CISA++ - Chapter 2 Flashcards
Why is an IT governance framework important?
?
Manages IT risks
Improves decision-making
Enhances accountability
Facilitates compliance
Aligns IT with business goals: Ensures technology supports the company’s strategic objectives.
Why is an IT governance framework important?
Aligns IT with business goals
?
Improves decision-making
Enhances accountability
Facilitates compliance
Manages IT risks: Identifies and addresses potential threats to IT systems.
Why is an IT governance framework important?
Aligns IT with business goals
Manages IT risks
?
Enhances accountability
Facilitates compliance
Improves decision-making: Provides a structured approach to IT investments and resource allocation.
Why is an IT governance framework important?
Aligns IT with business goals
Manages IT risks
Improves decision-making
?
Facilitates compliance
Enhances accountability: Defines roles and responsibilities for IT management.
Why is an IT governance framework important?
Aligns IT with business goals
Manages IT risks
Improves decision-making
Enhances accountability
?
Facilitates compliance: Helps meet industry regulations and standards.
What is an IT governance framework?
System that enables the stewardship of IT resources and keeps the organization on track.
Think of a governor of a state :D
What is IT Risk Management?
The process of identifying, assessing, and controlling risks to an organization’s information technology (IT) infrastructure.
IT Risk Management is important in 3 major areas:
Protecting critical assets
Supporting business objectives
?
Compliance
What is an IS auditor’s role when it comes to an IT governance framework and IT risk management practices?
Provide recommendations to senior management and provide qualitative assessments on improving GEIT initiatives.
Gotta talk to the big bosses!
Why is IT Risk Management important with regards to critical assets?
It safeguards critical assets like sensitive data, systems, and networks from threats like cyberattacks, natural disasters, and human error.
Why is IT Risk Management important with regards to business objectives?
It supports business objectives by ensuring IT aligns with business goals while mitigating risks that could hinder operations.
Why is IT Risk Management important with regards to compliance?
Compliance: Helps organizations adhere to industry regulations and standards.
IT Risk Management is important in 3 major areas:
?
Supporting business objectives
Compliance
Protecting critical assets
IT Risk Management is important in 3 major areas:
Protecting critical assets
?
Compliance
Supporting business objectives
How should an IS auditor handle undefined responsibilities regarding IT management and governance roles?
- Document the Finding
- ?
- Recommend a solution
- Follow-up
Assess the Risk: Determine the level of risk associated with the undefined roles. This includes evaluating the potential for errors, inefficiencies, or security breaches.
How should an IS auditor handle undefined responsibilities regarding IT management and governance roles?
- ?
- Assess the Risk
- Recommend a solution
- Follow-up
Document the Finding: Clearly outline the specific roles and responsibilities that are undefined and the potential impact on IT governance and operations.
How should an IS auditor handle undefined responsibilities regarding IT management and governance roles?
- Document the Finding
- Assess the Risk
- ?
- Follow-up
Recommend a Solution: Propose clear recommendations to address the issue.
How should an IS auditor handle undefined responsibilities regarding IT management and governance roles?
- Document the Finding
- Assess the Risk
- Recommend a solution
- ?
Follow-up: Monitor the organization’s progress in addressing the issue and provide additional guidance if necessary.
What does an IT manager do?
IT Manager: Oversees day-to-day IT operations, manages IT staff, and ensures IT services are delivered efficiently.
What does a Network Engineer do?
Network Engineer: Manages and maintains the organization’s network infrastructure.
What does a System Administrator do?
System Administrator: Manages and supports computer systems and servers.
What does a Database Administrator (DBA) do?
Database Administrator (DBA): Manages and maintains databases.
What does a Software Developer do?
Software Developer: Designs, develops, and tests software applications.
What does a Web Developer do?
Web Developer: Creates and maintains websites and web applications.
What does a Systems Analyst do?
Systems Analyst: Analyzes business requirements and designs IT solutions.
What does an IT Project Manager do?
IT Project Manager: Plans, executes, and closes IT projects.
What does an Information Security Officer (ISO) do?
Information Security Officer (ISO): Develops and implements information security policies and procedures.
What does a Security Analyst do?
Security Analyst: Monitors for security threats and incidents.
Why is it concerning for individuals to serve in multiple roles under the IT function?
Some regulations require clear segregation of duties to prevent fraud or errors.
Which are the most concerning roles for one individual to concurrently have under the IT function and why?
The most concerning role overlap in IT is between security and development functions. This combination can lead to vulnerabilities and exploits that compromise system integrity.
What are the responsibilities of the IT Steering Committee?
An IT Steering Committee (ITSC) is responsible for providing strategic direction, oversight, and governance for an organization’s IT initiatives.
What does the IT steering committee’s responsibility of Vendor Management cover?
Overseeing relationships with IT vendors and service providers.
What does the IT steering committee’s responsibility of Strategic Alignment cover?
Ensuring IT initiatives support overall business objectives.
What does the IT steering committee’s responsibility of Resource Allocation cover?
Prioritizing IT projects and allocating budgets accordingly.
