Domain 2 - Governance & Mngmt Of IT Flashcards
What does IT governance do
Ensures optimal use of IT resources and thereby supports the business strategy.
Who must be involved in IT governance
Senior management/stakeholders
Who approves IT security policy
BOD
2 steps in developing a risk management program
1) establish the purpose of the RM program
2) assign responsibility for the RM program
Information security standards committee (ISSC) determines if:
controls & practices are suitable around the operating systems and databases
(Senior management and C-Level executive management)
IT steering committee
Responsible for:
- implementation
- approving project plans & budget
- projects meet requirements
- efficient use of IT resources
- monitors
Enterprise architecture
Defines the structure and operations of an org; ensures technology initiatives are compatible with IT framework
- must include both current and future state outcomes to be complete
Enterprise risk management (ERM) steps
- Asset identification
- Determine the threat/vulnerability
- Evaluation of the impact
- Calculation of risk
- Evaluation of/response to risk
Capability maturity model
Helps determine maturity level of the risk management process; constant improvement; performance based
Maturity models identify -
Gaps between current and desired state
IT Balance Scorecard (BSC)
- objective is to optimize performance
- KPIs are required
- measures success of IT investment & strategy
First 2 steps in reviewing the software quality management process
- Review standards/policies adopted by org
- Review controls in place
Recovery point objective (RPO)
Determined based on the acceptable data loss in the case of a disruption of operations; a defined point in time
Who is essential in identifying critical business functions, recovery times, and resources needed in a BCP
Process owners
(BIA) business impact analysis
- presented to BOD
- determines acceptable downtime
- BCP first step is identifying critical business processes and determining priority for recovery
BCP predetermined criteria
Duration of an outage
- BCP should be based on the max time a business can function with a disruption before it threatens achievement of the organization's objectives
BCP tests - Table top
Involves all or some of the crisis team members and is focused more on coordination and communication issues than on technical process details
BCP tests - Functional
Involves mobilization of personnel and resources at various geographic sites. In-depth
BCP Tests - Full-scale
Involves enterprise-wide participation and full involvement of external organizations; the plan is actually exercised
Most important consideration when reviewing the risk management process
IT risk is presented in business terms
Disaster recovery plan (DRP) addresses the:
Technological aspect of business continuity planning (BCP)
- focuses on IT systems and operations
The first step in preparing a DRP
Perform a business impact analysis (BIA)
- BIA identifies critical business processes and supporting systems
Once the BIA is completed, the next phase in BCP development is
Identify various recovery strategies and select the most appropriate one
Pilot test
Used for implementing a new process or technology (not appropriate for a BCP)
Paper test (desk check)
Walk through part of or entire BCP
Unit test
Used to test new software components (not appropriate for a BCP)
System test
Used to test a new IT system (not appropriate for a BCP)
An effective BCP involves:
All user departments
What will ensure compliance to security policies from an outsourced service provider?
An indemnity clause (included in service provider contract)
CMM ensures -
A stable software development process