The system by which business corporations are directed and controlled. Set of responsibilities used by management to provide strategic direction.
Governance of Enterprise IT (GEIT)
Stewardship of IT resources on behalf of the stakeholders. Directs IT so that IT performance meets the objective of aligning IT with the enterprise's objectives.
Aspects of GEIT that need to be assessed by the IS auditor
How enterprise governance and GEIT are aligned
Alignment of the IS function with the organization's mission, vision, values, objectives and strategies
Achievement of performance objectives
Legal, environmental and other requirements
Control environment of org
Inherent risk within the IS environment
Elements of Balanced Score Card (BSC)
Basic outcomes of effective security governance
Risk management; compliance
Enterprise Architecture (EA)
Documenting an org's IT assets in a structured manner to facilitate understanding, management and planning for IT investments.
COBIT Process Assessment Model (PAM)
Reference for capability assessments of an organization's current IT processes. Defines the minimum set of requirements for conducting an assessment to ensure that outputs are consistent, repeatable and representative of the processes assessed.
Software process improvement (SPI) program model. Guides enterprises in planning and implementing effective software process improvement programs.
Five phases of the IDEAL model
Key governance practices in the COBIT 5 EDM02 Ensure Benefits Delivery Process
Evaluate value optimization
Direct value optimization
Monitor value optimization
Advantage of IT Portfolio Management over BSC
Agility in adjusting investments. The BSC does not include oversight and control of budgets among its goals.
Process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives and deciding what countermeasures to take in reducing risk.
Developing a risk management plan
Establish the purpose of the risk management plan
Assign responsibility for the risk management plan
COBIT 5 APO12 Manage Risk practices
Maintain a risk profile
Define a risk management action portfolio
Respond to risk
What is an impact as it relates to threats?
The result of a threat agent exploiting a vulnerability
Probability of occurrence × magnitude of impact
Qualitative Analysis Method - Risk management
Uses words or descriptive rankings to describe the impacts or likelihood (high, medium, low)