What does the ITSC’s responsibility of Risk Management cover?
Identifying, assessing, and mitigating IT-related risks.
What does the ITSC’s responsibility of Performance Measurement cover?
Establishing key performance indicators (KPIs) to measure IT performance.
What does the ITSC’s responsibility of Decision Making cover?
Approving major IT projects and initiatives.
What does the ITSC’s responsibility of Communication cover?
Communicating IT plans and progress to senior management and the board.
Why is the IT Steering Committee the best group to determine an enterprise’s risk appetite?
ACTUALLY, it’s not the ITSC - it’s the Board of Directors (BoD) who is responsible for establishing the risk appetite.
The IT Steering Committee’s role is to align IT risks with the overall enterprise risk appetite and develop strategies to manage IT-specific risks.
tl;dr:
BoD says what the risk appetite is
ITSC says how to align IT risks with the appetite
How does an IS auditor perform a risk assessment for information assets?
Identify Information Assets
Threat Identification
Vulnerability Assessment
Impact Assessment
Risk Calculation
Risk Prioritization
Risk Response
How does an IS auditor perform a risk assessment for information assets?
?
Threat Identification
Vulnerability Assessment
Impact Assessment
Risk Calculation
Risk Prioritization
Risk Response
Identify Information Assets: Determine the organization’s critical assets, including data, systems, and networks.
How does an IS auditor perform a risk assessment for information assets?
Identify Information Assets
?
Vulnerability Assessment
Impact Assessment
Risk Calculation
Risk Prioritization
Risk Response
Threat Identification: Identify potential threats to these assets, such as natural disasters, cyberattacks, human error, and unauthorized access.
How does an IS auditor perform a risk assessment for information assets?
Identify Information Assets
Threat Identification
?
Impact Assessment
Risk Calculation
Risk Prioritization
Risk Response
Vulnerability Assessment: Evaluate the weaknesses or gaps in the organization’s security controls that could be exploited by threats.
How does an IS auditor perform a risk assessment for information assets?
Identify Information Assets
Threat Identification
Vulnerability Assessment
?
Risk Calculation
Risk Prioritization
Risk Response
Impact Assessment: Determine the potential consequences of each identified risk, including financial, reputational, and operational impacts.
How does an IS auditor perform a risk assessment for information assets?
Identify Information Assets
Threat Identification
Vulnerability Assessment
Impact Assessment
?
Risk Prioritization
Risk Response
Risk Calculation: Combine the likelihood of a threat occurring with the potential impact to calculate the overall risk level.
How does an IS auditor perform a risk assessment for information assets?
Identify Information Assets
Threat Identification
Vulnerability Assessment
Impact Assessment
Risk Calculation
?
Risk Response
Risk Prioritization: Rank risks based on their severity and likelihood to inform resource allocation and mitigation efforts.
How does an IS auditor perform a risk assessment for information assets?
Identify Information Assets
Threat Identification
Vulnerability Assessment
Impact Assessment
Risk Calculation
Risk Prioritization
?
Risk Response: Develop strategies to mitigate, transfer, accept, or avoid identified risks.
Why is a risk assessment the primary focus for an IS auditor when determining the appropriate level of protection for an information asset?
A well-conducted risk assessment helps organizations safeguard their valuable information assets and minimize potential losses.
What is Inherent Risk?
Inherent Risk: The potential for loss or damage in the absence of any controls.
What is Residual Risk?
Residual Risk: The risk that remains after controls have been implemented.
What is Control Risk?
Control Risk: The risk that internal controls will fail to prevent or detect and correct misstatements on a timely basis.
What is Detection Risk?
Detection Risk: The risk that the auditor will fail to detect a material misstatement.
What is Business Risk?
Business Risk: The potential for an organization to suffer loss or harm due to uncertain events or conditions.
What is an IS auditor’s high-level role for an organization that’s undergoing a business process reengineering (BPR) effort?
Ensures that the new processes are secure, efficient, and aligned with the organization’s overall objectives.
The IS auditor covers the following responsibilities during a BPR (business process reengineering) effort:
?
Control evaluation
Security evaluation
Risk assessment: Identifying potential IT-related risks associated with the new processes.
The IS auditor covers the following responsibilities during a BPR (business process reengineering) effort:
Risk assessment
?
Security evaluation
Control evaluation: Assessing the adequacy of existing controls and recommending improvements.
The IS auditor covers the following responsibilities during a BPR (business process reengineering) effort:
Risk assessment
Control evaluation
?
Security evaluation: Ensuring that the new processes maintain an appropriate level of security.
What are the main goals of a BPR (business process reengineering) effort?
?
Enhance customer satisfaction
Gain a competitive advantage
Improve efficiency: Streamline processes to reduce costs and increase productivity.
What are the main goals of a BPR (business process reengineering) effort?
Improve efficiency
?
Gain a competitive advantage
Enhance customer satisfaction: Deliver products or services that better meet customer needs.
What are the main goals of a BPR (business process reengineering) effort?
Improve efficiency
Enhance customer satisfaction
?
Gain a competitive advantage: Differentiate the organization from competitors.
