CISA Section 2

  1. Corporate Governance
    The system by which business corporations are directed and controlled. The set of responsibilities and practices exercised by the board and executive management to provide strategic direction, ensure objectives are achieved, manage risk appropriately and verify that enterprise resources are used responsibly.
  2. Governance of Enterprise IT (GEIT)
    Stewardship of IT resources on behalf of the stakeholders. Directs IT so that IT performance meets the objective of aligning IT with the enterprise's objectives.
  3. Aspects of GEIT that need to be assessed by the IS auditor
    • How enterprise governance and GEIT are aligned
    • Alignment of the IS function with the organization's mission, vision, values, objectives and strategies
    • Achievement of performance objectives
    • Legal, environmental, information quality, fiduciary, security and privacy requirements
    • Control environment of the organization
    • Inherent risk within the IS environment
    • IT investment and expenditure
  4. Elements of Balanced Score Card (BSC)
    • Mission
    • Strategies
    • Measure
    • Sources
  5. Basic outcomes of effective security governance
    • Strategic alignment
    • Risk management
    • Value delivery
  6. Enterprise Architecture (EA)
    Documenting an org's IT assets in a structured manner to facilitate understanding, management and planning for IT investments.
  7. COBIT Process Assessment Model (PAM)
    Reference for capability assessments of an organization's current IT processes. Defines the minimum set of requirements for conducting an assessment so that outputs are consistent, repeatable and representative of the processes assessed.
  8. IDEAL Model
    Software process improvement (SPI) program model. Guides enterprises in planning and implementing effective software process improvement programs.
  9. Five phases of the IDEAL model
    • Initiating 
    • Diagnosing
    • Establishing
    • Acting
    • Learning 
    • (Mnemonic: the initials spell IDEAL)
  10. Key governance practices in the COBIT 5 EDM02 Ensure Benefits Delivery Process
    • Evaluate value optimization
    • Direct value opt
    • Monitor value opt
  11. Advantage of IT Portfolio Management over BSC
    Agility in adjusting investments. Portfolio management also provides oversight and control of budgets, which the BSC does not include among its goals.
  12. Risk Management
    Process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives and deciding what countermeasures to take in reducing risk.
  13. Risk strategies
    • Avoid
    • Mitigate 
    • Transfer
    • Accept
  14. Developing a risk management plan
    • Establish the purpose of the risk management plan
    • Assign responsibility for the risk management plan
  15. COBIT 5 APO12 Manage Risk practices
    • Collect data
    • Analyze risk
    • Maintain a risk profile
    • Articulate risk
    • Define a risk management action portfolio
    • Respond to risk
  16. What is an impact as it relates to threats?
    The result of a threat agent exploiting a vulnerability
  17. Risk calculation
    Probability of occurrence × magnitude of impact
  18. Qualitative Analysis Method - Risk management
    Uses words or descriptive rankings to describe impact or likelihood (high, medium, low)
  19. Semi-quantitative Analysis Method - Risk management
    The descriptive rankings are associated with a numeric scale
  20. Quantitative Analysis Method - Risk management
    Uses numeric values (e.g., probabilities and monetary loss) to describe the likelihood and impact of risk
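Cards 17 to 20 define the risk formula and three ways of scoring its inputs. The example below, added here and not part of the original card set, scores one constructed risk register all three ways so the difference is visible: the qualitative matrix, the semi-quantitative ordinal scale and the quantitative (probability × monetary impact) calculation can rank the same risks differently, and two risks that tie on an ordinal scale can differ by an order of magnitude in money terms. The register entries, the 1-3 scale and the dollar figures are constructed assumptions.

```python
"""Risk scoring three ways over one constructed risk register.

Added example, not from the original flashcard set. The register, the
1-3 ordinal scale and the monetary figures are constructed for illustration.
"""
from dataclasses import dataclass

# Semi-quantitative scale: descriptive ranking -> ordinal number (assumed 1-3 scale)
RANK = {"low": 1, "med": 2, "high": 3}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str            # qualitative ranking: low / med / high
    impact: str                # qualitative ranking: low / med / high
    annual_probability: float  # quantitative: expected occurrences per year
    loss_per_event: float      # quantitative: monetary loss from one occurrence


# Constructed register; figures are illustrative, not measured data.
REGISTER = [
    Risk("ransomware on file server", "med", "high", 0.2, 500_000),
    Risk("laptop theft", "high", "low", 2.0, 3_000),
    Risk("cloud provider outage", "med", "med", 0.5, 40_000),
    Risk("insider payment fraud", "low", "high", 0.05, 900_000),
]


def qualitative(risk):
    """Qualitative: words in, words out. A 3x3 matrix lookup with no arithmetic;
    cells not listed fall to 'med' (an assumed house rule)."""
    matrix = {
        ("high", "high"): "high", ("high", "med"): "high", ("med", "high"): "high",
        ("low", "low"): "low", ("low", "med"): "low", ("med", "low"): "low",
    }
    return matrix.get((risk.likelihood, risk.impact), "med")


def qualitative_score(risk):
    """Ordinal view of the qualitative result, only so the list can be sorted."""
    return RANK[qualitative(risk)]


def semi_quantitative(risk):
    """Semi-quantitative: rankings mapped onto the numeric scale, then
    probability x magnitude. The product orders risks; it is not a quantity
    you can add across risks or convert to money."""
    return RANK[risk.likelihood] * RANK[risk.impact]


def quantitative(risk):
    """Quantitative: probability of occurrence x magnitude of impact, here
    annualized expected loss in currency units."""
    return risk.annual_probability * risk.loss_per_event


def ranked(register, score):
    """Names ordered from highest to lowest score under the given method."""
    return [r.name for r in sorted(register, key=score, reverse=True)]


if __name__ == "__main__":
    for label, score in (("qualitative", qualitative_score),
                         ("semi-quantitative", semi_quantitative),
                         ("quantitative", quantitative)):
        print(f"{label:18}", ranked(REGISTER, score))
    # Same ordinal score, very different money: the caveat on ordinal arithmetic.
    for r in (REGISTER[1], REGISTER[3]):
        print(f"{r.name:28} semi={semi_quantitative(r)} quant={quantitative(r):,.0f}")
```

The point to carry into an audit: semi-quantitative scores are rankings, so comparing or summing them as if they were losses is a common misuse, and an auditor should ask which method produced the numbers in a risk register before relying on them.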
  21. Service Level Agreement (SLA)
    Stipulates and commits a vendor to a required level of service and support options
  22. Risks and audit concerns with globalization
    • Legal, regulatory and tax issues
    • Continuity of operations 
    • Personnel
    • Telecommunication issues
    • Cross-border and cross-cultural issues
  23. Statement on Standards for Attestation Engagements (SSAE) 16 / SOC 1 Reports
    Focus on the controls at a service organization that are likely to be relevant to an audit of a user entity's financial statements. (SSAE 16 has since been superseded by SSAE 18; the SOC 1 report type remains.)
  24. Infrastructure as a Service (IaaS)
    Capability to provision processing, storage, networks, and other fundamental computing resources
  25. Platform as a Service (PaaS)
    Capability to deploy onto the cloud infrastructure customer-created or acquired applications created using programming languages and tools supported by the provider
  26. Software as a Service (SaaS)
    Capability to use the provider's applications running on cloud infrastructure (web interface)
  27. Private Cloud
    • Operated solely for one organization
    • Lowest risk of the deployment models, but may not scale
  28. Community cloud
    • Shared by several organizations that form a specific community
    • Same risk profile as a private cloud (may not scale), plus:
    • Data may be stored with competitor data
  29. Public cloud
    • Made available to the general public or a large industry group
    • Same risk profile as a community cloud (data may be stored with competitor data), plus:
    • Data may be stored in an unknown location
    • Data may be hard to retrieve
  30. Hybrid cloud
    • Composition of two or more clouds that remain unique entities but are bound together by technology that enables data and application portability
    • Aggregate risk of merging the different deployment models
  31. Cloud Computing characteristics
    • On-demand self-service
    • Broad network access
    • Resource pooling
    • Rapid elasticity
    • Measured service
  32. PDCA Continuous improvement methodology
    • Plan - establish objectives and processes
    • Do - implement the processes
    • Check - measure and study the results
    • Act - take corrective action
  33. IT Balanced Scorecard (IT BSC)
    Measures:
    • Customer/user satisfaction
    • Internal (operational) processes
    • Ability to innovate
  34. Key Performance Indicator (KPI)
    Measure that determines how well the process is performing in enabling the goal to be reached
  35. Benchmarking
    Systematic approach to comparing enterprise performance against peers and competitors in an effort to learn the best ways of conducting business
  36. Business Process Re-engineering
    Thorough analysis and significant redesign of business processes and management systems to establish a better performing structure
  37. Duties that should be segregated
    • Custody of assets
    • Authorization 
    • Recording transactions
  38. Compensating controls for lack of segregation of duties
    • Audit trails
    • Reconciliation
    • Exception reporting
    • Transaction logs
    • Supervisory reviews
    • Independent reviews
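Cards 37 and 38 are the basis of the segregation-of-duties checks that identity governance tooling runs over role assignments. The example below is added here and is not part of the original card set: it resolves each user's effective duty classes through nested roles, flags any user holding two of the three classes (custody, authorization, recording) in one pair of hands, and reports whether a compensating control is documented for that conflict. The role model, users and compensating-control register are constructed assumptions.

```python
"""Segregation-of-duties check over a role model.

Added example, not from the original flashcard set. The roles, role nesting,
users and compensating-control register below are constructed; the three
duty classes are the ones the card lists (custody, authorization, recording).
"""
from itertools import combinations

DUTIES = {"custody", "authorization", "recording"}
# Any two of the three classes held by one person is a conflict.
CONFLICTS = {frozenset(pair) for pair in combinations(sorted(DUTIES), 2)}

# Constructed role model: role -> duty classes it grants directly.
ROLE_DUTIES = {
    "ap_clerk": {"recording"},          # enters vendor invoices
    "ap_approver": {"authorization"},   # approves payment runs
    "treasury": {"custody"},            # releases funds from the bank account
    "ap_supervisor": set(),             # grants nothing directly, inherits below
}
# Role nesting: a role inherits everything its parent roles grant.
ROLE_PARENTS = {"ap_supervisor": {"ap_clerk", "ap_approver"}}

USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob": {"ap_approver", "treasury"},
    "carol": {"ap_supervisor"},
}

# Constructed compensating-control register: (user, conflict) -> control.
COMPENSATING = {
    ("bob", frozenset({"authorization", "custody"})):
        "weekly independent bank reconciliation",
}


def effective_duties(role, seen=None):
    """Duty classes a role grants, following nested roles (cycle-safe)."""
    if seen is None:
        seen = set()
    if role in seen:
        return set()
    seen.add(role)
    duties = set(ROLE_DUTIES.get(role, set()))
    for parent in ROLE_PARENTS.get(role, set()):
        duties |= effective_duties(parent, seen)
    return duties


def user_duties(user):
    """Union of effective duties across all roles assigned to the user."""
    duties = set()
    for role in USER_ROLES.get(user, set()):
        duties |= effective_duties(role)
    return duties


def sod_violations(users=USER_ROLES):
    """{user: [(conflict, compensating control or None), ...]} for users
    whose effective duties contain a conflicting pair."""
    report = {}
    for user in users:
        held = user_duties(user)
        found = [(c, COMPENSATING.get((user, c)))
                 for c in sorted(CONFLICTS, key=sorted) if c <= held]
        if found:
            report[user] = found
    return report


def uncompensated(report):
    """Conflicts with no documented compensating control: the audit findings."""
    return {user: [c for c, ctl in items if ctl is None]
            for user, items in report.items()
            if any(ctl is None for _, ctl in items)}


if __name__ == "__main__":
    report = sod_violations()
    for user, items in report.items():
        for conflict, control in items:
            print(f"{user}: {'+'.join(sorted(conflict))} -> "
                  f"{control or 'NO COMPENSATING CONTROL'}")
    print("findings:", uncompensated(report))
```

The role-nesting step is the part that matters in practice: carol holds no conflicting duty directly, only through a supervisor role that inherits both the clerk and approver roles, which is exactly the kind of assignment a review of direct grants misses. Conflicts that do have a documented control (bob) still belong in the report, since the auditor must then test that the control (here a reconciliation) actually operates.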
  39. Key Difference between the IT Strategy Committee and IT Steering Committee
    The IT strategy committee operates at board level and advises on IT strategy and alignment; the IT steering committee is made up of executive management and focuses on implementation: approving and prioritizing projects, allocating resources and monitoring project status.
  40. Software Escrow
    Legal agreement between a software vendor and a customer that guarantees the customer access to the source code in the event the vendor goes out of business. The auditor should verify that the escrowed code is kept current with the deployed version; stale escrow gives no real protection.
Author: Anonymous
ID: 285655
Card Set: CISA Section 2
Description: Governance and Management of IT