CISA - Domain 2 - Governance and Management of IT
Certified Information Systems Auditor (CISA®)

Domain 02: Governance and Management of IT

An ISACA® Certification based on CISA® 2014 Curriculum.


Copyright 2014, Simplilearn, All rights reserved.
Copyright 2012-2014, Simplilearn, All rights reserved.
Objectives

After completing this domain, you will be able to:

● Discuss IT Governance, Security Management and Control Frameworks
● Define the best practices for Governance of Enterprise IT
● Recall information security roles and responsibilities
● Discuss governance of Enterprise IT and management frameworks
● List IS strategy, policies, standards and procedures
● Describe the best practices for Governance of Enterprise IT
● Define IT Governance focus areas
● Describe organizational structure, roles and responsibilities related to IT
● Describe development and maintenance of IT strategy and security governance and security management

Governance and Management of IT
Knowledge Statement 2.1

IT Governance, Security Management and Control

Knowledge Statement 2.1


Knowledge of IT governance, management, security and control frameworks, and related
standards, guidelines, and practices.
Explanation:

● To provide assurance to stakeholders that IT deployment is aligned with business vision, mission,
and objectives, top management may implement an IT governance framework. Such a framework will generally
include: strategic alignment, value delivery, risk management, resource management and
performance measurement.

For an introduction to Corporate Governance, please refer to the e-learning material.

IT Governance, Security Management and Control (contd.)

● Implementation of an IT governance framework will lead to:


o An IT governance framework that enables stakeholders to be assured that IT strategy is wholly
aligned to the business.
o Mitigation of risks to the organization through critical controls.
o Each control being determined by the risk it addresses.
o Management utilizing frameworks such as COBIT and those of the International Organization for Standardization
(ISO), among others, to set up good IT practices and to monitor and improve them.
o The IS auditor using such frameworks to benchmark the practices of a particular organization.

Main Areas of Coverage

The main areas covered in this knowledge statement include:


● Information Security Governance
● IS organizational structure and responsibilities
● IS Roles and Responsibilities
● Sourcing practices
● Policies
● Reviewing Contractual commitments
● Governance of Enterprise IT
● Performance Optimization

Best Practices for Governance of Enterprise IT

Governance of Enterprise IT integrates and institutionalizes good practices to ensure that
the enterprise's IT supports the business objectives. Factors leading to the rise in importance of
governance of enterprise IT:
● Business managers and boards demanding a better return on investment
● Concern over high expenditure on IT
● The need to meet regulatory requirements for IT (SOX, Basel II, HIPAA etc.)
● The selection of service providers and the management of service outsourcing and acquisition
● Increasingly complex IT-related risks such as network security

Best Practices for Governance of Enterprise IT (contd.)

● IT governance initiatives that include adoption of control frameworks and good practices to help
monitor and improve critical IT activities to increase business value and reduce business risk
● The need to optimize costs by following, where possible, standardized rather than specially
developed approaches
● The growing maturity and consequent acceptance of well-regarded frameworks
● The need for enterprises to assess how they are performing against generally accepted standards
and their peers (benchmarking)

Information Security Governance

Information security governance requires strategic direction and impetus. It requires commitment,
resources, and assigning responsibility for information security management as well as means for the
board to determine whether its intent has been met.

Role of BODs/Senior Management:


Effective information security governance is achieved only by involvement of the Board of Directors
and/or senior management in:
● approving policy,
● appropriate monitoring and metrics, and
● reporting and trend analysis.

Information Security Governance (contd.)

● Members of the board need to be aware of the organization’s information assets and their
criticality to ongoing business operations.
● This can be accomplished by periodically providing the board with the high-level results of
comprehensive risk assessments and Business Impact Analysis (BIA) and business dependency
assessments of information resources.

Roles and Responsibilities—BODs

Board members should approve the assessment of key assets to be protected


● The tone at the top must be conducive to effective security governance.
● It is unreasonable to expect lower-level personnel to abide by security measures if they are not
exercised by senior management.
● Executive management should endorse security requirements
● Penalties for noncompliance must be defined, communicated and enforced.

To learn about the Importance of Information Security, please refer to the e-learning material.

Roles and Responsibilities—Senior Management

The roles and responsibilities of senior management are as follows:

Executive management
● Implements effective security management governance and defines the strategic security
objectives of an organization.
● Focuses on all security aspects of an organization.

Steering Committee
● Should represent the respective groups or functions that are impacted by information
security.

Chief Information Security Officer (CISO)
● Ensures that good information security practices are carried out within the organization.

To learn about Governance of Enterprise IT and Management Frameworks, please refer to the e-learning material.

Governance and Management of IT
Knowledge Statement 2.2

IS Strategy, Standards, Procedures and Policies

Knowledge Statement 2.2


Knowledge of the purpose of IT strategy, policies, standards and procedures for an organization
and the essential elements of each.
Explanation:
IT Governance requires a formal framework to be effective
● IT strategies, policies, standards and procedures should be consistent with business requirements
● Effective management and monitoring of IT
● Management controls over the decisions, direction and performance of IT
Main areas of coverage:
● Governance of Enterprise IT
● Best practices for governance of Enterprise IT
● Information systems strategy

Information Systems Strategy

An IS Strategy articulates the enterprise’s long-term intention to use information systems to improve
its business processes based on the business requirements.
When formulating the IS strategy, an enterprise must consider:
● business objectives and the competitive environment;
● current and future technologies and the costs, risks and benefits they can bring to the business;
● the capability of the IT organization and technology to deliver current and future levels of service to the
business, and the extent of change and investment this might imply for the whole enterprise;
● cost of current IT and whether this provides sufficient value to the business; and
● the lessons learned from past failures and successes.

To learn about Best Practices for Governance of Enterprise IT, please refer to the e-learning material.

IT Governance Focus Areas

The focus areas of IT governance are as follows:

Strategic Alignment
This focuses on ensuring the linkage of business and IT plans by defining, maintaining and validating the IT
value proposition, and aligning IT operations with enterprise operations.

Value Delivery
This is about executing the value proposition throughout the delivery cycle, ensuring that IT
delivers the promised benefits against the strategy, concentrating on optimizing costs and proving the
intrinsic value of IT.

Risk management
Requires risk awareness by senior corporate officers, understanding of the enterprise's appetite for risk and
compliance requirements, transparency of the significant risks to the enterprise and embedding the
responsibilities into the organization.

Governance and Management of IT
Knowledge Statement 2.3

Organizational Structure, Roles and Responsibilities Related to IT

Knowledge Statement 2.3

Knowledge of the organizational structure, roles and responsibilities related to IT.

Explanation:
● Organizations must clearly define organizational structures
● Responsibilities of major functions should be outlined and documented to ensure proper
segregation of duties

Main Areas of Coverage

The main areas covered in this domain include:


● IT Governing Committees
● Information Security Governance
● Organizational Change Management
● IS Roles and Responsibilities
● IS Organizational Structures and Responsibilities

● The CISA exam will not be testing specific job responsibilities, as they may vary from one
organization to another. However, knowledge and understanding of those universally known is
needed. These include business owners, information security and executive management
functions.
● The CISA exam may also test separation of duties, also called segregation of duties.

To learn about IS Roles and Responsibilities, please refer to the e-learning material.

Segregation of Duties (SoD) Matrix

The table (not reproduced here) illustrates an example of an SoD matrix. Its rows and
columns list the various IS duties.

Note: X indicates incompatible duties.
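An SoD matrix is only useful if someone actually checks current access against it. The following is an added example (not part of the Simplilearn slides or ISACA material) that expresses a matrix of incompatible duties as data and reports every user who holds an incompatible pair. The duty names, the matrix entries and the user assignments are constructed for illustration and are not the slide's own table.

```python
from itertools import combinations

# Constructed sample matrix (illustrative duty names, not the slide's own table):
# each duty maps to the set of duties it must not be combined with. An "X" cell
# in a printed SoD matrix corresponds to one pair appearing here.
INCOMPATIBLE_DUTIES = {
    "application_programming": {"production_operations", "security_administration", "data_entry"},
    "production_operations": {"application_programming", "security_administration"},
    "security_administration": {"application_programming", "production_operations", "data_entry"},
    "data_entry": {"application_programming", "security_administration"},
    "quality_assurance": set(),
}

# Constructed sample of who currently holds which duties, as an access review would list them.
SAMPLE_ASSIGNMENTS = {
    "alice": {"application_programming", "quality_assurance"},
    "bob": {"application_programming", "production_operations"},
    "carol": {"security_administration", "data_entry", "production_operations"},
}


def build_matrix(incompatible):
    """Turn the per-duty sets into a set of unordered duty pairs.

    An SoD matrix is symmetric by definition (if A conflicts with B, B conflicts
    with A), so a one-sided entry is reported as a data error rather than silently
    mirrored: a matrix that looks complete but is not would hide real conflicts.
    """
    pairs = set()
    for duty, others in incompatible.items():
        for other in others:
            if duty not in incompatible.get(other, set()):
                raise ValueError(f"matrix is not symmetric: {duty} -> {other} has no mirror entry")
            pairs.add(frozenset((duty, other)))
    return pairs


def find_conflicts(assignments, matrix):
    """Return {user: [(duty_a, duty_b), ...]} for every user holding an incompatible pair.

    Every pairing of a user's duties is checked, so a user with three duties is
    tested against all three pairs, not just the first conflict found.
    """
    conflicts = {}
    for user, duties in assignments.items():
        for a, b in combinations(sorted(duties), 2):
            if frozenset((a, b)) in matrix:
                conflicts.setdefault(user, []).append((a, b))
    return conflicts


if __name__ == "__main__":
    matrix = build_matrix(INCOMPATIBLE_DUTIES)
    for user, pairs in find_conflicts(SAMPLE_ASSIGNMENTS, matrix).items():
        for a, b in pairs:
            print(f"{user}: holds incompatible duties {a} and {b}")
```

Run against the constructed sample, alice is clean, bob is flagged for combining programming with production operations, and carol is flagged twice. A real review would feed `find_conflicts` from the access-control system's exported entitlements and treat each hit as either a finding or a case for a documented compensating control.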

Governance and Management of IT
Knowledge Statement 2.4

Development and Maintenance of IT strategy, Procedures, Standards and Policies

Knowledge Statement 2.4


Knowledge of the processes for the development, implementation and maintenance of IT
strategy, policies, standards and procedures.

Explanation:
● IT Strategies must be defined on business objectives
● IT Strategy should continue to address both emerging and developing business risks

Main areas of coverage


● Strategic Planning
● Information Security Governance
● Information Security Management

Strategic Planning

IS Strategic planning relates to the long-term path an enterprise wants to take in leveraging
information technology for improving its business processes. Strategic planning should ensure that:
● The plans are aligned and consistent with organization goals and objectives.
● The enterprise’s requirements for IT systems and the IT organization’s capacity to deliver new
functionality through well-governed projects are considered.

The IS auditor should pay full attention to the importance of IT Strategic planning,
taking management control practices into consideration.

To learn about Information Security Governance, please refer to the e-learning material.

Information Security Governance Framework

The information security governance framework will generally consist of:


● A comprehensive security strategy intrinsically linked with business objectives;
● Governing security policies that address each aspect of strategy, controls and regulation;
● A complete set of standards for each policy to ensure that procedures and guidelines comply with
policy;
● An effective security organizational structure void of conflicts of interest; and
● Institutionalized monitoring processes to ensure compliance and provide feedback on
effectiveness.

Information Security Management

Information Security Management provides the lead role in ensuring that the organization’s information
and information processing resources under its control are properly protected.

Information Security Management is achieved through performance measurement, which entails:


● Developing a Business Impact Analysis
● Disaster Recovery Plans
● Business Continuity Plans

The major component in establishing such a connection involves the application of risk management
principles to assess risks to IT assets and mitigate these risks to an acceptable level.

To learn about Organization’s Technology Direction and IT Architecture (KS 2.5), please refer to the e-learning material.

Governance and Management of IT
Knowledge Statement 2.6

Laws, Regulations, and Industry Standards

Knowledge Statement 2.6

Knowledge of relevant laws, regulations and industry standards affecting the organization.

Explanation:
● The complexity of IT and global connectivity has led to the enactment of new regulatory
requirements.
● Globally recognized compliance requirements include protection of privacy and confidentiality of
personal data, Intellectual Property rights, and reliability of financial information.

Main Areas of Coverage

The main areas covered in this domain include:


● Auditing IT Governance Structure and Implementation
● Sourcing practices
● Segregation of duties within IS
● Segregation of duties Control
● Reviewing Documentation
● Reviewing Contractual Commitments

In the CISA Exam, the IS Auditor must be aware of these globally recognized concepts;
however, knowledge of specific legislation and regulations will not be tested.

Reviewing Documentation

The following documents should be reviewed:


● IT strategies, plans and budgets
● Security policy documentation
● Organizational/functional charts
● Job descriptions
● Steering committee reports
● System development and program change procedures
● Operations procedures
● Human Resource manuals
● Quality Assurance manuals

Review of these documents should be done to determine that they were created as management authorized
and intended, and that they are current and up to date.

Governance and Management of IT
Knowledge Statement 2.7

Quality Management Systems

Knowledge Statement 2.7

Knowledge of quality management systems

Explanation:
● Effectiveness of IT Governance efforts is dependent on the quality management strategies and
policies in the IT Governance Framework.
● IT Strategies, policies and procedures and standards should be improved over time.
● IT Strategies, policies and procedures are effective when in use, when they meet the needs and
requirements of the organization.
● Quality management strategies measure and monitor the quality of those IT policies and
procedures based on a variety of standard frameworks.

Main Areas of Coverage

The main areas covered in this domain include:


● Maturity and process improvement models
● Quality Management
● Performance optimization

The IS auditor should be aware of quality management. However, the CISA exam does
not test specifics on any ISO standards.

Quality Management

Quality management is the process by which IS department-based processes are controlled,
measured and improved.
Areas of control for quality management may include the following:
● Software development, maintenance and implementation
● Acquisition of hardware and software
● Day-to-day operations
● Service management
● Security
● HR Management
● General Administration

A good example of quality management is ISO 9001:2008.

Governance and Management of IT
Knowledge Statement 2.8

Use of Maturity Models

Knowledge Statement 2.8

Knowledge of the use of maturity models

Explanation:
● Maturity and process improvement models help enterprises evaluate the current state of internal
controls in comparison to the desired state.
● Evaluating internal controls illustrates to senior management the effectiveness, compliance and
relevance of IT procedures, tools and processes in support of alignment with business needs.

Main Areas of Coverage

The main areas covered in this domain include:


● Maturity and Process Improvement Models
● Sourcing Practices
● Quality management

The IS auditor should be aware of quality management. However, the CISA exam does
not test specifics on any ISO standards.

To learn about Maturity and Process Improvement Models, please refer to the e-learning material.

Governance and Management of IT
Knowledge Statement 2.9

Process Optimization Techniques

Knowledge Statement 2.9

Knowledge of process optimization techniques

Explanation:
● Optimization techniques eliminate unnecessary activities, thus increasing efficiency.
● Process optimization requires evaluating current state vs. the desired state and identifying
activities to migrate to the desired state.

Main Areas of Coverage:


● Performance Optimization

Performance Optimization

Performance optimization refers to the process of improving the productivity of information systems
to the highest level possible without unnecessary, additional investment in the IT infrastructure.

Performance optimization is driven by key performance indicators (KPIs) based on business
operations/processes, strategic IT solutions, and corporate strategic objectives.
The broad phases of performance measurement include:
● establishing and updating performance measures;
● establishing accountability for performance measures;
● gathering and analyzing performance measures; and
● reporting and using performance information.

To learn about Performance Optimization—Methodologies and Tools, please refer to the e-learning material.

Governance and Management of IT
Knowledge Statement 2.10

IT Resource Investment and Allocation Practices

Knowledge Statement 2.10


Knowledge of IT resource investment and allocation practices, including prioritization criteria
(e.g. portfolio management, value management, project management).

Explanation:
● IT resources are deployed to ensure service delivery and value.
● IT resource investment and allocation practices are essential to justify the investment of IT
resources to senior management.
● IT initiatives should be evaluated using techniques such as: cost/benefit analysis and planned and
forecasted resource consumption. This ensures that IT initiatives meet the needs of the
organization.

Main Areas of Coverage

The main areas covered in this domain include:


● IT Investment and Allocation Practices
● Financial Management Practices

IT Investment and Allocation Practices

Enterprises face limited resources, in terms of people and money, that can be allocated to IT
investments. IT investments can provide financial benefits such as cost reduction and non-financial
benefits such as improved customer satisfaction.

Information Technology value is determined by the relationship between what the organization will
pay and what it will receive. Key governance practices to increase the value of IT include:
● Evaluate value optimization
● Direct value optimization
● Monitor value optimization

Implementing IT Portfolio Management

Implementing IT Portfolio Management methods include:


● risk profile analysis;
● diversification of projects, infrastructure and technologies;
● continuous alignment with business goals; and
● continuous improvement.

Financial Management Practices

Financial management is a critical element of all business functions. A user-pays
scheme (a form of chargeback) can improve application monitoring of IS expenses and available
resources.

IS budgets allow for forecasting, monitoring and analyzing financial information.


● The budget allows for an adequate allocation of funds, especially in an IS environment where
expenses can be cost-intensive.
● Budget should be linked to short and long range IT plans.

Financial Management Practices (contd.)

Key points on software development costs are as follows:


● The IS auditor should know how an enterprise tracks the costs incurred in software development.
● This includes understanding the requirements for treating costs related to software that is
developed for internal use and software that is developed for sale.

Governance and Management of IT
Knowledge Statement 2.11

IT Supplier Selection, Contract and Relationship Management, Performance Monitoring

Knowledge Statement 2.11


Knowledge of IT supplier selection, contract management, relationship management and
performance monitoring processes including third-party outsourcing relationships.

Explanation:
● With the increasing trend of outsourcing IT infrastructure to third-party service providers, it is vital to know the
latest trends in contracting strategies, processes and contract management practices.
● Outsourcing may also introduce risks.

Main Areas of Coverage:


● Reviewing Contractual Commitments
● Sourcing Practices
● IS Roles and Responsibilities

Reviewing Contractual Commitments

The IS Auditor should be familiar with the Request for Proposal (RFP) process and know what needs to
be reviewed in an RFP. Issues that should be addressed will cover:
● Service levels
● Right to audit or third party audit reporting
● Software escrow
● Penalties for non-compliance
● Adherence to security policies and procedures
● Protection of customer information
● Contract change processes
● Contract termination and any associated penalties

Software Contracts

Software contracts that might be reviewed by an IS auditor include:


● Development of contract requirements and service levels
● Contract bidding process
● Contract acceptance
● Contract maintenance
● Contract compliance

To learn about Enterprise Risk Management (KS 2.12), please refer to the e-learning material.

Governance and Management of IT
Knowledge Statement 2.13

Practices for Monitoring and Reporting of IT Performance

Knowledge Statement 2.13


Knowledge of practices for monitoring and reporting of IT performance (e.g., balanced
scorecards, key performance indicators [KPIs]).
Explanation:
● IT Governance progress must be measured and monitored using effective tools such as balanced scorecards (BSCs),
key performance indicators (KPIs)
● The results provide a clear indication of the capabilities of the organization to meet its objectives
● It also helps to shape the IT Strategy over the long-term

Main Areas of Coverage:


● IT Balanced Scorecard
● Performance Optimization

IT Balanced Scorecard

The IT balanced scorecard (BSC) is a process management evaluation technique that can be applied to
the IT governance process in assessing IT functions and processes. A balanced scorecard measures:
● financial performance;
● customer/user satisfaction;
● internal/operational processes; and
● the ability to learn and innovate.

IT Balanced Scorecard (contd.)

The scorecard aims to:


● facilitate management reporting to the Board;
● foster consensus among key stakeholders about its strategic aims;
● demonstrate its effectiveness and added value; and
● communicate IT performance, risks, and capabilities.

IT Balanced Scorecard (contd.)

The scorecard aims to illustrate the relationship of financial, internal business processes, the
customer and learning and growth in determining a balanced score.

To view an example of an IT Balanced Scorecard, please refer to the e-learning material.

Governance and Management of IT
Knowledge Statement 2.14

IT Management of Human Resources

Knowledge Statement 2.14


Knowledge of IT human resources (personnel) management practices used to invoke the
business continuity plan.
Explanation:
● Automated business processes have created challenges in HR management and in addressing the control gaps that are
created when job roles are combined
● Performance evaluation, compensation plans and succession planning are important
● Understanding of HR issues and assignment of responsibilities as they relate to the development of execution plans

Main Areas of Coverage

The main areas covered in this domain include:


● Human Resource Management
● Organizational Change Management
● Development of Business Continuity Plans
● Other Issues in Plan Development
● Evaluation of Security at Offsite Facility
● Organization and Assignment of Responsibilities

Organizational Change Management

Organizational change management involves use of a defined and documented process to identify
and apply technology improvements.
● The IS department is the focal point for such changes by leading or facilitating change in the
organization.
● Once senior management support is obtained to move forward with the changes or projects, the IS
department can begin working with each functional area and their management to obtain support
for the changes.
● User feedback should be obtained throughout the project, including validation of the business
requirements and training on and testing of the new or changed functionality.

Development of Business Continuity Plans and Consideration of Other issues

The various factors that should be considered when developing business continuity plans are:
● Pre-disaster readiness covering incident response management to address all relevant incidents
affecting business processes
● Procedures for declaring a disaster
● Circumstances under which a disaster should be declared
● Identification of persons responsible for the plan
● The step by step explanation of the recovery process

Evaluation of Security at Offsite Facility

The security of the offsite facility should be evaluated to ensure that it has proper physical and
environmental access controls. These include:
● Limiting user access
● Use of raised floors, humidity controls and temperature controls
● Use of uninterruptible power supply, smoke detectors and fire extinguishers
● Frequent calibration of equipment

Governance and Management of IT
Knowledge Statement 2.15

Business Impact Analysis related to Business Continuity Planning

Knowledge Statement 2.15

Knowledge of Business Impact Analysis (BIA) related to business continuity planning (BCP).

Explanation:
● The IS Auditor should determine whether the BIA and BCP are suitably aligned.
● To be effective and efficient, the BCP should be based on a well-documented BIA.
● The BIA drives the focus of the organization's BCP/disaster recovery planning (DRP) efforts and helps in balancing
the costs to be incurred with the corresponding benefits to the organization.

Main Areas of Coverage:


● Business Impact Analysis

Business Impact Analysis

Business Impact Analysis is a component of a Business Continuity Plan (BCP) and helps in identifying
events that could impact continuity of operations and assessing the impact of these events.

BIA helps an organization to:


● Gain an understanding of priorities and time requirements for the recovery of business functions
● Gather information regarding the organization’s current recovery capabilities.

Business Impact Analysis—Activities, Approval, and Approaches

Activities involved in BIA are:


● Understanding the organization.
● Key business processes
● Roles involved

Approvals required in BIA are from:


● IT personnel
● End users
● Senior management

Approaches of BIA are:


● Questionnaires, interviews, or brainstorming sessions


Business Impact Analysis—Points to Consider

Before performing the business impact analysis, it is important to answer the following questions:
● What are the organization’s business processes?
● What are the critical information resources related to the critical business processes?
● What is the critical recovery time period for information resources in which business processing
must be resumed before significant or unacceptable losses are suffered?

Business Impact Analysis—RTO and RPO

Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are discussed here.
● Recovery Time Objective (RTO): This is the acceptable/allowable downtime in case of a disruption to
operations (it determines the processes and technology used for backup and recovery, e.g., data tapes or
disk).
● Recovery Point Objective (RPO): This is the acceptable/allowable data loss in case of a disruption to
operations (it determines the frequency of backup).
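The two objectives above are easiest to understand as checks against evidence from a real or rehearsed recovery. The following added example (not from the Simplilearn slides or ISACA material) computes the actual data loss from the last good backup, sums the duration of the recovery steps, and compares both against the objectives; it also expresses the rule that with periodic backups the backup interval may not exceed the RPO. The objectives, timestamps and step durations are constructed figures, and the two step tables stand in for the slide's "data tapes or disk" choice.

```python
from datetime import datetime, timedelta

# Constructed sample objectives (not figures from the slide).
RPO = timedelta(hours=4)   # at most 4 hours of data may be lost
RTO = timedelta(hours=8)   # operations must be back within 8 hours

# Constructed sample incident: last successful backup and the moment of disruption.
LAST_BACKUP = datetime(2024, 3, 1, 2, 0)
DISRUPTION = datetime(2024, 3, 1, 5, 30)

# Constructed step durations for two candidate recovery technologies.
TAPE_RECOVERY = {
    "declare_disaster": timedelta(minutes=30),
    "retrieve_and_restore_tapes": timedelta(hours=6),
    "validate_and_resume": timedelta(hours=2),
}
DISK_RECOVERY = {
    "declare_disaster": timedelta(minutes=30),
    "restore_from_disk_replica": timedelta(hours=1, minutes=30),
    "validate_and_resume": timedelta(hours=2),
}


def data_loss(last_backup, disruption):
    """Everything written after the last good backup is lost; that interval is the actual loss."""
    if disruption < last_backup:
        raise ValueError("disruption cannot precede the last backup")
    return disruption - last_backup


def schedule_meets_rpo(backup_interval, rpo):
    """With periodic backups the worst case is a failure just before the next run,
    so the loss can be a full interval: backups must run at least every RPO."""
    return backup_interval <= rpo


def recovery_time(steps):
    """Sequential recovery steps add up; parallel steps would need a critical-path model instead."""
    return sum(steps.values(), timedelta())


def assess(last_backup, disruption, rpo, steps, rto):
    """Compare observed loss and recovery duration against the stated objectives."""
    loss = data_loss(last_backup, disruption)
    elapsed = recovery_time(steps)
    return {
        "data_loss": loss,
        "rpo_met": loss <= rpo,
        "recovery_time": elapsed,
        "rto_met": elapsed <= rto,
    }


if __name__ == "__main__":
    for name, steps in (("tape", TAPE_RECOVERY), ("disk", DISK_RECOVERY)):
        result = assess(LAST_BACKUP, DISRUPTION, RPO, steps, RTO)
        print(name, result)
```

With the constructed figures the RPO is met either way (3.5 hours of loss against a 4-hour objective), but tape restore takes 8.5 hours and misses the 8-hour RTO while the disk replica recovers in 4 hours. That is the slide's point in numbers: the RTO decides which recovery technology is acceptable, and the RPO decides how often backups must run.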

Disruption Cost Vs. Recovery Costs

The diagram shows the relationship between Disruption costs and Recovery costs.
● The two should be balanced to attain an optimal level of protection of key information assets, that
is, to obtain an optimal RPO and RTO.



Disruption Cost Vs. Recovery Costs (contd.)

If the business continuity strategy aims at a longer recovery time, it will be less expensive than a more
stringent requirement, but may be more susceptible to downtime costs spiraling out of control.
● Downtime cost of the disaster in the short run (e.g., hours, days, weeks), grows quickly with time,
where the impact of a disruption increases the longer it lasts.
● At a certain moment, it stops growing, reflecting the moment or point when the business can no
longer function.



Disruption Cost Vs. Recovery Costs (contd.)

● The cost of downtime increases with time. It has many components (depending on the industry
and the specific company and circumstances), such as:
o cost of idle resources (e.g., in production),
o drop in sales (e.g., orders),
o financial costs (e.g., not invoicing nor collecting),
o delays (e.g., procurement), and
o indirect costs (e.g., loss of market share, image, and goodwill).
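As an added worked example (not part of the Simplilearn deck), the cost balance described above in Python: downtime cost grows with the duration of the disruption and stops growing at the point where the business can no longer function, each recovery option buys a shorter RTO and RPO at a higher standing cost, and the option with the lowest expected annual total is the one with the optimal RTO and RPO. All cost figures, option names and the disruption frequency are constructed for illustration.

```python
# Added example (not from the deck): choosing the RTO/RPO that balances
# disruption cost against recovery cost. Every figure is constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class DowntimeProfile:
    """How the cost of an outage grows with its duration (constructed model)."""
    hourly_rate: float      # idle resources + lost sales + financial + delays, per hour
    escalation: float       # extra cost per hour squared: impact grows the longer it lasts
    failure_point_h: float  # after this many hours the business can no longer function

    def cost(self, hours: float) -> float:
        # Grows quickly with time, then stops growing at the failure point.
        t = min(hours, self.failure_point_h)
        return self.hourly_rate * t + self.escalation * t * t

@dataclass(frozen=True)
class RecoveryOption:
    """A recovery strategy and the RTO/RPO it can deliver (constructed values)."""
    name: str
    rto_h: float        # downtime the option allows (RTO)
    rpo_h: float        # data loss the option allows, as hours of lost work (RPO)
    annual_cost: float  # cost of maintaining the capability per year

def expected_annual_cost(opt: RecoveryOption, profile: DowntimeProfile,
                         data_value_per_h: float, disruptions_per_year: float) -> float:
    """Recovery cost plus the expected disruption cost at the option's RTO and RPO."""
    per_event = profile.cost(opt.rto_h) + opt.rpo_h * data_value_per_h
    return opt.annual_cost + disruptions_per_year * per_event

def choose_option(options, profile, data_value_per_h, disruptions_per_year):
    """The option minimising the total is the one with the optimal RTO and RPO."""
    return min(options, key=lambda o: expected_annual_cost(
        o, profile, data_value_per_h, disruptions_per_year))

# Constructed sample: a longer RTO is cheaper to provide but costs more per outage.
PROFILE = DowntimeProfile(hourly_rate=10_000, escalation=500, failure_point_h=72)
OPTIONS = [
    RecoveryOption("hot site", rto_h=1, rpo_h=0.25, annual_cost=600_000),
    RecoveryOption("warm site", rto_h=4, rpo_h=1, annual_cost=250_000),
    RecoveryOption("cold site", rto_h=24, rpo_h=24, annual_cost=80_000),
    RecoveryOption("tape restore", rto_h=72, rpo_h=24, annual_cost=20_000),
]
DATA_VALUE_PER_H = 4_000    # constructed value of one hour of lost transactions
DISRUPTIONS_PER_YEAR = 0.5  # constructed: one serious outage every two years

if __name__ == "__main__":
    for o in OPTIONS:
        total = expected_annual_cost(o, PROFILE, DATA_VALUE_PER_H, DISRUPTIONS_PER_YEAR)
        print(f"{o.name:12} RTO {o.rto_h:>4}h RPO {o.rpo_h:>5}h -> {total:>12,.0f}")
    print("optimal:", choose_option(OPTIONS, PROFILE, DATA_VALUE_PER_H, DISRUPTIONS_PER_YEAR).name)
```

With these figures the hot site is over-insured and the cold site and tape restore are under-insured; the warm site gives the lowest expected annual total.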



Governance and Management of IT
Knowledge Statement 2.16



Business Continuity Plan (BCP)

Knowledge Statement 2.16


Knowledge of the standards and procedures for the development and maintenance of the
business continuity plan (BCP) and testing methods.

Explanation:
● The IS Auditor needs to understand the life cycle of BCP/DRP plan development and maintenance
and the types of BCP tests, factors to consider when choosing the appropriate test scope, methods
for observing recovery tests and analyzing test results.



Main Areas of Coverage

The main areas covered in this domain include:


● IS Business Continuity Planning
● Business Continuity Planning Process
● Business Continuity Policy
● Business Continuity Planning Incident Management
● Development of Business Continuity Plans
● Other Issues in Plan Development
● Components of a Business Continuity Plan
● Plan Testing



Components of an Effective BCP

The components of a Business Continuity Plan depend on organization size and requirements. It may
include:
● Business resumption plan
● Continuity of operations plan
● Continuity of support plan
● Crisis communication plan
● Incident response plan
● Disaster recovery plan
● Occupant emergency plan



Components to be Agreed Upon

The components that require agreeing on:


● Governing policies
● Goals/requirements/product
● Alternative facilities
● Critical IS resources to deploy
● Data and systems
● Staff required/responsible for recovery tasks
● Key decision making personnel
● Resources to support deployment
● Backup of required supplies, other personnel
● Schedule of prioritized activities
Business Continuity Plan Testing

BCP testing involves:


● Testing the developed plans helps determine whether they work and identifies areas that need
improvement.
● Specifications such as the objective and scope of the test, test execution, and pre-test.
● Actual testing of the plan by paper test, preparedness test, or full operational test, and the post-test.
● Documentation of test results, which includes documenting observations, problems, and resolutions to
facilitate actual recovery in a real disaster.
● Analysis of the results obtained against specifications set in time, amount, count, and accuracy.



Business Continuity Plan Test Execution

BCP test can be executed by conducting pre-test, actual test, and post-test.
● Pre-test: The set of actions necessary to set the stage for the actual test. This ranges from placing
tables in the proper operations recovery area to transporting and installing backup telephone
equipment.
● Actual test: This is the real action of the business continuity test.

o Actual operational activities are executed to test the specific objectives of the BCP.

o This is the actual test of preparedness to respond to an emergency.



Business Continuity Plan—Post-Test

The BCP Post-test stage refers to the cleanup of group activities.


● This stage comprises assignments ensuring all resources are in their previous state.
● It also includes formally evaluating the plan and implementing indicated improvements.



Types of BCP Tests

There are three types of Business Continuity Plan tests.

Desk-Based Evaluation or Paper Test

This is a walk-through of the plan, involving the key players in the plan's implementation who reason out
what might happen in a specific type of service outage. They may walk through the entire plan or just
a portion.

Preparedness Test

It is a limited form of the full test, whereby actual resources are used in the replication of a system
outage. It is performed frequently on diverse elements of the plan, may be a cost-effective way of testing
a DRP, and enables incremental improvements.

Full Operational Test

This is one step away from an actual service disruption. The organization should have tested the
plan well on paper and locally before endeavoring to completely shut down operations. For purposes of
the BCP testing, this is the disaster.



Domain Two Exam Quick Pointers

1. A bottom-up approach to the development of organizational policies is often driven by risk
assessment.
2. An IS Auditor’s primary responsibility is to advise senior management of the risk involved in not
implementing proper segregation of duties, such as having the system analyst/programmer do
system administration.
3. Data and systems owners are accountable for maintaining appropriate security measures over
information assets.
4. Business unit management is responsible for implementing cost-effective controls in an automated
system.



Domain Two Exam Quick Pointers (contd.)

5. Proper segregation of duties prohibits a system analyst from performing quality assurance
functions (it is difficult for us to poke holes in our own work).
6. The primary reason an IS Auditor reviews an organization chart is to better understand the
responsibilities and authority of individuals.
7. If an IS auditor observes that project-approval procedures do not exist, the IS auditor should
recommend to management that formal approval procedures be adopted and documented.
8. Ensuring that security and control policies support business and IT objectives is a primary
objective of an IT security policies audit.
9. The board of directors is ultimately accountable for developing an IS security policy.



Domain Two Exam Quick Pointers (contd.)

10. When auditing third-party service providers, an auditor should be concerned with ownership of
program and files, a statement of due care and confidentiality, and the capability for continued
service of the service provider in the occurrence of a disaster.
11. Proper Segregation of Duties (SoD) normally prohibits a LAN administrator from having
programming responsibilities.
12. When performing an IS Strategy audit, an IS Auditor should review both short-term (one-year)
and long-term (three- to five-year) IS Strategies, interview corporate management personnel, and
ensure that the external environment has been considered. The auditor should not focus on
procedures in an audit of IS Strategy.



Domain Two Exam Quick Pointers (contd.)

14. Business Impact Analysis (BIA) is an exercise that allows an organization to understand the cost of
interruption and identify which applications and processes are most critical to the continued
functioning of the organization (done by setting RPOs and RTOs).
15. Recovery Time Objective (RTO) is the acceptable/allowable downtime in case of a disruption to
operations (determines the processes and technology used for backup and recovery, e.g., data tapes
or disk).
16. Recovery Point Objective (RPO) is the acceptable/allowable data loss in case of a disruption to
operations (determines the frequency of backup).



Domain Two Exam Quick Pointers (contd.)

17. Above all else, an IS strategy must support the business objectives of the organization.
18. IS assessment methods enable IS management to determine whether the activities of the
organization differ from the planned or expected levels.
19. Batch control reconciliations are a compensating control for mitigating inadequate segregation of
duties.
20. The client’s business plan should be reviewed before the organization’s IT strategic plan is
reviewed.
21. Allowing the programmers to directly patch or change code in production programs increases the
risk of fraud.



Quiz





QUIZ
To support an organization's goals, an IS department should have

a. a leading-edge technology.

b. plans to acquire new hardware and software.

c. a low-cost philosophy.

d. long- and short-range plans.

Answer: d.
Explanation: To ensure its contribution to the realization of an organization's overall goals,
the IS department should have long- and short-range plans that are consistent with the
organization's broader plans for attaining its goals.




QUIZ 2
Which of the following is the BEST information source for management to use as an aid
in the identification of assets that are subject to laws and regulations?

a. Security incident summaries

b. Vendor best practices

c. CERT coordination center

d. Significant contracts

Answer: d.
Explanation: Contractual requirements are one of the sources that should be consulted to
identify the requirement for management of information assets.




QUIZ 3
An IS auditor is reviewing a contract management process to determine the financial
viability of a software vendor for a critical business application. The IS auditor should
determine whether the vendor being considered:

a. Can deliver on the immediate contract

b. Is of similar financial standing as the organization

c. Has significant financial obligations that can impose liability to the organization

d. Can support the organization in the long term

Answer: d.
Explanation: The long-term viability of a vendor is essential for deriving maximum value for
the organization. It is more likely that a financially sound vendor would be in business for a
long period of time.




QUIZ 4
An organization having a number of offices across a wide geographical area has developed a disaster
recovery plan. Using actual resources, which of the following is the MOST cost-effective test of the
disaster recovery plan?

a. Full operational test

b. Preparedness test

c. Paper test

d. Regression test

Answer: b.
Explanation: A preparedness test is performed by each local office to test the adequacy of
the preparedness for disaster recovery.




QUIZ 5
Which of the following is the MOST important action in recovering from a cyber-attack?

a. Creating an incident response team

b. Using cyber-forensic investigators

c. Executing a business continuity plan

d. Filing an insurance claim

Answer: c.
Explanation: The most important key step in recovering from cyber-attacks is the execution
of a business continuity plan to quickly and cost-effectively recover critical systems,
processes and data.


Summary

Here is a quick recap of what we have learned in this domain:
● An objective of corporate governance is to resolve the conflicting objectives of exploiting available
opportunities to increase stakeholder value while keeping the organization’s operations within the limits.
● IT governance is the responsibility of the board of directors and executive management.
● Governance of enterprise IT is a governance view that ensures that information and related technology
support and enable the enterprise strategy and the achievement of enterprise objectives.
● An IT strategy committee monitors IT value, risks and performance and provides information to the
board to support decision making on IT strategies.



Summary

Here is a quick recap of what we have learned in this domain:
● IT governance encompasses minimizing IT risks to the organization.
● Risks are measured using a qualitative analysis (defining risks in terms of high/medium/low);
semi-qualitative analysis (defining risks according to a numeric scale) or quantitative analysis (applying
several values to risk, including financial, and calculating the risk’s probability and impact).
outweigh the costs.
● The purpose of segregation (or separation) of duties is to prevent fraud and error by splitting tasks
and authority to accomplish a process among multiple employees or managers.



This concludes the domain on IT Governance and Management.

The next domain covers IS acquisition, development, and implementation.