Why do businesses go through a BPR (business process reengineering) effort?
?
There’s a need for a major overhaul
New technologies offer opportunities
Market conditions change
Mergers or acquisitions occur
They face significant challenges: This could include declining profits, increased competition, or outdated processes that are hindering efficiency.
Why do businesses go through a BPR (business process reengineering) effort?
They face significant challenges
?
New technologies offer opportunities
Market conditions change
Mergers or acquisitions occur
There’s a need for a major overhaul: BPR is often considered when incremental improvements are not enough to address fundamental issues.
Why do businesses go through a BPR (business process reengineering) effort?
They face significant challenges
There’s a need for a major overhaul
?
Market conditions change
Mergers or acquisitions occur
New technologies offer opportunities: Advances in technology can enable new ways of doing business, making BPR a viable option.
Why do businesses go through a BPR (business process reengineering) effort?
They face significant challenges
There’s a need for a major overhaul
New technologies offer opportunities
?
Mergers or acquisitions occur
Market conditions change: Shifts in customer preferences, industry regulations, or economic factors can necessitate a rethinking of business processes.
Why do businesses go through a BPR (business process reengineering) effort?
They face significant challenges
There’s a need for a major overhaul
New technologies offer opportunities
Market conditions change
?
Mergers or acquisitions occur: Integrating different business cultures and operations can require a significant overhaul of processes.
How does an IS auditor help an organization achieve a BPR (business process reengineering) effort?
By ensuring that the new processes are secure, efficient, and compliant
How should IS auditors work with senior management?
?
Value-Added Services
Strategic Alignment
Proactive Reporting: Providing timely and actionable insights into IT risks and control weaknesses.
How should IS auditors work with senior management?
Proactive Reporting
?
Strategic Alignment
Value-Added Services: Offering recommendations for improvement beyond audit findings.
How should IS auditors work with senior management?
Proactive Reporting
Value-Added Services
?
Strategic Alignment: Demonstrating how audit findings contribute to the organization’s overall goals.
What does it mean for a company’s senior management to accept the risk?
They formally acknowledge the risk and monitor it
What is short-term planning for an IT department and why is it important?
Short-term planning in IT involves setting and achieving specific, achievable goals within a defined timeframe (usually less than a year). It’s about translating long-term IT strategies into actionable steps.
What is an IS auditor’s role during short-term planning for an IT department?
?
Resource Allocation
Risk Mitigation
Focus and Prioritization: Helps IT teams concentrate on immediate tasks and deliverables.
What is an IS auditor’s role during short-term planning for an IT department?
Focus and Prioritization
?
Risk Mitigation
Resource Allocation: Optimizes the use of personnel, budget, and technology.
What is an IS auditor’s role during short-term planning for an IT department?
Focus and Prioritization
Resource Allocation
?
Risk Mitigation: Identifies potential challenges and develops contingency plans.
What is an SLA (service level agreement)?
SLA: A broader contract between a service provider and a customer that outlines the expected level of service.
It includes metrics like response time, availability, and performance.
What is an Uptime guarantee?
Uptime guarantee: A specific component of an SLA that promises a certain level of system or network availability. It’s often expressed as a percentage (e.g., 99.99% uptime).
What are the most important considerations for an IS auditor when working with an organization that’s considering working with a third-party vendor?
The IS auditor should require third-party audit reports.
What is an uptime guarantee in relation to service level agreements?
An uptime guarantee is a quantifiable commitment within a broader service-level agreement. It ensures that the service provider is held accountable for system availability and performance.
What is the role of an IS auditor when an organization is determining financial viability of working with a third-party vendor?
?
Identifying red flags
Evaluating business continuity plans
Assessing financial stability: Reviewing the vendor’s financial statements, cash flow, and debt-to-equity ratio to determine its overall financial health.
What is the role of an IS auditor when an organization is determining financial viability of working with a third-party vendor?
Assessing financial stability
?
Evaluating business continuity plans
Identifying red flags: Looking for signs of financial distress, such as declining revenue, increasing debt, or negative cash flow.
What is the role of an IS auditor when an organization is determining financial viability of working with a third-party vendor?
Assessing financial stability
Identifying red flags
?
Evaluating business continuity plans: Assessing the vendor’s ability to recover from financial setbacks.
What should an IS auditor do when the organization they are auditing is considering outsourcing work to a third-party organization?
?
Analyze the best service provider
Ensure risks are mitigated
Inspect the SLA
Assess the sourcing strategy
What should an IS auditor do when the organization they are auditing is considering outsourcing work to a third-party organization?
Assess the sourcing strategy
?
Ensure risks are mitigated
Inspect the SLA
Analyze the best service provider
What should an IS auditor do when the organization they are auditing is considering outsourcing work to a third-party organization?
Assess the sourcing strategy
Analyze the best service provider
?
Inspect the SLA
Ensure risks are mitigated
What should an IS auditor do when the organization they are auditing is considering outsourcing work to a third-party organization?
Assess the sourcing strategy
Analyze the best service provider
Ensure risks are mitigated
?
Inspect the SLA