapter. We also have to think about optimizing our processes. This relates back to the maturity model concept as well, because once you've reached the highest level of maturity, now you're optimizing. We'll talk about why that's important. Number ten: knowledge of our IT resource and investment practices. That sort of relates back to some of the task statements that we talked about for domain number two. The idea is that there's a connection between the resources allocated to buy IT resources, like servers, other hardware, software, licenses, paying for staff, paying for training. All these things are connected at some point to the performance of the business and ultimately the bottom-line profits.

One more set of knowledge statements here. Number eleven deals with how we choose suppliers and how we deal with contracts. This may not be an area of expertise for a typical auditor, but they've got to be able to understand it to some level, to know where their competencies lie and be able to pull in other people as needed, other subject matter experts perhaps, to assist when questions of dealing with third parties arise. Risk management shows up again, as it relates to the entire enterprise. This is a bigger-picture view of risk management. Of course, the people at the top tier within the organization are most concerned with the decisions that relate to the management of risk for the organization as a whole. Number thirteen: we have ideas like balanced scorecards or KPIs, key performance indicators. We'll talk about what that means a little bit later in this module. This is basically the idea, again, of measuring something so you can manage it.

Knowing what needs to be measured, and what do the numbers really mean once you're doing this? Then we have number fourteen: HR. There are a lot of different considerations for dealing with human resources. How do you properly vet people? Do you need to do background checks? What happens when someone misbehaves? What do you do when someone leaves the company voluntarily? What happens when someone gets fired? These are all things that need to be understood so that you don't have any gaps in your dealing with those details. Then we have business impact analysis, BIA. This is an important concept to think about when major changes are being considered, or when some major events have occurred and you're trying to understand how that will impact the organization overall. The last one is standards and procedures for doing your BCP and DRP activities. There are various best practices to follow for business continuity and disaster recovery, so some level of understanding needs to be in place in order to not only make sure that the documentation exists, but that it's actually being tested and reviewed on a regular basis.

Up Next

IT Governance and Management

What does CISA Domain 2 cover? Domain 2 of the CISA covers the governance and management of IT, including topics such as IT monitoring and assurance practices.

Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor