This lesson covers Domain 2: IT Governance. This lesson discusses the following task statements:
1. Evaluating the effectiveness of IT governance
2. Evaluating the IT organizational structure
3. Evaluating the IT strategy
4. Evaluating IT policies within the organization
5. Evaluating the adequacy of the quality management system
6. Evaluating IT management and monitoring of controls
7. Evaluating IT resource investment
8. Evaluating IT contracting strategies
9. Evaluating risk management practices
10. Evaluating monitoring and assurance practices
11. Evaluating the business continuity plan

This lesson also discusses the following knowledge statements:
1. Knowledge of IT governance and management
2. Knowledge of the purpose of IT strategy
3. Knowledge of organizational structure and roles and how they relate to IT
4. Knowledge of the process for the development of IT strategies
5. Knowledge of the organization's technological direction
6. Knowledge of relevant laws
7. Knowledge of quality management systems
8. Knowledge of using maturity models
9. Knowledge of process optimization techniques
10. Knowledge of IT resource investment
11. Knowledge of IT supplier selection
12. Knowledge of enterprise risk management
13. Knowledge of practices for reporting IT performance
14. Knowledge of IT human resource (HR) management
15. Knowledge of Business Impact Analysis (BIA)
16. Knowledge of procedures for continuity in business

Transcript

Hello. Welcome to domain number two in the preparation for your CISA exam. In this domain we'll be talking about IT governance. This comprises approximately 14% of the exam, just like domain number one did. So, very similar in the amount of content here. What do we mean when we talk about governance? Basically it's a way of describing the concept of having the appropriate level of authority and control over what an organization does.
How it does it, who does it, what authority other people have, and being able to measure these things in order to understand whether the governance philosophy or governance policies are actually being used effectively. It also relates to our leadership, because you can't govern something if you're not in a leadership position. This stands to reason. So we have several task statements for domain number two. We start with the first one: evaluating the effectiveness of the governance structure. So we're talking about decisions and directions, trying to understand some performance indicators. Then number two: you are looking at the IT organizational structure as it relates to human resources or personnel, whether or not management is properly supporting HR's objectives to support the business objectives. And then we have number three, the IT strategy. There's a lot that goes into the strategy for IT. We'll get into some lower level detail about that, but knowing what direction IT is heading in, and understanding its requirements for funding and for staffing, are important considerations. Also, the IT strategy must be compared with the objectives of the business, trying to make sure there's alignment there. It doesn't make sense to spend money on IT if it doesn't help improve the business's performance or its bottom line. Then we have number four, where we evaluate the policies, standards, procedures and guidelines that we talked about in the previous section. Those are important considerations for any organization, to make sure that they have the relevant documentation, that it was produced correctly, that it's being enforced, that there are consequences when there are violations, and so on. Number five, we're looking at the quality management system: making sure that the organization has some way of detecting whether it's doing a good job, whether its products or services are up to the standard that the management of the organization has decided upon.
Second set of task statements here. Number six, we have the IT management and monitoring of controls. That's a huge topic all unto itself. If we don't have effective security controls within our environment, then there are inevitably going to be problems with information leakage, hacking incidents, and so on. We also can't overlook the need to monitor those controls to know that they're working effectively, and to try to understand whether a control is doing its job correctly or if it's failing and therefore we have some work to do. Moving on to number seven, looking at the resources that are invested in IT. It doesn't make sense, as I was just mentioning a minute ago, to spend a lot of money on initiatives or hardware, software, licenses, training and so on, if it's not going to contribute to the success of the organization. So that needs to be understood at a pretty low level. For number eight, we're looking at contracting strategies, as far as where it makes sense to use external resources: contractors, consultants and so on. We'll talk a little bit about some of the pros and cons of doing things like outsourcing. Then we go to number nine: risk management. This is something that is an ongoing effort throughout the entire life cycle of an organization. Or you could say it's an ongoing effort throughout the life cycle of a particular system. The scale is variable. But the basic idea is that you want to always be measuring your current security posture so that you can understand whether your current level of risk is acceptable, or if it's not acceptable. If it's not acceptable, then you have to decide what to do when those situations arise. Then we have number ten, where we're evaluating the monitoring and assurance processes within the organization. That kind of leads back to the security controls. Or, as I mentioned in an earlier section, it's difficult to manage something if we can't measure it.
So monitoring controls, monitoring the processes regarding things like change control, change management, making changes to your network infrastructure: all these things need to be carefully observed and managed so that you can understand their impact on the organization as a whole. Then we have number eleven: things like business continuity and disaster recovery plans need to be well understood. How does the business continue to operate if it suffers from some kind of calamity, whether it's an adversarial event or a non-adversarial event such as an earthquake or a blizzard? These are all things that need to have some level of planning understood from the beginning, and also verified as a part of a DRP or BCP, in order to keep the organization running when problems happen. Alright, moving on to our knowledge statements. We've got a few of these to talk about. Number one: having some knowledge of the IT governance structure. How does the management interface with your security overlays and your security infrastructure to keep the organization and its assets safe from theft, safe from tampering, resistant to hacking, and so on? Then, number two, we have to know the purpose of our IT strategy. That will dovetail in with why we create IT policies to begin with: security policies, acceptable use policies. These are all things that impact the organization to some level, especially if they're being correctly enforced. Then, number three, we have to remember that there's some knowledge required of the organizational structure. We talked about that in the last module a little bit. Having a good org chart, knowing who reports to whom, who has the appropriate level of authority to make decisions, and so on, is what we're getting at here. Then, number four, we have a natural progression from knowledge of these roles into what happens when the policies are determined to be insufficient, or there's a need for a new policy. How do we deal with this?
Who's responsible for deciding what steps to take when a policy is deemed to be insufficient, or there's some new requirement because of a merger or an acquisition or some new initiative or new business line? New policies may need to be created to address some concerns regarding this potential additional risk. Then number five: what is the direction of the IT architecture or infrastructure? This could be something as simple as maintaining what you currently have in your organization, with some plans down the road for expansion. Or maybe your organization is growing very rapidly and you need to effectively deal with adding more servers, more personnel, and expanding your security infrastructure to accommodate new goals. So that's an important link there between what the organization does and how you would help it grow. So, second set here. Number six: we cannot stress enough that it's important to understand laws and regulations regarding the organization's activities. Mainly this is done to make sure that the organization stays within the law, whether it relates to lower level employees or middle managers, or executives at the C-level. Some expectation is there to understand what the laws are and what constitutes unlawful behavior. The auditor and everyone else should always avoid breaking the laws, so as not to provide opportunities for the organization to suffer civil damages or regulatory penalties, and so on. So we want to be real careful in these areas. Number seven: knowledge of quality management systems. How do you decide which system to use to determine whether or not the quality of your products and services is up to the level that's required? There's a lot of thought and effort that might go into this. Number eight: using maturity models.
We'll talk about this, like how do you decide whether your organization is at a beginning stage, and when it might mature into a stage where you're measuring your performance and monitoring it, all the way up to the point where you're optimizing that? We'll look at some of those models a little bit later in this chapter. Number nine: we also have to think about optimizing our processes. This relates back to the maturity model concept as well, because once you've reached the highest level of maturity, now you're optimizing. We'll talk about why that's important. Number ten: knowledge of our IT resource and investment practices. So that sort of relates back to some of the task statements that we talked about for domain number two. The idea is that there's a connection between the resources allocated to buy IT resources, like servers, other hardware, software, licenses, paying for staff, paying for training. All these things are connected at some point to the performance of the business and ultimately the bottom line profits. One more set of knowledge statements here. Number eleven deals with how we choose suppliers and how we deal with contracts. This may not be an area of expertise for a typical auditor, but they've got to be able to understand it to some level, to know where their competencies lie and be able to pull in other people as needed: other subject matter experts, perhaps, to assist when questions of dealing with third parties arise. Number twelve: risk management shows up again, as it relates to the entire enterprise. This is a bigger picture view of risk management. Of course, the people at the top tier within the organization are most concerned with the decisions that relate to the management of risk for the organization as a whole. Number thirteen: we have ideas like balanced scorecards or KPIs, key performance indicators. We'll talk about what that means a little bit later in this module. This is basically the idea, again, of measuring something so you can manage it.
Knowing what needs to be measured, and what do the numbers really mean once you're doing this? Then we have number fourteen: our HR. There are a lot of different considerations for dealing with human resources. How do you properly vet people? Do you need to do background checks? What happens when someone misbehaves? What do you do when someone leaves the company voluntarily? What happens when someone gets fired? These are all things that need to be understood so that you don't have any gaps in your dealing with those details. Then, number fifteen, we have business impact analysis: BIA. This is an important concept to think about when major changes are being considered, or when some major events have occurred and you're trying to understand how that will impact the organization overall. The last one, number sixteen, is standards and procedures for doing your BCP and DRP activities. So there are various best practices to follow for business continuity and disaster recovery. So some level of understanding needs to be in place in order to not only make sure that the documentation exists, but that it's actually being tested and reviewed on a regular basis.