-
Corporate Governance
The system by which business corporations are directed and controlled. Set of responsibilities used by management to provide strategic direction.
-
Governance of Enterprise IT (GEIT)
Stewardship of IT resources on behalf of the stakeholders. Directs IT to ensure that IT performance meets the objective of aligning IT with the enterprise's objectives.
-
Aspects of GEIT that need to be assessed by the IS auditor
- How enterprise governance and GEIT are aligned
- Alignment of the IS function with the org's mission, vision, values, objectives and strategies
- Achievement of performance objectives
- Legal, environmental and other requirements
- Control environment of the org
- Inherent risk within the IS environment
- IT investment/expenditure
-
Elements of Balanced Score Card (BSC)
- Mission
- Strategies
- Measure
- Sources
-
Basic outcomes of effective security governance
- Strategic alignment
- Risk Management Compliance
- Value Delivery
-
Enterprise Architecture (EA)
Documenting an org's IT assets in a structured manner to facilitate understanding, management and planning for IT investments.
-
COBIT Process Assessment Model (PAM)
Reference for capability assessments of an organization's current IT processes. Defines the minimum set of requirements for conducting an assessment to ensure that outputs are consistent, repeatable and representative of the processes assessed.
-
IDEAL Model
Software process improvement (SPI) program model. Guides enterprises in planning and implementing effective software process improvement programs.
-
Five phases of the IDEAL model
- Initiating
- Diagnosing
- Establishing
- Acting
- Learning
- (IDEAL)
-
Key governance practices in the COBIT 5 EDM02 Ensure Benefits Delivery Process
- Evaluate value optimization
- Direct value optimization
- Monitor value optimization
-
Advantage of IT Portfolio Management over BSC
Agility in adjusting investments. The BSC does not include oversight and control of budgets among its goals.
-
Risk Management
Process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives and deciding what countermeasures to take in reducing risk.
-
Risk strategies
- Avoid
- Mitigate
- Transfer
- Accept
-
Developing a risk management plan
- Establish the purpose of the risk management plan
- Assign responsibility for the risk management plan
-
COBIT 5 APO12 Manage Risk practices
- Collect data
- Analyze risk
- Maintain a risk profile
- Articulate risk
- Define a risk management action portfolio
- Respond to risk
-
What is an impact as it relates to threats?
The result of a threat agent exploiting a vulnerability
-
Risk calculation
Probability of occurrence × Magnitude of impact
-
Qualitative Analysis Method - Risk management
Uses words or descriptive rankings to describe the impacts or likelihood (high, medium, low)
-
Semi-quantitative Analysis Methods - Risk management
The descriptive rankings are associated with a numeric scale
-
Quantitative Analysis Methods - Risk Management
Uses numeric values to describe the likelihood and impacts of risk
-
Service Level Agreement (SLA)
Stipulates and commits a vendor to a required level of service and support options
-
Risks and audit concerns with globalization
- Legal, regulatory and tax issues
- Continuity of operations
- Personnel
- Telecommunication issues
- Cross-border and cross-cultural issues
-
Statement on Standards for Attestation Engagements (SSAE) 16 / SOC 1 Reports
Focuses on the controls at a service organization that are likely to be relevant to an audit of a user entity's financial statements.
-
Infrastructure as a Service (IaaS)
Capability to provision processing, storage, networks, and other fundamental computing resources
-
Platform as a Service (PaaS)
Capability to deploy onto the cloud infrastructure customer-created or acquired applications created using programming languages and tools supported by the provider
-
Software as a Service (SaaS)
Capability to use the provider's applications running on cloud infrastructure (web interface)
-
Private Cloud
- Operated solely for an org
- Minimum risk; may not scale
-
Community cloud
- Shared by several orgs with a specific community of interest
- Minimum risk; may not scale
- Data may be stored w/ competitor data
-
Public cloud
- Made available to the general public or large industry group
- Minimum risk; may not scale
- Data may be stored w/ competitor data
- Data may be stored in unknown location
- Data may be hard to retrieve
-
Hybrid cloud
- Composition of two or more clouds that remain unique entities but are bound by technology
- Aggregate risk of merging different deployment models
-
Cloud Computing characteristics
- On-demand self-service
- Broad network access
- Resource pooling
- Rapid elasticity
- Measured service
-
PDCA Continuous improvement methodology
- Plan - establish objectives and processes
- Do - implement
- Check - study results
- Act - corrective action
-
IT Business Score Card (BSC)
- Measures:
  - Customer/user satisfaction
  - Internal (operational) process
  - Ability to innovate
-
Key Performance Indicator (KPI)
Measure that determines how well the process is performing in enabling the goal to be reached
-
Benchmarking
Systematic approach to comparing enterprise performance against peers and competitors in an effort to learn the best ways of conducting business
-
Business Process Re-engineering
Thorough analysis and significant redesign of business processes and management systems to establish a better performing structure
-
Duties that should be segregated
- Custody of assets
- Authorization
- Recording transactions
-
Compensating controls for lack of segregation of duties
- Audit trails
- Reconciliation
- Exception reporting
- Transaction logs
- Supervisory reviews
- Independent reviews
-
Key Difference between the IT Strategy Committee and IT Steering Committee
The IT Strategy Committee operates at a higher level; the IT Steering Committee is focused on day-to-day operations and projects
-
Software Escrow
Legal agreement between a software vendor and a customer to guarantee access to the source code in the event the vendor goes out of business.