UP-ITTC
October 2010
Summary
Information systems audit (IS audit) requires long experience and a great deal of skill and knowledge in both auditing and information technology. For this reason, this training course and textbook cover a summary of the knowledge and skills an IS auditor needs, and in particular the detailed skills and knowledge of IS audit processes and methods for IT engineers who want to become IS auditors or conduct audit tasks.
Acknowledgments
The content of this training and textbook is based on the Certified Information Systems Auditor (CISA) certification and the Japan Information Technology Engineers Examination - System Auditor Examination.
The content of this training and textbook is copyrighted by JICA (Japan International Cooperation Agency) and UP-ITTC (UP Information Technology Training Center), and was developed by Go Ota, PADECO Co., Ltd. and UP-ITTC.
Expected Trainees
IS audit requires a wide range of IT skills and knowledge, so the training expects trainees to have at least passed the FE exam, or to have an equivalent level of IT experience (at least 5 years, preferably more than 10 years) and knowledge.
Chapter 0. Introduction
What is IS Audit?
What is Audit? What is IS Audit?
Audit: "An official examination of accounts to see that they are in order" - The Oxford Dictionary
An INDEPENDENT assessment of / opinion on how well (or badly) the financial statements were prepared.
IS audit:
- A review of the controls within an entity's technology infrastructure
- An official examination of IT-related processes to see that they are in order
What is IS Audit Activity? Difference Between Audit and Evaluation
[Diagram: Evaluation is an activity of management that looks at the process and result of business activities (business performance, infrastructure) for effectiveness and efficiency; its next action is improvement ("doing right"). Audit is an independent activity that checks policy and strategy, organization and management against a regulation, standard or norm; its next action is management ("managing right").]
[Diagram: SOX audit types.
• Financial audit (result): internal control - financial statement - financial audit - financial audit report
• Operation audit (process): internal control - internal control statement - internal control audit - internal control audit report
• Integrated audit: effectiveness and efficiency of operations, assurance of the financial statement, compliance with laws
• Control framework components: control environment, risk management, control activities, information and communication, monitoring; applied at enterprise level, division or subsidiary, and business unit; IT control underlies all of them.]
Case of ITGC: Project Management
[Diagram: the development phases (User Requirements, System Requirements, Global (Basic) Design, Detail Design, Programming, Component Test, Integration Test, System Test, Acceptance Test) are shown next to the project management side: the Project Management Division, the regulation, the Project Manager and the project documents.]
IS audit questions for the project:
• Is the development method appropriate?
• Does the selection of the system architecture have an appropriate reason?
• Was the cost estimated by the right procedure and method?
• Does the integrated testing use appropriate data?
• Does the project follow the regulation?
Who becomes an Auditor?
• (Account) Auditor, with experience of accounting and audit
• IT Specialist
Both routes lead to Information System Audit.
Certification: CISA (Certified Information Systems Auditor) by ISACA (Information Systems Audit and Control Association), from 1978
• More than 75,000 professionals in nearly 160 countries
• For both (Account) Auditors and IT Specialists
Target of IS Audit and IS Auditor's Skill and Knowledge
Map of IS Auditor's Skill and Knowledge
The CISA domains mapped onto four skill areas (IT Technical, IT Management, IT Governance, Audit Process & Method):
• D1 - IS Audit Process (Audit Process & Method): process; method; communication; related standards; IT security audit
• D2 - IT Governance (IT Governance): IT strategy; organization management; risk management; service strategy; security policy & strategy
• D3 - Systems and Infrastructure Lifecycle Management (IT Technical / IT Management): development method; application control; software testing; system/application architecture; e-commerce/application knowledge; project management; SQM
• D4 - IT Service Delivery and Support (IT Technical / IT Management): hardware, OS, middleware; network & DB; operation & maintenance; service delivery; service support
• D5 - Protection of Information Assets (IT Technical / IT Management): network security; security technology; logical security; physical security
Overview of D1 - IS Audit Process: Task & Process
Summary of Audit Process
Example: a small audit for Logical Access Control (control over users and programs accessing data, programs and applications)
Overview of D3 - Systems and Infrastructure Lifecycle Management
To provide assurance that the management practices for the development/acquisition, testing, implementation, maintenance, and disposal of systems and infrastructure will meet the organization's objectives.
Examples of target
• Application development process and regulation, including needs analysis and cost estimation
• Quality management
• Validation of computer and system architecture for applications
• Application control
• Management of outsourcing and vendors
Overview of D4 - IT Service Delivery and Support
To provide assurance that the IT service management practices will ensure the delivery of the level of services required to meet the organization's objectives.
Examples of target
• Service level agreement
• Validation of hardware and software
• Validation of network infrastructure
• Monitoring of information system/infrastructure
• Capacity and configuration management
• Configuration management of software
• Regulation of operation and maintenance
• Help (service) desk and incident/problem management
Overview of D5 - Protection of Information Assets
To provide assurance that the security architecture (policies, standards, procedures, and controls) ensures the confidentiality, integrity, and availability of information assets.
Examples of target
• Policy and regulation of IT security, including risk management
• Validation of logical access control such as passwords and authentication
• Validation of physical access control with security technology and devices
• Validation of the security of the network infrastructure
• Validation of the encryption system
• Validation of environmental controls against fire, power breakdown and …
Overview of D6 - Business Continuity and Disaster Recovery
To provide assurance that in the event of a disruption the business continuity and disaster recovery processes will ensure the timely resumption of IT services while minimizing the business impact.
Examples of target
• Business Impact Analysis (BIA) and Disaster Recovery Planning (DRP)
• Validation of backup and recovery against disasters
• Validation of means for continuity against disasters
Related important laws, regulations and guidelines
Columns 1 to 6 of the original table are the CISA domains; an X marks a domain the item applies to (the marks are listed in the order extracted).
• Standards, Guidelines, and Tools and Techniques for Audit/Assurance and Control Professionals by ISACA: X X X X X X
• Public Company Accounting Reform and Investor Protection Act of 2002 (SOX): X X X X
• The Control Objectives for Information and related Technology (COBIT) by ISACA: X X X X X X
• ISO/IEC 27002: Information technology - Security techniques - Code of practice for information security management: X X X X X X
• Information Technology Infrastructure Library (ITIL): X X X X X
• Val IT by IT Governance Institute (ITGI): X X
• Project Management Body of Knowledge (PMBOK): X X X
• COSO (The Committee of Sponsoring Organizations of the Treadway Commission) Control Framework: X X X
• CMMI (Capability Maturity Model® Integration): X X X
• ISO/IEC 9126 & 25000 Software engineering - Product quality (an international standard for the evaluation of software quality): X X X x X
Where does an IS auditor work?
[Diagram: three positions are shown: an Audit Company, an IS Consultant, and the Business itself (Business Activities, Infrastructure).]
New movement of IS Audit: Security
[Diagram: the skill map of D1 - IS Audit Process, D2 - IT Governance and D3 - Systems and Infrastructure Lifecycle Management across IT Technical, IT Management, IT Governance and Audit Process & Method, with the security movement marked on it.]
Study style of this lecture
For each domain of CISA (XX Domain of CISA):
• Quiz (about 20 questions) from the CISA exam: checking your current knowledge and skill about IT for IS audit
• Explanation of related knowledge and skill: making an anchor to understand and memorize new knowledge and skill for IS audit, and finding and understanding the viewpoint of an IS auditor
Chapter 1. Domain 3
Systems and Infrastructure Lifecycle Management
Overview of Tasks for Domain 3
3.1 Evaluate proposed system development/acquisition to ensure that it meets
the business goals.
3.2 Evaluate the project management framework and project governance
practices to ensure that business objectives are achieved in a cost-effective
manner.
3.3 Perform reviews to ensure that a project is progressing in accordance with
project plans and project management regulation.
3.4 Evaluate proposed control mechanisms for systems and/or infrastructure
during specification, development/acquisition, and testing.
3.5 Evaluate the processes by which systems and/or infrastructure are
developed/ acquired and tested to ensure that the deliverables meet the
organization’s objectives.
3.6 Evaluate the readiness of the system and/or infrastructure for
implementation and migration into production.
3.7 Perform post-implementation review and periodic reviews of systems and/or
infrastructure to ensure that they meet the organization’s objectives and are
subject to effective internal control.
3.8 Evaluate the process by which systems and/or infrastructure are maintained
to ensure the continued support of the organization’s objectives and are subject
to effective internal control.
3.9 Evaluate the process by which systems and/or infrastructure are disposed of
to ensure that they comply with the organization’s policies and procedures.
Overview of skill and knowledge for Domain 3
3.1 benefits management practices
3.2 project governance mechanisms (e.g., steering committee)
3.3 project management practices, tools, and control frameworks
3.4 risk management practices applied to projects
3.5 project success criteria and risks
3.6 configuration, change and release management in relation to development and
maintenance of systems and/or infrastructure
3.7 control objectives and techniques that ensure the completeness, accuracy, validity, and
authorization of transactions and data within IT systems applications
3.8 enterprise architecture related to data, applications, and technology (e.g., distributed
applications, web-based applications, web services, n-tier applications)
3.9 requirements analysis and management practices
3.10 acquisition and contract management processes (e.g., evaluation of vendors,
preparation of contracts, vendor management, escrow)
3.11 system development methodologies and tools and an understanding of their strengths
and weaknesses
3.12 quality assurance methods
3.13 the management of testing processes
3.14 data conversion tools, techniques, and procedures
3.15 system and/or infrastructure disposal procedures
3.16 software and hardware certification and accreditation practices
3.17 post-implementation review objectives and methods
3.18 system migration and infrastructure deployment practices
IS Audit Small Quiz No.1
Quiz book
[Diagram: scope of general system development phases, ending with P5: Implementation and P7: Disposal.]
Overview of Development Organization
[Diagram: User, Management, Quality Assurance and Project Management around the development organization.]
Overview of SDLC Phases 1 and 2
Phase 1: Feasibility Study
To determine the strategic benefit of the new information system and analyze possible solutions to realize the needs
• Define the business case
• Define the objectives with supporting evidence
• List up possible solutions
• Perform a preliminary risk assessment
• Agree upon an initial budget and expected return on investment (ROI)
Overview of SDLC Phases 3 and 4
Phase 3: Plan solution and system design / system selection
To plan the solution (strategy), whether to make (build) or buy, based on the objectives from Phase 1 and the specifications from Phase 2.
Case of build
• Make designs such as user requirements, basic design, detail design and operation design (start of the development process)
Case of buy
• Make an RFP (Request for Proposal) to select the best vendor and product based on the specification in Phase 2
• Conduct bidding to select the vendor and product
Overview of SDLC Phases 5, 6 and 7
Phase 5: Implementation
To install the new system; the final user acceptance test (mainly function testing) begins. The system undergoes a process of final certification and approval.
Phase 7: Disposal
The final phase is the proper disposal of equipment and the purging of data.
Overview of Development Models (1)
a. Waterfall model
[Diagram: User Requirements, System Requirements, Global (Basic) Design, Detail Design and Programming descend one side; Component Test (= debug), Integration Test, System Test and Acceptance Test ascend the other, each test paired with the design phase it verifies.]
Overview of Development Models (2)
b. Agile Development
[Diagram: Function 1, Function 2 and Function 3 are each taken through Design, coding and Test in turn.]
Overview of Development Models (3)
Overview of Design and Development Methods
Method: Summary
• SD/SA (Structured Design / Structured Analysis): Structured Design (SD) is concerned with the development of modules and the synthesis of these modules in a so-called "module hierarchy".
• OOD (Object-Oriented Design): the process of planning a system of interacting objects for the purpose of solving a software problem.
Overview of Project Management
PMBOK Knowledge Areas
1. Project Integration Management
2. Project Scope Management
3. Project Time Management
4. Project Cost Management
5. Project Quality Management
6. Project Human Resources Management
7. Project Communications Management
8. Project Risk Management
9. Project Procurement Management
[Diagram: Project Managing Triangle, with Resources and Performance among its vertices.]
Overview of Cost Estimation and Scheduling
Planning (cost estimation):
• Parametric modeling
• Function point
• Lines of code
• Bottom-up estimate
Scheduling:
• PERT
• Gantt chart
• WBS (Work Breakdown Structure)
Overview of Procurement
[Diagram: Define Specification, then Make RFP, then Select Vendor, then Make Contract.]
Overview of Business APP
APP: Summary
• E-commerce: the buying and selling of products or services over electronic systems such as the Internet and other computer networks.
• E-banking / Online banking: to conduct financial transactions on a secure website operated by their retail or virtual bank, credit union or building society.
• CIM (Computer-Integrated Manufacturing): both a method of manufacturing and the name of a computer-automated system in which individual engineering, production, marketing, and support functions of a manufacturing enterprise are organized.
• DSS (Decision Support System): DSSs serve the management, operations, and planning levels of an organization and help to make decisions, which may be rapidly changing and not easily specified in advance.
• SCMS (Supply Chain Management Software): supply chain transactions, managing supplier relationships and controlling associated business processes. It commonly includes customer requirement processing, purchase order processing, inventory management, goods receipt and warehouse management, supplier management/sourcing.
• CRM (Customer Relationship Management): sales force automation, marketing and customer service and support.
Overview of Risk of Business APP
APP: Summary of risk
• E-commerce: clear business case needed; innovation is very rapid; certification; privacy of customers; high reliability and electronic signature.
• E-banking / Online banking: innovation is very rapid; security of authentication; privacy of customers; high reliability and integration with other systems.
• CIM (Computer-Integrated Manufacturing): a big system consisting of many systems and software; a clear feasibility study is needed.
• DSS (Decision Support System): difficulty of defining purpose and usage; ROI is not clear.
• SCMS (Supply Chain Management Software): changes to workflow and business model.
• CRM (Customer Relationship Management): innovation is very rapid; security of authentication; privacy of customers.
Overview of Technology for Business APP
APP: Summary
• EDI (Electronic Data Interchange): structured transmission of data between organizations by electronic means. It is used to transfer electronic documents or business data from one computer system to another.
• Data warehouse: to retrieve and analyze data, to extract, transform and load data, and to manage the data dictionary.
• Cloud computing: Internet-based computing, whereby shared resources, software, and information are provided to computers and other devices on demand, like the electricity grid. SaaS.
• Office suite: an office software suite or productivity suite is a collection of programs intended to be used by knowledge workers, e.g. Google Apps.
• ERP (Enterprise Resource Planning): integrated computer-based system used to manage internal and external resources, including tangible assets, financial resources, materials, and human resources.
• Smart phone: a mobile phone that offers more advanced computing ability and connectivity than a contemporary basic "feature phone".
• CTI (Computer Telephony Integration): technology that allows interactions on a telephone and a computer to be integrated or coordinated. As contact channels have expanded from voice to include email, web, and fax, the definition of CTI has expanded to include the integration of all customer contact channels (voice, email, web, fax, etc.) with computer systems.
Overview of CMMI
Overview of Development Tools (IDE)
Tool: Summary
• CASE (Computer-Aided Software Engineering): a set of tools and methods for a software system which is meant to result in high-quality, defect-free, and maintainable software products.
• Visual Studio .NET: it can be used to develop console and graphical user interface applications along with Windows Forms applications, web sites, web applications, and web services in both native code and managed code for all platforms supported by Microsoft Windows, Windows Mobile, Windows CE, .NET Framework, .NET Compact Framework and Microsoft Silverlight.
• Eclipse: it is written primarily in Java and can be used to develop applications in Java and, by means of various plug-ins, other languages including C, C++, COBOL, Python, Perl, PHP, Scala, Scheme and Ruby (including the Ruby on Rails framework).
Example 1: OSS for Eclipse (Java)
Overview of Actual (Practical) Tools
Test framework: JUnit
IS Audit Small Quiz No.1 (Answer) (2)
1-8 (A)
If resource allocation is decreased, an increase in quality can be achieved if a delay in delivery time will be accepted.
1-9 (A)
Cost performance of a project cannot be properly assessed in isolation from schedule performance.
1-10 (C)
Projects often have a tendency to expand, and this expansion often grows to the point where the originally anticipated cost-benefits are diminished. When this occurs, the project should be stopped or frozen to allow review of all the cost-benefits and the payback period.
1-11 (C)
A project steering committee is responsible for reviewing the project progress to ensure that it will deliver the expected result.
1-12 (D)
In the case of deviation from the predefined procedure, an IS auditor should first ensure that the procedure followed for acquiring the software is consistent with business objectives and has been approved by appropriate authorities.
1-13 (B)
A quality plan is an essential element of all projects. It is critical that the contracted supplier be required to produce such a test plan.
IS Audit Small Quiz No.1 (Answer) (3)
1-14 (C)
Choices A, B and D are not risks, but characteristics of a DSS.
1-15 (B)
Once the data are in a warehouse, no modification should be made to them, and access controls should be in place to prevent data modification.
1-16 (C)
Best resolution.
1-17 (C)
When implementing an application software package, incorrect parameters would be the greatest risk.
1-18 (C)
The project portfolio database contains project data such as organization, schedule, objectives, status and cost.
1-19 (D)
The criteria of CMMI show that the development organization follows a stable and predictable software process; CMMI doesn't guarantee the quality of each project.
1-20 (B)
A strength of an IDE is that it expands the programming resources and aids available.
IS Audit Small Quiz No.2
Quiz book
Definition of basic terms related to bug, error, ...
• Error: a human action that produces an incorrect result
• Defect (Bug, Fault): a flaw in a component or system that causes it to fail to perform its required function
• A human error can occur without a defect; sometimes a defect appears as a failure
[Diagram: V-model. User Requirements are paired with the Acceptance Test, System Requirements with the System Test, and Detail Design with the Component Test; each test is prepared during its paired phase, with Programming at the bottom.]
Cost of Fixing Bugs in Test Phases
[Graph: cost of fixing bugs by test phase (axis: Cost).]
[Quality characteristics shown: reliability, suitability, interoperability, usability, accuracy, security, efficiency, compliance, maintainability.]
• Integration Test
- Bottom-up method: a driver calls the target module(s)
- Top-down method: the target module calls stubs (dummy modules) in place of the modules below it
[Graph: number of bugs over days, with open and closed bug counts.]
Example: Useful Metrics
What kind of metrics Microsoft is using
• Cost / Time: progress of implementation (implementation stage)
• Quality:
- Project: expected MTTF (Mean Time To Failure); expected MTTF under stress
- Implementation: number of bugs per build; type of problem in the build
- Program/system testing: number of bugs in each module; bug density in each module; bug history; software reliability growth curve
Type of Test Organization (Independent Tester)
A. No independent tester: within the development group, the project manager's programmers are also the testers (programmer = tester).
B. Independent testers within the group: the development group has programmers and separate testers.
C. Independent tester team: a test team separate from the development team.
[Diagram: change-over (rollout) methods for Module 1 to Module n against a rollout schedule.]
1. Parallel change over
2. Abrupt change over
3. Phased change over
Risk of Operation of Information System
Even if the system of ABC Company doesn't have bugs, there are many risks and failures:
[Diagram: ABC Company's E-commerce system and E-commerce DB, with an operator, customers and XYZ Company exchanging transactions, showing the following risks]
• Automated transactions without checking by the operator
• Mistakes in updating master data
• Error reports thrown out
• Inconsistency of data between the companies
• Inappropriate procedure for error data
• Illegal access by a criminal
Definition of error, failure and risk in Test and Control
• Factor: human error (a human action that produces an incorrect result); malice; change of environment (disaster, new standard)
• Defect (Bug, Fault): a flaw in a component or system that causes it to fail to perform its required function; found by testing
• Risk: a factor that could result in future negative consequences; usually expressed as impact and likelihood
• Failure: deviation of the component or system from its expected delivery, service or result
• Control: prevents a failure from appearing and/or occurring (risk management and control)
Test and ITAC (Control) and Audit in the context of risk management
• Test
Activity to get rid of the factors that create risks and failures, before cut-over
• ITAC (IT Application Control)
Activity, process and means to prevent risks and failures and/or to reduce the effect of risks and failures (after cut-over)
System Development and IT Control
[Diagram: before cut-over the activities are Requirement Analysis, Design & Program, Testing and Migration, managed by Project Management; after cut-over they are Operation, Maintenance and Monitoring, with changing requirements feeding back, managed by Operation Management. The control function after cut-over is IT Control (ITAC). All items are targets of IS audit.]
ITAC
[Diagram: the information system is checked by testing its functions, checking regulations and checking working records; system logs support testing & monitoring; the system audit covers all of these.]
Objectives of Control of Input Management (Control)
Objective / Sample of Control / Sample of Audit
• The organization makes a regulation for input management and complies with it
- Control: regulation including procedure, method of verification and authorization for input activities
- Audit: checking regulation documents; inspection of working records of input activity
• Input operation is carried out based on the regulation and assures no repeated or missing input
- Control: procedure to put a stamp on a form sheet after input; system function to check the serial No. of input data
- Audit: all form sheets have a stamp after input; checking that no repeated data exists in the database
• Enough means and functions exist to prevent input errors and illegal operation
- Control: system function to detect invalid data input; operators can use only specific PCs (terminals)
- Audit: review and testing of the system function; access log of the PCs
• Data access control and monitoring work effectively
- Control: regulation of access control for updating master data
- Audit: checking the access log of the database
• Integrity of data is guaranteed
- Control: regulation for checking the data range of master data updates
- Audit: checking test records of data
• Data transfer complies with its regulation
- Control: regulation of data transfer
- Audit: checking records of transferred data
• Data exchange takes appropriate means to prevent illegal access and keep security
- Control: function for error correction during data exchange
- Audit: log data of exchange error correction
• Storing, copying and abolishing data prevent illegal access and keep security
- Control: regulation for abolishing report documents
- Audit: checking records of abolished documents
Objectives of Control of Output Management (Control)
Objective / Sample of Control / Sample of Audit
• The organization makes a regulation for output management and complies with it
- Control: regulation including procedure, method of verification and authorization for output activities
- Audit: checking regulation documents; inspection of working records of output activity
• Output operation is carried out based on the regulation and assures no repeated or missing output
- Control: regulation defines the person responsible for the output procedure
- Audit: checking the access log for output data
• Enough means and functions exist to prevent output errors and illegal operation
• Distribution of output is carried out based on its regulation
- Control: regulation of output distribution
- Audit: checking the distribution of output reports
• Storing and abolishing output is carried out based on the regulation
- Control: regulation for abolishing report documents
- Audit: checking records of abolished documents
Technique and Means of Control of Input Management (Control)
Area: Description
• Data preparation
- Good design of the source document or form
- Grouping similar input fields
- Providing appropriate codes to reduce errors
- Containing appropriate serial No. and cross-reference No.
- Appropriate input field style to reduce errors
- Including an appropriate field for document authorization
• Input authorization
- Signature on the form or source document
- Online access control (only authorized individuals can access specific information)
- Unique password (don't share passwords nor grant passwords to others)
- Usage of specific terminals or a specific area
- Segregation of duties
• Batch control
- Appropriate batch header form including application name, transaction code, preprinted No., identification data
- Total monetary amount (verification that the total monetary value of the items processed equals the total monetary value of the batch documents)
- Total items (No. of units ordered in the batch and No. of units processed)
- Total number of documents
- Hash totals (verification of the total of a hash value: a field with no meaning in itself, such as the preprinted fixed numbers)
- Reviewing online batch input by a manager
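The batch control totals listed above, worked as an added example that is not part of the UP-ITTC text. The code recomputes the four totals a preparer writes on the batch header (total monetary amount, total items, document count and hash total) from the documents actually processed and reports which ones disagree. The document fields, the account codes used for the hash total and the sample batch are all constructed for this example; the "miskeyed account" case shows why a hash total catches an error the monetary and item totals cannot.

```python
"""Batch control totals for a batch of input documents.

Added example for the batch control techniques above; it is not part of the
UP-ITTC text. Document fields and all values are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_no: str        # preprinted serial number of the source document
    account: str       # numeric account code: no arithmetic meaning, used for the hash total
    units: int         # number of units ordered
    amount_cents: int  # monetary amount in cents (integers avoid rounding issues)


@dataclass(frozen=True)
class BatchHeader:
    """Control totals the preparer writes on the batch header form."""
    total_amount_cents: int
    total_units: int
    document_count: int
    hash_total: int


CONTROL_TOTALS = ("total_amount_cents", "total_units", "document_count", "hash_total")


def compute_totals(documents):
    """Recompute the four control totals from the documents actually processed."""
    return BatchHeader(
        total_amount_cents=sum(d.amount_cents for d in documents),
        total_units=sum(d.units for d in documents),
        document_count=len(documents),
        # hash total: the sum of a field whose total is meaningless by itself;
        # a mis-keyed, dropped or duplicated account code changes it
        hash_total=sum(int(d.account) for d in documents),
    )


def batch_exceptions(header, documents):
    """Names of the control totals that do not agree between header and items."""
    actual = compute_totals(documents)
    return [name for name in CONTROL_TOTALS
            if getattr(header, name) != getattr(actual, name)]


# Constructed batch of three source documents and the header prepared from them.
BATCH = [
    Document("000101", "4711", units=10, amount_cents=12050),
    Document("000102", "2300", units=4, amount_cents=7525),
    Document("000103", "4711", units=1, amount_cents=30000),
]
HEADER = compute_totals(BATCH)   # 49575 cents, 15 units, 3 documents, hash 11722


def demo():
    """Two processing defects and the control totals that catch each of them."""
    miskeyed = [BATCH[0], Document("000102", "3200", 4, 7525), BATCH[2]]
    dropped = BATCH[:2]
    return {
        "clean": batch_exceptions(HEADER, BATCH),
        "miskeyed_account": batch_exceptions(HEADER, miskeyed),
        "dropped_document": batch_exceptions(HEADER, dropped),
    }


if __name__ == "__main__":
    for case, problems in demo().items():
        print(f"{case}: {problems or 'all control totals agree'}")
```

The monetary and item totals are unchanged when an account code is keyed wrongly, so only the hash total raises an exception for that batch; a dropped document disturbs all four totals.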
Technique and Means of Control of Input (Processing) Management
Area: Description
• Regulation and monitoring
- Transaction log (input process and batch process)
- Documented regulation
- Transmittal log
- Cancellation of source documents (by punching holes or marking them, to avoid duplicate entry)
• Error reporting and handling
- Appropriate error handling:
  - Rejecting only the transaction with an error
  - Rejecting the whole batch of transactions
  - Holding the batch in suspense
  - Accepting the batch and flagging the error transactions
- Appropriate error correction procedure:
  - Logging of errors
  - Timely corrections
  - Upstream resubmission
  - Approval of corrections
  - Suspense file
  - Error file
  - Validity of corrections
Technique and Means of Control of Processing (Input) Management
Area: Description
• Data validation and editing procedure
- Sequence check (to avoid duplicated and missing records)
- Limit check (not only on input data, but also on updates of master data)
- Range check
- Validity check (checking whether the input data is one of the values of a defined set)
- Reasonableness check (e.g. the requested number in an order)
- Table lookup (validity by using a table)
- Key verification (validity of a non-duplicated key)
- Completeness check (null check of the data in a specific field)
- Duplication check (checking duplication of a transaction)
- Logical relation check (e.g. if he has a wife, he must be over xx years old)
• Process validation and verification
- Manual recalculation
- Run-to-run totals (checking values among processes, e.g. the sum at the middle of the process and the sum at the end)
- Limit check of amounts
- Reasonableness of amounts
- Exception reports
- Reconciliation (cross comparison) of file totals
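The data validation and editing checks above, implemented as an added example that is not part of the UP-ITTC text. Each check in the slide's list (sequence, limit, range, validity, reasonableness, table lookup, key verification, completeness, duplication and logical relation) is applied to a small transaction batch; the field names, the limits, the price table and the sample transactions are assumptions made for this example.

```python
"""Data validation and editing checks over a constructed transaction batch.

Added example for the "Data validation and editing procedure" list above; it
is not part of the UP-ITTC text. The field names, limits, reference table and
the sample transactions are assumptions made for this example.
"""

VALID_CUSTOMER_TYPES = {"RETAIL", "WHOLESALE"}   # validity check: value must be in the set
PRICE_TABLE = {"P-100": 2500, "P-200": 9900}     # table lookup: product code must exist
QTY_LIMIT = 1000                                 # limit check: hard maximum for an order
QTY_REASONABLE = 200                             # reasonableness: above this, flag for review
DISCOUNT_RANGE = (0, 30)                         # range check, in percent
REQUIRED = ("txn_no", "customer_type", "product", "qty", "discount")


def check_record(txn):
    """Per-record edit checks; returns the names of the checks that failed."""
    failed = []
    # completeness check: every required field present and not null
    if any(txn.get(f) is None for f in REQUIRED):
        return ["completeness"]
    if txn["customer_type"] not in VALID_CUSTOMER_TYPES:
        failed.append("validity")
    if txn["product"] not in PRICE_TABLE:
        failed.append("table_lookup")
    if txn["qty"] > QTY_LIMIT:
        failed.append("limit")
    elif txn["qty"] > QTY_REASONABLE:
        failed.append("reasonableness")
    lo, hi = DISCOUNT_RANGE
    if not lo <= txn["discount"] <= hi:
        failed.append("range")
    # logical relation check: a wholesale customer must carry a VAT number
    if txn["customer_type"] == "WHOLESALE" and not txn.get("vat_no"):
        failed.append("logical_relation")
    return failed


def validate_batch(batch):
    """Batch-level checks (sequence, duplication / key verification) plus the
    per-record checks. Returns a list of (txn_no, check_name) findings."""
    findings = []
    seen_keys = set()
    expected_no = None
    for txn in batch:
        txn_no = txn.get("txn_no")
        if txn_no is not None:
            # sequence check: transaction numbers must run consecutively
            if expected_no is not None and txn_no != expected_no:
                findings.append((txn_no, "sequence"))
            expected_no = txn_no + 1
            # duplication check / key verification: the key must be unique
            if txn_no in seen_keys:
                findings.append((txn_no, "duplication"))
            seen_keys.add(txn_no)
        findings.extend((txn_no, name) for name in check_record(txn))
    return findings


# Constructed batch: one clean record followed by records that each fail a check.
SAMPLE_BATCH = [
    {"txn_no": 1001, "customer_type": "RETAIL", "product": "P-100", "qty": 10, "discount": 5},
    {"txn_no": 1002, "customer_type": "WHOLESALE", "product": "P-200", "qty": 50, "discount": 10},
    {"txn_no": 1002, "customer_type": "RETAIL", "product": "P-100", "qty": 5, "discount": 0},
    {"txn_no": 1004, "customer_type": "RETAIL", "product": "P-999", "qty": 2000, "discount": 50},
    {"txn_no": 1005, "customer_type": "GOV", "product": "P-100", "qty": 300, "discount": 0},
    {"txn_no": 1006, "customer_type": "RETAIL", "product": None, "qty": 1, "discount": 0},
]

if __name__ == "__main__":
    for txn_no, check in validate_batch(SAMPLE_BATCH):
        print(f"txn {txn_no}: failed {check} check")
```

The limit and reasonableness checks are deliberately ordered so that a quantity beyond the hard limit is rejected rather than merely flagged; the sequence check is run before the record checks so that a record missing a field still counts toward the numbering.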
Technique and Means of Control of Processing Management
Area: Description
• Data file control
- Before and after image report (the difference proves the transactions were done correctly)
- Maintenance error reporting and handling (checking and reviewing of error handling by personnel who did not handle it)
- Source document retention (verification of the file against the source data)
- Internal and external labeling (labeling of physical removable storage such as tapes and disk cartridges)
- Version management
- Data file security
- One-for-one checking (verification by comparison between the data and the source document)
- Transaction log
- File updating and maintenance authorization
- Parity checking
• Output delivery and storage
- Logging and storage of negotiable, sensitive and critical forms in a secure place
- Computer generation of negotiable instruments, forms and signatures, including intellectual property
- Appropriate report printing and distribution, including electronic reporting:
  - Control of the printing spool
  - Authentication of printing
  - Printing in a secure and safe room
  - Delivery and recipient evidence such as a signature
- Output report retention
- Output error handling
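The process validation and data file controls above (run-to-run totals, reconciliation of file totals, the before and after image report and one-for-one checking), worked as an added example that is not part of the UP-ITTC text. A master file is updated from a transaction file, and the same three controls are run once on a clean update and once on an update where a processing defect silently loses one transaction. The master file, the transaction file and the simulated defect are constructed for this example.

```python
"""Processing controls over a master file update: run-to-run totals,
before/after image report and one-for-one checking.

Added example for the process validation and data file control items above;
not part of the UP-ITTC text. The master file, the transaction file and the
simulated processing defect are constructed for this example.
"""
from collections import Counter

# Constructed master file (account -> balance) and transaction file (account, delta).
MASTER = {"A-1": 1000, "B-2": 250, "C-3": 0}
TRANSACTIONS = [("A-1", 100), ("B-2", -40), ("C-3", 25), ("A-1", -60)]


def input_control_total(transactions):
    """Control total computed at the input stage and carried to the next run."""
    return sum(delta for _, delta in transactions)


def update_master(master, transactions, lose_index=None):
    """Apply the transactions to a copy of the master file.
    lose_index simulates a processing defect: that transaction is silently
    skipped, the kind of failure these controls exist to surface."""
    after = dict(master)
    applied = []
    for i, (acct, delta) in enumerate(transactions):
        if i == lose_index:
            continue
        after[acct] = after.get(acct, 0) + delta
        applied.append((acct, delta))
    return after, applied


def run_to_run_check(input_total, before, after):
    """Run-to-run total: the input-stage total must equal the net change the
    update run produced in the master file."""
    net_change = sum(after.values()) - sum(before.values())
    return input_total == net_change


def before_after_image_report(before, after):
    """Records whose value changed, as (before, after) pairs; the differences
    should be explained exactly by the applied transactions."""
    return {acct: (before.get(acct), after.get(acct))
            for acct in sorted(set(before) | set(after))
            if before.get(acct) != after.get(acct)}


def one_for_one_check(transactions, applied):
    """One-for-one checking: every source transaction must appear exactly once
    in the processing record. Returns the transactions not accounted for."""
    missing = Counter(transactions) - Counter(applied)
    return sorted(missing.elements())


def run(lose_index=None):
    """Run the update and all three controls; returns their results."""
    total = input_control_total(TRANSACTIONS)
    after, applied = update_master(MASTER, TRANSACTIONS, lose_index)
    return {
        "run_to_run_ok": run_to_run_check(total, MASTER, after),
        "images": before_after_image_report(MASTER, after),
        "unprocessed": one_for_one_check(TRANSACTIONS, applied),
    }


if __name__ == "__main__":
    print("clean run:", run())
    print("one transaction lost:", run(lose_index=1))
```

The run-to-run total reports only that something went wrong; the one-for-one check and the before/after images say which transaction and which record, which is what the auditor needs to follow up.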
Overview of Auditing ITAC (Application Controls)
[Diagram: internal control is performed by humans, by the computer, and by humans and computer together.]
Methods and Targets of Data Integrity Testing
• Data integrity testing is a set of substantive tests that examines accuracy, completeness, consistency and authorization.
• Failure of data integrity is the result of a failure of input and/or processing. Because of this, data integrity testing uses similar methods and techniques to the testing of input controls.
• Two types of data integrity
- Relational integrity
Targets are each record and/or the items in a record. Relational integrity is enforced by the data-checking functions of the input process.
- Referential integrity
Targets are the existence of relationships between entities in different tables of a database. References (by primary key and foreign key) must be kept consistent in the event of insert, delete and update.
Methods and Targets of Data Integrity Testing in an online transaction processing system
The importance of data integrity is known as the ACID principle.
• Atomicity
From the user's perspective, a transaction is either completed or not at all. If an error or interruption occurs, all changes made up to that point are backed out.
• Consistency
All integrity conditions in the database are maintained.
• Isolation
Under multi-user conditions, each transaction is isolated from other transactions.
• Durability
If a transaction has been reported to the user as complete, the resulting changes to the database survive subsequent hardware or software failures.
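Referential integrity (from the previous slide) and the atomicity and consistency properties above, demonstrated on an in-memory SQLite database as an added example that is not part of the UP-ITTC text. A foreign key rejects an insert that references a non-existent customer and a delete that would orphan an account; a CHECK constraint states the integrity condition that balances never go negative; and a two-statement transfer that violates that condition is rolled back as a whole, so the credit that was already written never persists. The customer/account schema and the balances are constructed for this example.

```python
"""Referential integrity and atomicity demonstrated on an in-memory SQLite database.

Added example for the referential integrity and ACID material above; it is
not part of the UP-ITTC text. The customer/account schema and the balances
are constructed for this example.
"""
import sqlite3


def open_db():
    """Create the schema with a foreign key, a CHECK constraint and sample rows."""
    conn = sqlite3.connect(":memory:")
    # SQLite only enforces foreign keys when this pragma is on for the connection
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript("""
        CREATE TABLE customer (
            id   INTEGER PRIMARY KEY,
            name TEXT NOT NULL
        );
        CREATE TABLE account (
            id       INTEGER PRIMARY KEY,
            owner_id INTEGER NOT NULL REFERENCES customer(id),   -- foreign key
            balance  INTEGER NOT NULL CHECK (balance >= 0)       -- integrity condition
        );
        INSERT INTO customer VALUES (1, 'Alice'), (2, 'Bob');
        INSERT INTO account  VALUES (1, 1, 500), (2, 2, 100);
    """)
    return conn


def balance(conn, account_id):
    return conn.execute("SELECT balance FROM account WHERE id = ?",
                        (account_id,)).fetchone()[0]


def insert_orphan_account(conn):
    """Referential integrity on INSERT: an account whose owner does not exist is rejected."""
    try:
        with conn:
            conn.execute("INSERT INTO account VALUES (3, 99, 10)")
        return True
    except sqlite3.IntegrityError:
        return False


def delete_referenced_customer(conn, customer_id):
    """Referential integrity on DELETE: a customer still referenced by an account is kept."""
    try:
        with conn:
            conn.execute("DELETE FROM customer WHERE id = ?", (customer_id,))
        return True
    except sqlite3.IntegrityError:
        return False


def transfer(conn, src, dst, amount):
    """Atomicity: credit first, then debit; if the debit violates the CHECK
    constraint the whole transaction is rolled back, so the credit never persists."""
    try:
        with conn:   # commits on success, rolls back on an exception
            conn.execute("UPDATE account SET balance = balance + ? WHERE id = ?", (amount, dst))
            conn.execute("UPDATE account SET balance = balance - ? WHERE id = ?", (amount, src))
        return True
    except sqlite3.IntegrityError:
        return False


def demo():
    """Run the three integrity cases in order and collect their outcomes."""
    conn = open_db()
    results = {
        "orphan_insert_accepted": insert_orphan_account(conn),
        "referenced_delete_accepted": delete_referenced_customer(conn, 1),
        "overdraft_transfer_accepted": transfer(conn, 1, 2, 700),
        "bob_after_failed_transfer": balance(conn, 2),   # the credit was backed out
        "valid_transfer_accepted": transfer(conn, 1, 2, 200),
        "balances_after_valid_transfer": (balance(conn, 1), balance(conn, 2)),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The order of the two UPDATE statements in transfer() is chosen on purpose: the credit succeeds before the debit fails, so the only reason Bob's balance is unchanged afterwards is the rollback, which is exactly the atomicity property an auditor wants to see the system enforce rather than the application code.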
Overview of Methods and Targets of Test of Application System and Continuous Online Auditing
[Diagram: real data and test data are fed to the system; input and processing are checked by an audit module, by dump and tracing, and by validation and verification through comparison among outputs.]
Methods and Targets of Test of Application System and Continuous Online Auditing (1)
Method: Description / Comment
• Mapping: to detect code that is not tested, similar to measuring test coverage. Needs a function to measure coverage.
• Tracing and tagging: to trace a specific transaction in the real or a simulated system. Needs skill in tracing, or development of a tracing function.
• Test data/deck: inputting test data to the real system; the result is known in advance. It doesn't prove that all the code has been exercised.
• Base case system evaluation: testing by using the test cases of integration testing. Needs a lot of time and effort to conduct the test.
• Parallel operation: to compare the old system and the new system with the same data.
• Parallel simulation: to check real (live) data by using a simulation program that has the same process logic as the real system. Needs development of the simulation program.
• Extended record: to extract specific data and transactions to audit files (manually, or automatically with an audit module). When using an audit module, needs development of the program.
Methods and Targets of Test of Application System and Continuous
online Auditing (2)
Comparison among methods of Continuous online Auditing
Method: System Control Audit Review File and Embedded Audit Module (SCARF/EAM)
  Complexity: Very high
  Useful when: Regular processing cannot be interrupted.
Method: Integrated testing facility (ITF)
  Complexity: High
  Useful when: It is not beneficial to use test data.
Method: Snapshot
  Complexity: Medium
  Useful when: An audit trail is required.
Method: Continuous and Intermittent Simulation (CIS)
  Complexity: Medium
  Useful when: Transactions meeting certain criteria need to be examined.
Method: Audit hooks
  Complexity: Low
  Useful when: Only selected transactions or processes need to be examined.
Methods and Targets of Observing and testing System development
life cycle controls: Auditing ITGC (1)
Phase/Task: Project Management
  •Oversight by project committee/board
  •Risk management and problem management
  •Cost management
  •Planning process
  •Reporting process to senior management
  •Stakeholder management
  •Sign-off and authorization process
Phase/Task: Feasibility Study
  •Identify and determine the criticality of needs
  •Determine the reasonability of the chosen solution.
  •Determine the justification and benefit of all the cost
Phase/Task: Requirement Definition
  •Identify key stakeholders and verify that they have appropriate representation in the project team.
  •Verify the accuracy of the requirement document through interviews with relevant users
  •Determine whether an appropriate number of vendors can receive the requirement (some vendors can realize a system)
  •Verify that project start and cost have been approved by the proper management positions/group.
  •Review the design to ensure that control specifications have been defined.
  •Survey and design whether a system needs some embedded audit functions
Methods and Targets of Observing and testing System development
life cycle controls: Auditing ITGC (2)
Phase/Task: Software Acquisition Process (Procurement)
  •Determine the reasonability of acquiring a solution by reviewing the feasibility study
  •Review the RFP to ensure that it contains all the information necessary for an RFP
  •Ensure fairness in selecting a vendor based on the RFP
  •Review the vendor contract to ensure that it includes the items the RFP mentions.
  •Ensure the contract is reviewed by legal counsel before it is signed
Phase/Task: Detail Design and Development
  •Review whether appropriate controls of input, processing and output are designed.
  •Ensure the validity of the specification of screen design, operation and output format by interviews with main users.
  •Review whether appropriate audit functions are designed.
  •Review the quality assurance result of design activities.
  •Review whether the design activity follows the regulation appropriately, such as authorization and user review.
Phase/Task: Testing
Chapter 2.
Domain1:
IS Audit Process
Overview of Tasks for Domain 1
•1.1 Develop and implement a risk-based IS audit strategy for the organization
in compliance with IS audit standards, guidelines and best practices.
•1.2 Plan specific audits to ensure that IT and business systems are protected
and controlled.
•1.3 Conduct audits in accordance with IS audit standards, guidelines and best
practices to meet planned audit objectives.
•1.4 Communicate emerging issues, potential risks and audit results to key
stakeholders.
•1.5 Advise on the implementation of risk management and control practices
within the organization, while maintaining independence.
Overview of skill and knowledge for Domain 1
•1.1 ISACA IS Auditing Standards, Guidelines and Procedures and the Code of
Professional Ethics
•1.2 IS auditing practices and techniques
•1.3 techniques to gather information and preserve evidence (e.g., observation,
inquiry, interview, CAATTs and electronic media)
•1.4 the evidence life cycle (e.g., the collection, protection, chain of custody)
•1.5 control objectives and controls related to IS (e.g., COBIT)
•1.6 risk assessment in an audit context
•1.7 audit planning and management techniques
•1.8 reporting and communication techniques (e.g., facilitation, negotiation and
conflict resolution)
•1.9 control self-assessment (CSA)
•1.10 continuous audit techniques
IS Audit Small Quiz No.3
Quiz book
Type of Audits
Financial audits
  •The purpose is to assess the correctness of an organization's financial statements. IT auditors work under financial auditors and test the integrity and reliability of financial information.
Operational audits
  •The purpose is to evaluate the internal control structure in a specific process and area, such as application controls and the logical security system.
Integrated audits
  •Combination of financial audits and operational audits.
Administrative audits
  •The purpose is to evaluate and improve the efficiency of operational productivity within an organization.
IS audits
  •The purpose is to evaluate the internal controls for information systems. Targets are ITGC and ITAC.
Specialized audits
  •Specialized reviews that examine areas such as services performed by third parties. SAS70 (Statement on Auditing Standards No. 70), developed by AICPA (American Institute of Certified Public Accountants), is a widely known example.
Forensic audits
  •Special audits for discovering, disclosing and following up on fraud and crimes.
Overview of IS audit Process
What you will learn in this Chapter
[Figure: Audit Process, Finding]
Audit Risk
Risk in the audit itself:
Risk that is not detected during an audit process
[Figure: Check & Test Risk. Risk without control (ex. the process is complex); Control failure (ex. a human makes a mistake); Audit failure (ex. inadequate test). Layers shown: Compliance Test, Control, Audit, Substantive Test.]
Flow of Audit Process
Audit Charter
•Scope with goals and objectives
•Authority of an audit
•Responsibility and actions among stakeholders
[Figure: audit process flow ending in Follow-up Activity]
Type of Audit Plans
Long- or Mid-term Audit Plan (Audit Master Plan)
•Usually a 3 or 5 year plan
•Define scope and priority based on an audit policy
•Related to the IT system development plan and schedule
Annual Audit Plan
•Define (separate) audits in each year, including a financial audit
•Define management information to conduct the audits, such as cost, schedule and resources
(Separate) Audit Plan
•Detailed planning for each target of an audit
•Define the plan of testing method and procedure, reporting and follow-up.
Example: Summary of Audit Plan (Separate small Audit Plan for ITAC)
1 Objective: The payment system is one of the important systems for the financial statement in ABC company. To evaluate the internal control of the system.
2 Scope:
  •Validity and reliability of automated (embedded) controls in the system.
  •Validity and coverage of control functions realized by interaction between the system and human activities.
3 Audit target: ABC payment system
4 Audit item:
  •System specification documents & operation manual
  •Input form & screen design (input and search/reference)
  •Data & information stored in the system
5 Audit organization:
  •Auditor group: xxxx, xxxx
  •Auditee: Department of business management and Department of accounting
6 Audit procedure and schedule:
  •Preliminary survey for risk assessment (17-30 Oct. 2009)
    [Method] Interview and questionnaire
    [Survey item] Summary of the payment system and overview of Dept. of business management and Dept. of accounting
    [Point] Current situation and preparation of controls
  •Compliance testing (No.1) (1-15 Nov. 2009)
    [Method] Check list, interview and checking the system specification
    [Audit item] Automated (embedded) controls in the system
    [Point] Validity and reliability of the design of the controls
  •Compliance testing (No.n)
  •Substantive testing (No.1) (1-20 Jan. 2010)
    [Method] Comparison between database and printed quotation. Checking transaction log.
    [Point] Testing of the result of control functions.
General idea of Risk Assessment (Evaluation)
Basic elements of evaluating risks
•Impact, effect
•Probability, likelihood
Very Simple Risk Evaluation Table (weighting by Impact & Probability)
Probability \ Impact   Big       Medium    Small
Often                  Fatal     Serious   Serious
Sometimes              Serious   Serious   Minor
Rare                   Serious   Minor     Minor
[Figure: Perform Testing: Compliance Tests; Perform Substantive Tests; Method of Statistics; CAAT (Computer Assisted Audit Techniques); Evidence: Fact]
Review, Interview and observation for gathering Data (1)
Reviewing IS organization structures
  •Adequate separation and segregation of duties is a key control.
  •An IS auditor should be able to review organization structures and assess the level of control they provide.
Reviewing IS policies and procedures
  •An IT auditor should review whether appropriate policies and procedures are in place, determine whether personnel understand the implemented policies and procedures, and ensure that policies and procedures are being followed.
  •Periodic review of policies and procedures for appropriateness should be carried out.
Reviewing IS standards
  •An IT auditor should understand the existing standards in place in the organization.
Reviewing Information System Documentation
  •An IT auditor should understand the functions and controls of the system.
  •And review whether development activities are following the procedures.
  •And review whether sufficient documentation has been developed and its integrity kept.
Review, Interview and observation for gathering Data (2)
Preparation of interview
  •Preparation of checklist and interview form
  •Selecting appropriate interviewees
Actual function
  •To ensure, by observation, that an adequate person who is assigned and authorized to perform a particular function is actually doing the job.
Actual process and procedure
  •Performing a walk-through of the process/procedure allows an IT auditor to gain evidence of compliance and observe deviations.
Reporting relationship
  •Reporting relationships should be observed to ensure assigned responsibility and adequate segregation.
Security awareness
  •Security awareness should be observed to verify an individual's understanding and practice of good preventive and detective security measures.
Related methods
•Re-performance
•Walkthroughs
Examples of measures that should be considered to assess materiality
•Criticality of the business processes supported by the system or operation
•Criticality of the information databases supported by the system or operation
•Number and type of application developed
•Number of users who use the information systems
•Number of managers and directors who work with the information systems
classified by privileges
•Criticality of the network communications supported by the system or operation
•Cost of the system or operation (hardware, software, staff, third-party services,
overheads or a combination of these)
•Potential cost of errors (possibly in terms of lost sales, warranty claims,
irrecoverable development costs, cost of publicity required for warnings,
rectification costs, health and safety costs, unnecessarily high costs of
production, high wastage, etc.)
•Cost of loss of critical and vital information in terms of money and time to
reproduce
•Effectiveness of countermeasures
•Number of accesses/transactions/inquiries processed per period
•Nature, timing and extent of reports prepared and files maintained
•Nature and quantities of materials handled (e.g., where inventory movements are
recorded without values)
•Service level agreement requirements and cost of potential penalties
•Penalties for failure to comply with legal, regulatory and contractual requirements
•Penalties for failure to comply with public health and safety requirements
Statistics for IS Audit
If the auditor detected 2 input errors in order forms during
substantive testing, could the auditor conclude that the internal control
is almost good and working?
[Figure: a SAMPLE drawn from some of the input forms]
Sampling
The normal distribution is commonly encountered in practice, and is used throughout
statistics, natural sciences, and social sciences as a simple model for complex
phenomena. For example, the observational error in an experiment is usually assumed
to follow a normal distribution, and the propagation of uncertainty is computed using
this assumption.
[Figure: normal distribution curve and a SAMPLE]
Factor of Selecting Sample
Features of the population:
•Size
•Distribution
•(Expected) error rate
Accuracy of the sample, defined by an auditor:
•(Requested) similarity of features among population and sample = (requested) confidence coefficient
•Acceptable range = precision
[Figure: sample results judged NG or OK against the acceptable range]
Method of selection
•Statistical sampling: (see the previous slide) an objective method to determine sample size and selection criteria
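The three factors above (requested confidence coefficient, precision and expected error rate) turned into a sample size, and the quiz question from the previous slides (2 input errors found) evaluated against a tolerable error rate, as an added example that is not part of the training text. It uses the normal approximation for the sample size and a Wilson score upper bound for the evaluation; the population size, sample size and error counts are constructed values.

```python
"""Attribute sampling for an IS audit test (added example)."""
import math
from statistics import NormalDist


def z_for_confidence(confidence):
    """Two-sided z value for a confidence coefficient, e.g. 0.95 -> about 1.96."""
    return NormalDist().inv_cdf(1 - (1 - confidence) / 2)


def attribute_sample_size(confidence, precision, expected_error_rate, population=None):
    """Sample size so that the observed error rate lies within +/- precision of the
    population error rate with the requested confidence (normal approximation).
    When the population size is known, the finite population correction is applied."""
    z = z_for_confidence(confidence)
    p = expected_error_rate
    n = z * z * p * (1 - p) / (precision ** 2)
    if population is not None:
        n = n / (1 + (n - 1) / population)
    return math.ceil(n)


def evaluate_sample(sample_size, errors_found, confidence, tolerable_error_rate):
    """Upper error limit implied by the errors found in the sample.
    The Wilson score bound is used because the plain normal interval is unreliable
    for the small error counts typical of audit samples (e.g. 2 errors).
    The control is judged acceptable (OK) when the upper limit stays within the
    tolerable error rate; otherwise NG."""
    z = z_for_confidence(confidence)
    n = sample_size
    p_hat = errors_found / n
    centre = p_hat + z * z / (2 * n)
    spread = z * math.sqrt(p_hat * (1 - p_hat) / n + z * z / (4 * n * n))
    upper = (centre + spread) / (1 + z * z / n)
    return {
        "observed_rate": p_hat,
        "upper_error_limit": upper,
        "acceptable": upper <= tolerable_error_rate,
    }


if __name__ == "__main__":
    # Constructed parameters: 95% confidence, 3% precision, 5% expected error rate,
    # population of 1000 order forms.
    n = attribute_sample_size(0.95, 0.03, 0.05, population=1000)
    print("sample size:", n)
    # The quiz: 2 input errors found, here in a constructed sample of 200 forms,
    # judged against a 5% tolerable error rate.
    print("2 errors in 200:", evaluate_sample(200, 2, 0.95, 0.05))
    print("15 errors in 200:", evaluate_sample(200, 15, 0.95, 0.05))
```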
Type of Sampling (1)
Target data:
•Attribute sampling
•Variable sampling
Overview of function of GAS
[Figure: System A and System B each hold log files, transaction data, business data and master data. GAS (generalized audit software) works on them to: generate test data; extract and check log files, test data, audit data and sampling data; compare and calculate; make reports and statistical analysis.]
CAAT Considerations for installation and usage
• Ease of use, both for existing and future audit staff
• Training requirements
• Complexity of coding and maintenance
• Flexibility of uses
• Installation requirements
• Processing efficiencies
• Effort required to bring source data into the CAAT
• Documentation well referenced to the audit program
• Clearly identified audit procedures and objectives
• Request for read-only access to production data
• Data manipulation should be done on copies of production files in a controlled
environment
• Reliability of software
• Confidentiality of the data being processed
Type of Evidence
Two primary types
• Direct evidence
Existence of a fact without inference or presumption.
• Indirect evidence
Hypothesis without direct evidence to make a claim.
Examples of evidence
• Business evidence, including business records of transactions, receipts,
invoices, and logs
• Data extraction which mines details from data files by CAAT
• Auditee claims in oral or written form
• Analysis of plans, policies, procedures and workflows
• Results of compliance and substantive tests
• Auditor's observation
Content of Reporting
Introduction
  •Audit objectives
  •Limitation of the audit and its scope
  •Period of audit coverage
  •General statement on the nature and extent of the audit process
Overall conclusion and opinion
  •Adequacy of the controls and/or procedures examined
  •The actual and potential risks identified
Detailed and important audit findings and recommendations
  •Whether the controls and procedures examined are adequate or inadequate.
  •Specific findings based on the viewpoints of both the audit committee and the organization
  •Recommendations for adding and/or modifying controls, procedures and organization.
A variety of findings
  •All the findings and recommendations. Some are important, others are trivial.
Example Report: summary of RCM (Risk and Control Matrix)
Columns: No, Type, Risk, Control and Procedure, Audit Procedure, Result & comment
1 Type: Covering all payment transactions
  Risk: Missing invoice by EDI
  Control and Procedure: Sending e-mail when EDI, and function to make the list of e-mail
  Audit Procedure: Program specification; Procedure; Log files; Working record
  Result & comment: Good. Reviewing the list is not defined in the procedure.
2 Type: Covering all payment transactions
  Risk: Error transaction
  Control and Procedure: Function of error transaction
  Audit Procedure: Program specification; Error transaction log; Invoices
  Result & comment: Excellent. Works well.
3 Type: Covering all payment transactions
  Risk: Error transaction
  Control and Procedure: Regulation of correcting error transactions
  Audit Procedure: Procedure; Working record for correcting errors
  Result & comment: Good. Needs a more detailed correction method.
4 Type: Correctness of payment date
  Risk: Input error
  Control and Procedure: Appropriate editing (checking function)
  Audit Procedure: Program specification; Record of error input; Observation of input activities
  Result & comment: Good. Some fields need more checking functions.
5 Type: Correctness of payment date
  Risk: Input error
  Control and Procedure: Appropriate input form (printed)
  Audit Procedure: Checking input form; Record of error input; Observation of input activities
  Result & comment: Fair. Customers sometimes make mistakes.
6 Type: Correctness of payment date
  Risk: Input error
  Control and Procedure: Cross checking against the order transaction
  Audit Procedure: Procedure; Program specification
  Result & comment: None (Very poor)
Presenting and Communicating Audit Results
Continuous Audit Approach
• To improve audit efficiency by making greater use of automated tools
• Collect evidence on system reliability while normal processing takes place
• Monitor operations on continuous basis
• Gather selective audit evidence; if not serious, action later
• Cut down needless paperwork
• May report directly through computer on findings
• Especially useful when no paper audit trail
• No disruption to daily operations
• Time lag between misuse and detection is reduced
• Enhance confidence in system’s reliability
Control Self-Assessment (CSA)
• Management and/or work teams are directly involved in checking the
effectiveness of existing controls
• The IS auditor acts as control expert and assessment facilitator
• Simple questionnaires; facilitated workshops
• Objectives:
– Enhance audit responsibilities
– Educate line management in control responsibility and monitoring
– Concentrate on areas of high risk
Chapter 3.
Domain4:
IT Service Delivery and Support
Overview of Tasks for Domain 4
•4.1 Evaluate service-level management practices to ensure that the level of
service from internal and external service providers is defined and managed.
•4.2 Evaluate operations management to ensure that IT support functions
effectively meet business needs.
•4.3 Evaluate data administration practices to ensure the integrity and
optimization of databases.
•4.4 Evaluate the use of capacity and performance monitoring tools and
techniques to ensure that IT services meet the organization’s objectives.
•4.5 Evaluate change, configuration and release management practices to
ensure that changes made to the organization’s production environment are
adequately controlled and documented.
•4.6 Evaluate problem and incident management practices to ensure that
incidents, problems and errors are recorded, analyzed and resolved in a timely
manner.
•4.7 Evaluate the functionality of the IT infrastructure (e.g., network components,
hardware and system software) to ensure that it supports the organization’s
objectives.
Overview of skill and knowledge for Domain 4
•4.1 Knowledge of service-level management practices
•4.2 Knowledge of operations management best practices (e.g., workload scheduling,
network services management and preventive maintenance)
•4.3 Knowledge of system performance monitoring processes, tools and techniques (e.g.,
network analyzers, system utilization reports and load balancing)
•4.4 Knowledge of the functionality of hardware and network components (e.g., routers,
switches, firewalls and peripherals)
•4.5 Knowledge of database administration practices
•4.6 Knowledge of the functionality of system software including operating systems, utilities
and database management systems
•4.7 Knowledge of capacity planning and monitoring techniques
•4.8 Knowledge of processes for managing scheduled and emergency changes to the
production systems and/or infrastructure including change, configuration, release and patch
management practices
•4.9 Knowledge of incident/problem management practices (e.g., help desk, escalation
procedures and tracking)
•4.10 Knowledge of software licensing and inventory practices
•4.11 Knowledge of system resiliency tools and techniques (e.g., fault tolerant hardware,
elimination of single point of failure and clustering)
IS Audit Small Quiz No.4
Quiz book
Process of ITIL (1)
Service Strategy:
•Financial Management
•Service Portfolio Management
•Demand Management
Service Design:
•Service Catalog Management
•Service Level Management
•Capacity Management
•Availability Management
•Service Continuity Management
•Information Security Management
•Supplier Management
Service Transition:
•Transition planning and support
•Change Management
•Service Asset and Configuration Management
•Release and configuration Management
•Service validation and testing
•Evaluation
•Knowledge Management
Process of ITIL (2)
Service Level Agreement
A service level agreement (frequently abbreviated as SLA) is a part of a service contract
where the level of service is formally defined. In practice, the term SLA is sometimes
used to refer to the contracted delivery time (of the service) or performance. As an
example, internet service providers will commonly include service level agreements
within the terms of their contracts with customers to define the level(s) of service being
sold in plain language terms (typically the (SLA) will in this case have a technical
definition in terms of MTTF, MTTR, various data rates, etc.)
FTE: Full Time Equivalent , QA: Quality Assurance, SLA: Service Level Agreement
Management and Tools for IT operation
Process                    Network Monitoring tools   Service Desk (ITIL) Management support tools   Other tools
Incident Management        X (Detect)                 X (Manage)
Problem Management         X (Detect)                 X (Manage)
Service Management                                    X (Measure)                                    Excel
Capability Management      X (Measure)                                                               Excel
Configuration Management   X (Monitor)                X (Manage)
Change Management                                     X (Manage)
Finance Management                                                                                   Excel
Skill Management                                                                                     Excel or Access
Knowledge Management                                  X (Manage)                                     Word, Excel
Evaluation and Report      X (Data)                   X (Data/Report)                                Word, Excel
Sample: System for IT support (Medium and Small Class)
[Figure: Center NOC with Traffic/QoS Monitoring System, Configuration Management System and Trouble detecting System; Remote NOC and Local Service Desk; Central Service Desk (trouble shooting) with Service Catalog/Service Level Management system, Incident Management system, SC/SL DB, History of Event & Incident, Needs and Request, Capacity, Development of ICT staff, Service Desk Management System and Knowledge Management System.]
Tools for IT operation
• Service Desk Plus
http://www.manageengine.com/products/service-desk/index.html
Workflow of Change Management for approval
Why is change management important?
More than 50% of incidents, and more than 90% of the incidents that affect the business,
are caused by changes.
[Figure: swim lanes for User, Change Manager, CAB (Change Advisory Board), Configuration Manager and Programmer/Operator. Flow: Request For Change (RFC) from the user; review and input of the RFC, reject or set initial priority and update the RFC; by type (urgent, serious, trivial) either the urgent changing procedure, or impact assessment and discussion with priority and schedule by the CAB; approval and plan (no/yes), update of the RFC, change procedure, report of the change and final update of the RFC.]
Viewpoint of IS audit (Operation: Change Management)
Overview of Incident/Problem management and service desk
[Figure: a failure or trouble appears or occurs, or a risk factor or symptoms are detected, by the user and/or the monitoring system; a request goes to the Service Desk (1st level staff), with escalation to 2nd level staff.]
Incident Management:
to restore normal service operation as quickly as possible and to minimize the impact on
business operations.
Problem Management:
to get rid of the factor of risk or failure, or to resolve the factor that made or will make a
failure.
Viewpoint of IS audit (Incident & Problem management)
Overview of Capacity Management
Reactive activities:
•Monitoring and measuring
•Responding and reacting to capacity related events (incidents)
Proactive activities:
•Predicting future requirement and trends
•Budgeting, planning and implementing upgrade.
•Seeking ways to improve service performance.
•Optimizing the performance of a service
Viewpoint of IS audit (Hardware)
Category: Planning & Acquisition
  Target: Planning
    •Is the plan aligned with business requirements?
    •Is the plan synchronized with IS plans?
    •Have criteria for acquisition of hardware been developed, and are they appropriate?
    •Does new hardware suit the current IT environment?
  Target: Acquisition
    •Is the acquisition in line with the hardware acquisition plan?
    •Are procurements and procurement documents based on appropriate procedures and regulations?
    •Are procurement processes approved by appropriate management?
Category: Operation & Incident management
  Target: Operation & Maintenance
    •Is scheduling adequate to meet workload schedules and user requirements?
    •Is scheduling flexible enough to accommodate required hardware and preventive maintenance?
    •Is maintenance done during off-peak workload periods?
    •Is the maintenance the vendors recommend done appropriately?
  Target: Monitoring & Incident / Problem management
    •Have IS management staff reviewed malfunctions, abnormal system terminations and operator actions?
    •Is continuous review performed of hardware and system software performance and capacity?
    •Is monitoring adequate in the case of equipment failure?
    •Is monitoring based on logs, maintenance history and adequate information?
Overview of Middleware
Middleware is computer software that connects software components or some people
and their applications. It usually connects OS and application software.
Message-oriented Middleware
•Message-oriented middleware is middleware where transactions or event notifications
are delivered between disparate systems or components by way of messages, often
via an enterprise messaging system.
Application servers
•software installed on a computer to facilitate the serving (running) of other
applications.
Basic Key words of Network
•LAN/WAN
•DNS, DHCP, Web server, FTP and mail server
•IPv4, IPv6, Port Number, Global IP Address
•ISO architecture, NIC
•TCP/IP, UDP
•HTTP, ARP, SNMP
•NAT, RADIUS
•SSL, Applet, CGI, .Net, PHP, Java, Cookie
•Wireless IEEE802.11abg, WiMAX IEEE 802.16, Ubiquitous computing
•WPA (Wi-Fi Protected Access), WAP (Wireless Application Protocol)
•LDAP, H.32x, VOD, Streaming
•QoS
•VPN, SSH, DMZ, Proxy, Firewall, Security hole
•Intrusion Detection System (IDS), Intrusion Prevention System (IPS)
•URL, Search Engine, SEO
•Router, Switch, Hub, Modem, ATM, FR
•Optical fiber, ADSL, FDDI, Ethernet
•SNS, Blog
•ISP
•Cloud computing, SaaS
Tools for Network Monitoring
Type: Snapshot (operated manually)
  Category: Commands for network management
    Purpose: Detecting trouble
    Example (recommendation): ping, tracert, netstat
  Category: Network analyzer
    Purpose: Detecting trouble / measuring traffic (packets)
    Example (recommendation): Sniffer, Wireshark, ASTEC Eyes
Type: Daily tool (operated automatically)
  Category: Traffic monitor
    Purpose: Measuring traffic
    Example (recommendation): MRTG
  Category: SNMP manager
    Purpose: Configuration management / detecting trouble
    Example (recommendation): NET-SNMP
  Category: Server monitoring
    Purpose: Detecting trouble
    Example (recommendation): Nagios
Viewpoint of IS audit (Network Infrastructure & implementation)
DB Normalization
First Normal Form (1NF)
• Eliminate duplicative columns from the same table.
• Create separate tables for each group of related data and identify each row with a
unique column or set of columns (the primary key).
Second Normal Form (2NF)
• Remove subsets of data that apply to multiple rows of a table and place them in
separate tables.
• Create relationships between these new tables and their predecessors through the
use of foreign keys.
Third Normal Form (3NF)
• Remove columns that are not dependent upon the primary key.
[Figure: example order form with Date 10th Oct. 2010, Customer name UP company, Customer No. 4650]
Viewpoint of IS audit (Data Base)
Category: Design
  Target: Logical schema
    •Do all entities in the entity diagram exist?
    •Are all relations represented through foreign keys?
    •Are constraints specified clearly?
  Target: Physical schema
    •Has allocation of initial and extension space been done according to the requirements?
    •Are indexes present?
    •If the DB is not normalized, is the justification accepted?
    •Is data redundancy minimized by the DBMS?
Category: Design and Operation
  Target: Reliability and integrity
    •Are there adequate change procedures to ensure the integrity of the DB management software?
    •Is the integrity of the DBMS's data dictionary maintained?
    •Are the integrity and confidentiality of data unaffected by data import and export procedures?
  Target: Operation
    •Do backup and disaster recovery procedures exist?
Category: Operation and Security
  Target: Security
    •Are the security levels of users and their roles appropriate and secure?
    •Is access to shared data appropriate?
Tasks of operation staff
•Executing and monitoring scheduled job
•Facilitating timely backup
•Monitoring unauthorized access and use of sensitive data
•Monitoring and reviewing the extent of adherence to IT operation
procedures as established by IS and business management
•Participating in test of disaster recovery plans
•Monitoring the performance, capacity, availability and failure of
information resources
•Facilitating troubleshooting and incident handling.
Viewpoint of IS audit (Operation)
Category: Regulation and Control
  Target: Regulation and Control
    •Are documented instructions adequate for peripherals, start and shutdown, trouble-shooting and records to be retained?
    •Have controls been put in place to ensure the accuracy and efficiency of operation?
    •Is there an appropriate supervisor or supervisory function?
    •Are controls for input appropriate and sufficient?
Category: Environment
  Target: Environment
    •Are offline library facilities located away from the computer room?
    •Do all the storage media have appropriate labels?
Category: Operation
  Target: Operation
    •Have procedures been established to control the storage media?
    •Are these procedures being followed?
    •Are the automated operation software and the manual contingency procedures documented and tested?
    •Are all errors of the automated software notified to the operator?
  Target: Security
    •Is access to files and the documentation library restricted to operators?
    •Is access to correcting programs and data restricted?
    •Are responsibilities for operation of the computer and other devices limited?
Chapter 4.
Domain6:
Business Continuity and Disaster
Recovery
Overview of Tasks for Domain 6
•6.1 Evaluate the adequacy of backup and restore provisions to ensure the
availability of information required to resume processing.
•6.2 Evaluate the organization’s disaster recovery plan to ensure that it enables
the recovery of IT processing capabilities in the event of a disaster.
•6.3 Evaluate the organization’s business continuity plan to ensure its ability to
continue essential business operations during the period of an IT disruption.
Overview of skill and knowledge for Domain 6
•6.1 Knowledge of data backup, storage, maintenance, retention and restoration
processes and practices
•6.2 Knowledge of regulatory, legal, contractual and insurance issues related to
business continuity and disaster recovery
•6.3 Knowledge of business impact analysis (BIA)
•6.4 Knowledge of the development and maintenance of the business continuity
and disaster recovery plans
•6.5 Knowledge of business continuity and disaster recovery testing approaches
and methods
•6.6 Knowledge of human resources management practices as related to
business continuity and disaster recovery (e.g., evacuation planning and
response teams)
•6.7 Knowledge of processes used to invoke the business continuity and disaster
recovery plans
•6.8 Knowledge of types of alternate processing sites and methods used to
monitor the contractual agreements (e.g., hot sites, warm sites and cold sites)
IS Audit Small Quiz No.5
Quiz book
Overview of Disaster Recovery Plan (DRP)
[Figure: a primary site and a backup site connected by network; data is backed up to the backup site and, after a disaster, restored from it.]
Type of Disaster and Threats
Overview of BCP: Business Continuity Plan
BCP: Business Continuity Plan
An ongoing process supported by senior management and funded to
ensure that the necessary steps are taken to identify the impact of
potential losses, maintain viable recovery strategies and recovery plans,
and ensure continuity of services through personnel training, plan
testing, and maintenance.
Flow of BCP / DRP
Planning
Flow of BCP / DRP: Planning
•Define BCP vs. DRP for clear understanding by all.
•Identify Project Sponsors and Leadership.
Defining objectives, policies, critical success factors, scope.
Identifying legal and regulatory requirements.
•Define standard terms and assumptions.
•Develop a Project Plan and Budget.
Hard costs and soft costs such as equipment, personnel
resources, facilities, etc.
170
U
Flow of BCP / DRP: Risk Assessment & Business Impact Analysis
•The process of identifying the risks to an organization, assessing the critical
functions necessary for the organization to continue business operations,
defining the controls in place to reduce the organization's exposure and
evaluating the cost of such controls.
•Identify the following:
– Risk – Exposure to loss, injury or danger; potential for loss (qualitative or
quantitative).
– Threats – Events that can cause a risk to become an actual loss (natural
or man-made).
– Vulnerabilities – Exposure to an event that can cause actual loss.
Quantitative Risk:
– Assigns a value to the risk.
– Identifies the cost of a particular effect, incident or phenomenon.
– Can be stated as an ALE (Annualized Loss Exposure or Expectancy).
Qualitative Risk:
– Intangible effects caused by a particular incident.
– Descriptive – Usually relates a cause with an effect.
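The quantitative side of this assessment, worked through in code as an added illustration (this is not part of the training text): ALE = SLE x ARO, with SLE = asset value x exposure factor, followed by the cost-benefit test for a candidate control, which is the "evaluating the cost for such controls" step above. The threats, asset values, exposure factors, occurrence rates and control effects are constructed sample figures, not data from the course.

```python
"""Quantitative risk: ALE per threat and cost-benefit of candidate controls.

Added worked example, not from the training text. Asset values, exposure
factors, occurrence rates, control costs and control effects are constructed
sample figures.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # value of the exposed asset (currency units)
    exposure_factor: float  # fraction of asset value lost per incident, 0.0..1.0
    aro: float              # annualized rate of occurrence (incidents per year)

    @property
    def sle(self) -> float:
        """Single loss expectancy: loss from one incident."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float      # yearly cost of running the control
    aro_reduction: float    # fraction by which the control lowers the ARO, 0.0..1.0
    ef_reduction: float     # fraction by which it lowers the exposure factor, 0.0..1.0


def residual_ale(threat: Threat, control: Control) -> float:
    """ALE that remains once the control is in place."""
    ef = threat.exposure_factor * (1.0 - control.ef_reduction)
    aro = threat.aro * (1.0 - control.aro_reduction)
    return threat.asset_value * ef * aro


def control_net_benefit(threat: Threat, control: Control) -> float:
    """Yearly loss avoided minus the control's yearly cost.

    Positive: the control is cost-justified for this threat.
    Negative: it costs more per year than the loss it prevents.
    """
    return threat.ale - residual_ale(threat, control) - control.annual_cost


# Constructed sample data: two threats, each with candidate controls.
THREATS = {
    "fire": Threat("Data centre fire", asset_value=2_000_000, exposure_factor=0.5, aro=0.05),
    "disk": Threat("Disk failure with data loss", asset_value=100_000, exposure_factor=1.0, aro=2.0),
}
CANDIDATES = {
    "fire": [
        Control("Fire suppression system", annual_cost=20_000, aro_reduction=0.0, ef_reduction=0.6),
        Control("Relocate to a new building", annual_cost=80_000, aro_reduction=0.5, ef_reduction=0.0),
    ],
    "disk": [
        Control("Daily offsite backup", annual_cost=15_000, aro_reduction=0.0, ef_reduction=0.9),
    ],
}


def rank_controls(threat_key: str) -> list:
    """(control name, net benefit) for a threat's candidates, best first."""
    threat = THREATS[threat_key]
    ranked = [(c.name, control_net_benefit(threat, c)) for c in CANDIDATES[threat_key]]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for key, threat in THREATS.items():
        print(f"{threat.name}: SLE={threat.sle:,.0f}  ALE={threat.ale:,.0f}")
        for name, benefit in rank_controls(key):
            verdict = "justified" if benefit > 0 else "not justified"
            print(f"  {name}: net benefit {benefit:,.0f}/year ({verdict})")
```

With these figures the fire threat carries an ALE of 50,000 per year; suppression removes 30,000 of it for 20,000, so it is justified, while relocation removes 25,000 for 80,000 and is not. The same comparison is what an auditor expects to see documented behind each control selected in the BIA.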
Types of Risk to be considered
Compliance: Contractual, Regulatory
Financial: Lost/Deferred Revenue, Opportunity
Operational: People, Production
Strategic: Market Share, Partnerships
Technical: Cyber crime, E-Business
RTO and RPO
RTO: the duration of time and a service level within which a business process
must be restored after a disaster (or disruption) in order to avoid
unacceptable consequences associated with a break in business continuity.
RPO: the point in time to which you must recover data, as defined by your
organization. This is generally a definition of what an organization determines
is an "acceptable loss" in a disaster situation.
[Figure: timeline with the RPO before the disaster and the RTO after it; tape backup, disk backup and real-time transaction backup are marked as backup options]
Current controls
•Physical Controls
– Fire suppression / sprinkler systems
– Access control systems
– Security guards
•Procedural Controls
– Hiring and termination policies
– Clean desk policy
– Document receipting
•Logical Controls
– Data storage protection
– Protection afforded to assets by location in relation to threat
Evaluate the effectiveness:
•Deter the threat
•Lessen the loss
•Ability to deter or reduce risks
Improve the effectiveness of controls:
•Implementing layers of protection where possible
•Training
•Documentation
•Enforcement
Insurance for business including DRP
Insurance covers the following:
•IS equipment and facilities
•Media (software) reconstruction
•Extra expense: based on the availability and cost of the backup facility and
operation.
•Business interruption
•Errors and omissions: for legal liability protection against financial loss to clients.
•Fidelity coverage: covering loss from dishonest or fraudulent acts by
employees.
•Media transportation
Flow of BCP / DRP: Developing Plan Strategies & Developing The Plan
Determine and guide the selection of alternative business recovery
operating strategies for recovery of business and information technologies
within the recovery time objectives, while maintaining the organization’s
critical functions.
Identify Requirements for DRP and BCP Strategies
•Review business recovery issues from the BIA
•Review technology recovery issues for each support area
•Review non-technology issues for each support area
Identify Off-Site storage requirements and Alternative facilities
Identify Viable Recovery strategies within business functional areas:
•Service Degradation
•Internal Recovery (Reciprocal Agreement)
•Commercial Recovery Center such as Hot site and Warm site.
Consolidating Strategies across the Enterprise
•Coordination of Technology Recovery
•Enterprise Level Crisis Management
•Enterprise Level Media Handling
•Centralized strategy for interfacing with local
Backup schemes
Full + incremental
•A full + incremental repository aims to make it more feasible to store several copies of the
source data. At first, a full backup (of all files) is made. After that, any number of
incremental backups can be made. There are many different types of incremental backups,
but they all attempt to only back up a small amount of data (when compared to the size of a
full backup). An incremental backup copies everything that changed after the last backup
(full, differential or incremental).
Differential backup
•A differential backup copies files that have been created or changed since the last full
backup. It does not mark files as having been backed up (in other words, the archive
attribute is not cleared). If you are performing a combination of full and differential backups,
restoring files and folders requires that you have the last full as well as the last differential
backup.
Day of modification (F = full, I = incremental, D = differential):
         Full + incremental               Differential
         Day1 Day2 Day3 Day4 Day5         Day1 Day2 Day3 Day4 Day5
File1    F    I    I                      F    D    D    D    D
File2    F              I                 F              D    D
File3    F         I                      F         D    D    D
File4    F                   I            F                   D
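The two schemes simulated end to end, as an added example that is not part of the training text: which files each daily run copies, how many copies each scheme accumulates, which runs a restore needs, and what happens when one incremental run is missing. Day 1 is the full backup; the per-file modification days are constructed sample data modelled on the table above.

```python
"""Full + incremental versus differential backups: what each run copies and
which runs a restore needs.

Added illustration (not from the training text). Day 1 is the full backup;
the modification days per file are constructed sample data modelled on the
slide's table.
"""
FULL, INCREMENTAL, DIFFERENTIAL = "F", "I", "D"

# Constructed sample data: the day(s) on which each file was modified.
MODIFIED = {
    "File1": {2, 3},
    "File2": {4},
    "File3": {3},
    "File4": {5},
}
DAYS = 5


def version_on(name: str, day: int, modified=MODIFIED) -> int:
    """Day of the latest modification of `name` up to and including `day` (1 = original)."""
    return max([1] + [d for d in modified[name] if d <= day])


def plan_backups(scheme: str, days: int = DAYS, modified=MODIFIED) -> dict:
    """Return {day: {file: (marker, version_day)}} listing only the files each run copies."""
    files = sorted(modified)
    plan = {1: {f: (FULL, 1) for f in files}}          # day 1: full backup of everything
    for day in range(2, days + 1):
        if scheme == "incremental":
            # everything changed since the previous backup run (i.e. today)
            copied = [f for f in files if day in modified[f]]
            marker = INCREMENTAL
        elif scheme == "differential":
            # everything changed since the last FULL backup, so the set grows each day
            copied = [f for f in files if any(1 < d <= day for d in modified[f])]
            marker = DIFFERENTIAL
        else:
            raise ValueError(f"unknown scheme {scheme!r}")
        plan[day] = {f: (marker, version_on(f, day, modified)) for f in copied}
    return plan


def runs_needed(scheme: str, day: int) -> list:
    """Backup runs required to restore the state as of `day`."""
    if day == 1:
        return [1]
    if scheme == "differential":
        return [1, day]                 # last full + last differential
    return list(range(1, day + 1))      # last full + every incremental since


def restore(plan: dict, runs: list) -> dict:
    """Apply the given runs in order; returns {file: version_day} of the result."""
    state = {}
    for day in sorted(runs):
        for f, (_marker, version) in plan[day].items():
            state[f] = version
    return state


def expected_state(day: int, modified=MODIFIED) -> dict:
    """What the live system looked like at the end of `day`."""
    return {f: version_on(f, day, modified) for f in sorted(modified)}


def files_copied(plan: dict) -> int:
    """Total file copies across all runs: the storage and backup-window cost of a scheme."""
    return sum(len(run) for run in plan.values())


if __name__ == "__main__":
    for scheme in ("incremental", "differential"):
        plan = plan_backups(scheme)
        print(scheme, "copies", files_copied(plan), "files over", DAYS, "days")
        print("  restore of day 5 needs runs", runs_needed(scheme, 5))
    inc = plan_backups("incremental")
    # Losing one incremental run silently leaves the files it held at an older version.
    print("incremental restore with day-4 run missing:", restore(inc, [1, 2, 3, 5]))
```

For the sample data the incremental scheme makes 9 file copies over the five days against 14 for the differential scheme, but a day-5 restore needs all five incremental runs and only two differential ones. The last line shows the failure mode an auditor tests for under "verifying the treatment of backup media": with the day-4 incremental run missing, the restore completes without error but File2 comes back at its day-1 version.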
Network Disaster Recovery Methods
Methods for Redundancy
•Secondary LAN cable
•Providing multiple paths between routers
•Dynamic routing protocol such as OSPF
•Providing failover devices to avoid a single point of failure
•Alternative routing including dial-up, cellular phone and microwave
•Diverse routing
•Long-haul network diversity
•Voice recovery
Flow of BCP / DRP: Developing Plan Strategies & Developing The Plan
Detail Plan (1/2)
Plan Scope and Objective
•Definition of Standard Terms
•Selecting the appropriate Methodology
•Scope of Project itself
Business Recovery Organization (BRO) and responsibilities
•BCP Planning Coordinator
•Disaster Recovery Teams
•Business Continuity Management Teams
Major Plan Components
•Reduction
•Response
•Recovery and Resumption
Escalation, notification and plan activation
•Disaster Declaration Procedures
•Mobilization procedures
•Damage assessment concepts
•Recovery Site Activation
Vital records and off-site storage program
•What goes off-site
•Inventory of what is off site
•How do you get it back
Flow of BCP / DRP: Developing Plan Strategies & Developing The Plan
Detail Plan (2/2)
Salvage and Reclamation Procedures
•Document extent of damage, items destroyed, items recoverable.
•Arrange for removal of recoverable items
Restoration Planning
•Preparations of new facility.
•Preparations for moving into new facility.
•Plans for cutting over from temporary site to new facility.
Provisions for testing and maintenance of the plan
•Procedures for periodic and routine update of plan.
•Procedures for periodic and routine testing of plan or plan components.
Flow of of BCP / DRP: Plan Testing & Maintenance
A program to periodically and methodically test all major components of
the plan to ensure that they are functioning as designed.
•Allow for periodic testing of major plan components at least semi-annually.
•Identify scope, goals and objectives for each individual test.
•Provide for an independent auditing of test performance.
•Provide for a post-mortem / report of test results which are communicated
to appropriate management levels.
•Provide a feedback mechanism into the plan maintenance process.
•Provide for the allocation of adequate resources.
Flow of of BCP / DRP: Awareness & Training
Overview of viewpoint of IS audit for DRP/BCP
[Figure: audit viewpoints along the recovery sequence: Disaster, Offsite Storage, Movement, Emergency Team, Recovering]
Offsite Storage
Operating Procedure: Application run books, job stream control instructions, operating system manuals.
System and program documentation: Design documents, program code listings, error conditions and user manuals.
Special Procedure: Any procedures or instructions that are out of the ordinary.
Input source documents: Duplicate copies of reports and summaries required for output auditing, performance of vital work, satisfaction of legal document requirements or expediting insurance claims.
BCP: A copy of the latest version.
Viewpoint of IS audit (Overview of DRP and BRP)
Plan
•Reviewing the business continuity strategy and its connection to business objectives
•Reviewing the BIA (Business Impact Assessment) to ensure that it reflects current
business priorities and current controls.
•Ensuring that plan maintenance processes are in place and that the plan is reviewed and
modified in appropriate time
•Verifying whether the BCP supports the overall business continuity strategy
•Evaluating the BCP to determine its adequacy and currency based on the BIA,
including RTO and RPO.
•Reviewing the identification, priorities and planned support of critical
applications. Determining whether all critical applications have been identified
•Determining whether the secondary site has the correct versions of all system
software.
Method & means
•Evaluating offsite storage
•Verifying the treatment of backup media, including transportation
•Evaluating whether the business continuity manual and procedures are written
simply and are easy to understand.
Testing
•Verifying that the BCP is effective by reviewing the results of tests
Organization
•Evaluating the ability of personnel to respond effectively in an emergency situation
by reviewing emergency procedures, records of training and results of testing
•Reviewing the list of business continuity personnel, emergency sites and
vendors, and checking addresses and phone numbers by sampling
•Interviewing assigned personnel about their understanding of their responsibilities
in case of an interruption.
Viewpoint of IS audit (Detail of DRP and BRP)
Procedure & method
•Identifying whether the transactions to be re-entered are appropriate.
•Determining whether all recovery/continuity procedures are documented and teams
have them.
•Determining whether the plan adequately addresses movement to the
recovery site and recovering from the recovery site.
•Determining whether items necessary for the reconstruction of the
information processing facility are stored offsite.
•Does the plan include procedures for merging master data into pre-disaster data?
Physical preparation
•Where is the backup facility site?
•Are regular and systematic backups being taken?
•Is the telecommunication backup working well?
Chapter 5.
Domain 5
Protection of Information Assets
Overview of Tasks for Domain 5
•5.1 Evaluate the design, implementation and monitoring of logical access controls to
ensure the confidentiality, integrity, availability and authorized use of information assets.
•5.2 Evaluate network infrastructure security to ensure confidentiality, integrity, availability
and authorized use of the network and the information transmitted.
•5.3 Evaluate the design, implementation and monitoring of environmental controls to
prevent or minimize loss.
•5.4 Evaluate the design, implementation and monitoring of physical access controls to
ensure that information assets are adequately safeguarded.
•5.5 Evaluate the processes and procedures used to store, retrieve, transport and dispose
of confidential information assets.
Overview of skill and knowledge for Domain 5 (1)
•5.1 Knowledge of the techniques for the design, implementation and monitoring of security
(e.g., threat and risk assessment, sensitivity analysis and privacy impact assessment)
•5.2 Knowledge of logical access controls for the identification, authentication and restriction
of users to authorized functions and data (e.g., dynamic passwords, challenge/response,
menus and profiles)
•5.3 Knowledge of logical access security architectures (e.g., single sign-on, user
identification strategies and identity management)
•5.4 Knowledge of attack methods and techniques (e.g., hacking, spoofing, Trojan horses,
denial of service and spamming)
•5.5 Knowledge of processes related to monitoring and responding to security incidents
(e.g., escalation procedures and emergency incident response teams)
•5.6 Knowledge of network and Internet security devices, protocols and techniques (e.g.,
SSL, SET, VPN and NAT)
•5.7 Knowledge of intrusion detection systems and firewall configuration, implementation,
operation and maintenance
•5.8 Knowledge of encryption algorithm techniques (e.g., AES, RSA)
•5.9 Knowledge of public key infrastructure (PKI) components (e.g., certification authorities
and registration authorities) and digital signature techniques
Overview of skill and knowledge for Domain 5 (2)
•5.10 Knowledge of virus detection tools and control techniques
•5.11 Knowledge of security testing and assessment tools (e.g., penetration testing and
vulnerability scanning)
•5.12 Knowledge of environmental protection practices and devices (e.g., fire suppression,
cooling systems and water sensors)
•5.13 Knowledge of physical security systems and practices (e.g., biometrics, access cards,
cipher locks and tokens)
•5.14 Knowledge of data classification schemes (e.g., public, confidential, private and
sensitive data)
•5.15 Knowledge of voice communications security (e.g., voiceover IP)
•5.16 Knowledge of the processes and procedures used to store, retrieve, transport and
dispose of confidential information assets
•5.17 Knowledge of controls and risks associated with the use of portable and wireless
devices (e.g., PDAs, USB devices and Bluetooth devices)
IS Audit Small Quiz No.6
Quiz book
Overview of threats to Information Assets
[Figure: an e-commerce system (company, operator, e-commerce DB, customer) and the threats against it: virus, spoofing, eavesdropping, scavenging, intrusion and cracking by a criminal]
3+3 atomic elements of Information Security
Concept of Protection of Information Assets (Attackers)
[Figure: owners value their assets and wish to minimize risk; countermeasures are imposed to reduce risks; attackers exploit weaknesses, leading to risks]
Computer Security Institute/FBI and Ernst & Young say nearly 50% of all network
attacks come from the inside.
Security control concept (1)
Access Control
•Ability to permit or deny the use of resources by a particular entity
•The ability to grant system or resource access only to authorized users,
programs or processes
Authentication
•Who goes there?
•Restrictions on who (or what) can access the system
•Verifying the identity of a user, process, or device, often as a
prerequisite to allowing access to resources
Authorization
•Are you allowed to do that?
•Restrictions on the actions of authenticated users
•The right or permission that is granted to a system entity to access a
system resource
Security control concept (2)
Need-to-know
•Having access to the information that is required to carry out work
•Ensuring that access to nuclear sensitive assets is limited to only those
who have the necessary ‘need to know’ and the appropriate security
clearance
Defense-in-depth
•Places multiple barriers between an attacker and your assets
•The deeper an attacker tries to go, the more layers they need to get
through undetected
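The three checks from the two slides above, kept separate in code, as an added example that is not part of the training text: authentication answers "who goes there?", authorization answers "are you allowed to do that?" from the user's roles, and need-to-know is a third, independent check on the data compartment. Every decision is appended to an audit log, which is what an auditor reviews. The users, passwords, roles and compartments are constructed sample data; PBKDF2 via the standard library is assumed as the password hashing method.

```python
"""Authentication, authorization and need-to-know as separate checks.

Added illustration (not from the training text). The user records, roles,
compartments and passwords are constructed sample data; password hashes are
derived from them at import time with PBKDF2, so no secret is stored in clear.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    roles: frozenset         # what the user may DO (authorization)
    compartments: frozenset  # what the user may SEE (need-to-know)


def _make_user(name, password, roles, compartments):
    salt = os.urandom(16)
    return User(name, salt, hash_password(password, salt), frozenset(roles), frozenset(compartments))


# Constructed sample directory: two users with different roles and compartments.
USERS = {
    "alice": _make_user("alice", "correct horse battery", {"analyst"}, {"payroll"}),
    "bob": _make_user("bob", "hunter2hunter2", {"analyst", "admin"}, {"payroll", "hr"}),
}

# Role -> permitted actions. Nothing is permitted unless listed (default deny).
ROLE_PERMISSIONS = {
    "analyst": {"read"},
    "admin": {"read", "write"},
}

AUDIT_LOG = []  # one entry per decision: the raw material for detection and audit review


def authenticate(name: str, password: str):
    """Who is this? Returns the User on success, None otherwise (no hint which part failed)."""
    user = USERS.get(name)
    if user is None:
        # Still do the expensive hash so timing does not reveal whether the name exists.
        hash_password(password, b"\x00" * 16)
        AUDIT_LOG.append(("authn", name, "unknown user"))
        return None
    ok = hmac.compare_digest(hash_password(password, user.salt), user.pw_hash)
    AUDIT_LOG.append(("authn", name, "success" if ok else "bad password"))
    return user if ok else None


def authorize(user, action: str, compartment: str) -> bool:
    """Is this authenticated user allowed to do `action` on data in `compartment`?"""
    if user is None:
        AUDIT_LOG.append(("authz", "-", action, compartment, "denied: not authenticated"))
        return False
    allowed_actions = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in user.roles))
    if action not in allowed_actions:
        AUDIT_LOG.append(("authz", user.name, action, compartment, "denied: role"))
        return False
    if compartment not in user.compartments:  # need-to-know is checked on its own
        AUDIT_LOG.append(("authz", user.name, action, compartment, "denied: need-to-know"))
        return False
    AUDIT_LOG.append(("authz", user.name, action, compartment, "allowed"))
    return True


def request(name: str, password: str, action: str, compartment: str) -> bool:
    """Full access decision: authenticate first, then authorize."""
    return authorize(authenticate(name, password), action, compartment)


if __name__ == "__main__":
    print(request("alice", "correct horse battery", "read", "payroll"))  # allowed
    print(request("alice", "correct horse battery", "read", "hr"))       # denied: need-to-know
    print(request("alice", "correct horse battery", "write", "payroll")) # denied: role
    for entry in AUDIT_LOG:
        print(entry)
```

The point to notice is that alice is denied "read" on hr even though her role permits reading: role permissions and need-to-know are two separate layers, and the audit log records which layer refused, which is the evidence an auditor samples when evaluating logical access controls.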
General Idea: Types of Means of Control
Type: Example of Control
Avoid: Disconnect from network, stopping services
Reduce: Backup site, Duplex system, Monitoring
Transfer: Insurance, hosting
Accept: Enhancement of customer support
Technical measures of security
(P/D/C = Preventive / Detective / Corrective; C/I/A = Confidentiality / Integrity / Availability)
Type               Method     P  D  C    C  I  A
Network Fortress   Firewall   X          x  x  x
                   DMZ        X          x  x  x
Security Audit
Evaluation of the information security status of all assets
•Identify assets
•Identify vulnerabilities
•Identify threats
•Determination of likelihood
•Determination of consequence
•Identify security controls
•Risk mitigation
Security assessment areas cover:
•Security Policy
•Organizational Security
•Asset classification and control
•Personnel security
•Physical and Environmental Security
•Communications and Operations Management
•Access Control
•System development and maintenance
•Business Continuity Management
•Compliance
•other
Characteristics of a security audit:
•Security tends to degrade during the operational phase of the system life cycle.
Once it is in place it tends to be forgotten
•One-time or regular evaluation of security and controls
•Examine an entire system or a single anomalous event
•Conformity to the requirements of relevant legislation or regulations / management
Group roles and Responsibility for Security Management
[Figure: organization chart for security management: Executive manager; CISO (Chief Information Security Officer); CPO (Chief Privacy Officer); IS security steering committee; Security Advisory Group; Security Administrator; Security Specialist; Security Process Owners; IT Process Owners; Developer; IS Auditor]
Security baseline recommendation
Inventory for Physical control
– Objective: Establish and maintain an inventory
– Example recommendation: Users are expected to follow standards to connect to the network and register their network address.
Antivirus
– Objective: Install antivirus software with automatic updating
– Example recommendation: The antivirus database should be updated every day.
Passwords
– Objective: Recognize the importance of passwords
– Example recommendation: The IT department should provide password guidance.
Patching
– Objective: Make it automated
– Example recommendation: Each machine should be configured to patch automatically.
Minimizing services offered by infrastructure (software)
– Objective: Eliminate unnecessary services, reducing security risk
– Example recommendation: To improve basic security and minimize the effort to maintain systems, workstations should offer only needed services.
Addressing Vulnerabilities
– Objective: Eliminate many vulnerabilities with good system administration
– Example recommendation: Information from enterprise-wide scans helps to identify vulnerabilities on each system.
Backups
– Objective: Allow easy recovery from user mistakes and hardware failure
– Example recommendation: Backups should be made offsite to reduce security risk.
Summary Basic Security Evaluation Check list (1)
Assets/Inventory
•What types of data are maintained by the company?
•Is there any confidential information? How is it kept?
•Are there any specific requirements for handling data?
Environment
•What kind of ICT devices does the company have?
•Is there a wireless network? How is its security?
•Is there an appropriate network map for security?
•What kind of OS does the company use?
•How is remote network access handled?
•How are software licenses managed?
•How is the configuration management of H/W and S/W?
•Are there any physical security means for entering the IT room?
Anti-virus
•Does the company have an anti-virus policy?
•Do all workstations and servers have anti-virus software?
•Does the antivirus software update its virus DB automatically?
•Does each staff member understand what to do when he/she finds a virus?
Password
•Does the company have a policy on using passwords?
•Does the company conduct training?
•Is there any software to detect weak passwords?
•Do staff know that they cannot share passwords?
Summary Basic Security Evaluation Check list (2)
Patch
•Do all devices update automatically? How often?
•Is there any environment for testing new patches?
•Is a backup taken before applying a new patch?
Minimizing services
•Does the company identify necessary services?
•Do the IT staff review minimizing services?
•Is there any means to prevent new installations by unauthorized personnel?
Vulnerabilities
•Is vulnerability testing done?
•After testing, does the company take measures against the vulnerabilities?
•If someone finds a vulnerability, who supports them next?
•Are there any firewalls and IDS in the network?
Backup and recovery
•Is backup done regularly?
•Is the backup kept in a secure area?
•Are there appropriate procedures for backup and recovery?
•Is the backup appropriate to recover the business in case of disaster?
•Do IT staff have experience of recovery or of testing recovery?
General Idea of Network Security
Proactive Endpoint Security
•Define and deploy a baseline security policy
•Provides instant desktop firewall protection
•Blocks all unsolicited traffic to/from the PC
•Uses stealth technology to make PCs invisible to hackers
•Controls how, when, and which resources PCs can access on the network
•Enables very granular least-privilege access to network resources
•Safeguards PCs with intrusion prevention with no rule writing
•Blocks traffic containing malicious code
•Stops execution of any malware it detects on the PC
Penetration Testing
•Attempts to scrutinize the true strength of an organization’s security
infrastructure against a real attack
•Assumes the role of a real intruder and attempts to breach the network in a
controlled and safe way, not affecting your services
•Launches a series of attacks on the network using commonly used techniques
•Various commercial and open source “hacker” tools will be employed during the
tests
Environmental exposure and controls
Exposure
•Lightning storms, earthquakes, volcanic eruptions, hurricanes, tornados and
other types of extreme weather.
•Power failures: blackout, brownout, sag/spikes and surges, and
electromagnetic interference (EMI).
•Water damage / flooding
•Fire
•Dust, smoke and other particulate matter, including food.
•Mice and other animals and insects
•Terrorism
Controls
•Alarm control panel
•Uninterruptible power supply / Generator
•Fireproof walls, floors and cable
•Water and fire/smoke detectors
•Fire extinguishers (handheld or equipment)
•Humidity / Temperature control
•Monitoring camera
Chapter 6.
Domain 2
IT Governance
Overview of Tasks for Domain 2
•2.1 Evaluate the effectiveness of the IT governance structure to ensure adequate board
control over the decisions, directions and performance of IT so that it supports the
organization’s strategies and objectives.
•2.2 Evaluate the IT organizational structure and human resources (personnel)
management to ensure that they support the organization’s strategies and objectives.
•2.3 Evaluate the IT strategy and the process for its development, approval,
implementation and maintenance to ensure that it supports the organization’s strategies
and objectives.
•2.4 Evaluate the organization’s IT policies, standards and procedures and the processes
for their development, approval, implementation and maintenance to ensure that they
support the IT strategy and comply with regulatory and legal requirements.
•2.5 Evaluate management practices to ensure compliance with the organization’s IT
strategy, policies, standard and procedures.
•2.6 Evaluate IT resource investment, use and allocation practices to ensure alignment
with the organization’s strategies and objectives.
•2.7 Evaluate IT contracting strategies and policies and contract management practices to
ensure that they support the organization’s strategies and objectives.
•2.8 Evaluate risk management practices to ensure that the organization’s IT-related risks
are properly managed.
•2.9 Evaluate monitoring and assurance practices to ensure that the board and executive
management receive sufficient and timely information about IT performance.
Overview of skill and knowledge for Domain 2
•2.1 Knowledge of the purpose of IT strategies, policies, standards and procedures for an
organization and the essential elements of each
•2.2 Knowledge of IT governance frameworks
•2.3 Knowledge of the processes for the development, implementation and maintenance of
IT strategies, policies, standards and procedures
•2.4 Knowledge of quality management strategies and policies
•2.5 Knowledge of organizational structure, roles and responsibilities related to the use and
management of IT
•2.6 Knowledge of generally accepted international IT standards and guidelines
•2.7 Knowledge of enterprise IT architecture and its implications for setting long-term
strategic goals
•2.8 Knowledge of risk management methodologies and tools
•2.9 Knowledge of the use of control frameworks (e.g., COBIT, COSO and ISO/IEC 17799)
•2.10 Knowledge of the use of maturity and process improvement models (e.g., CMM and
COBIT)
•2.11 Knowledge of contracting strategies, processes and contract management practices
•2.12 Knowledge of practices for monitoring and reporting of IT performance (e.g., balanced
scorecards and key performance indicators)
•2.13 Knowledge of relevant legislative and regulatory issues (e.g., privacy, intellectual
property and corporate governance requirements)
•2.14 Knowledge of IT human resources (personnel) management
•2.15 Knowledge of IT resource investment and allocation practices (e.g., portfolio
management return on investment)
IS Audit Small Quiz No.7
Domain 2 IT Governance
IT governance, Governance organization, Governance strategy and
policy, Management of security, outsourcing and human resources.
Quiz book
[Figure: ITIL V.3 (ISO 20000) covering Service Delivery and Operation; ISO 27000 covering Security]
Summary
a) Leadership and Clear Business Ownership
b) Aligned Business-Relevant Measures
c) Complete and Accurate Inventories
d) Linking Technical and Business Risk
Concept of IT Governance:
Concept of IT Governance:
Enterprise Architecture for IT
[Figure: As-Is Model, To-Be Model and Next Model]
An enterprise architecture (EA) is a conceptual blueprint that defines
the structure and operation of an organization. The intent of an
enterprise architecture is to determine how an organization can most
effectively achieve its current and future objectives.
Concept of IT Governance:
Balanced Scorecard
The core characteristic of the Balanced Scorecard and its derivatives is the presentation of
a mixture of financial and non-financial as well as leading and lagging measures, each
compared to a 'target' value within a single concise report.
Perspective            Strategic target               Measuring method              Target                 Action plan   Person in charge
Financial              Improvement in profitability   Net profit                    20% rise
                       Expansion of customers         Sales growth rate             30% rise
                       Fewer aircraft                 Lease cost                    20% down
Customer Orientation   Expansion of customer loyalty  Repeater ratio                90% or more
                                                      Customer rate of increase     30% rise
                       Keeping a departure time       Departure at the right time   90% or more
                                                      Average delay time            Less than 10 minutes
                                                      Flight cancellation ratio     0%
Business Process       Keeping a schedule             Customer complaint cases      Zero cases/month
Learning & Growth      Improvement of Training        Training cost                 10% of sales
                                                      Training Time                 10% rise
Concept of IT Governance:
Balanced Scorecard: example of objectives and metrics
Viewpoint              Objective                      Example Metrics
Financial              Business/IT Alignment          Operational budget approval
                       Value Delivery                 Business Unit Performance
                       Risk Management                Results of Internal Audits
Customer Orientation   Customer Satisfaction          Business Unit Survey ratings
                       Competitive Costs              Attainment of unit cost targets
Business Process       Development Process            Function Point Measures
                       Operational process            Change Management effectiveness
                       Process Maturity               Level of IT Processes
                       Enterprise Architecture        State of the infrastructure assessment
Learning & Growth      Human Resource Management      Staff Turnover
                       Employee Satisfaction          Satisfaction survey scores
                       Knowledge Management           Implementation of learned lessons
Concept of IT Governance:
c) Complete and Accurate Inventories
•IT-dependent Business Processes
•Data Repositories and Information Flows
•IT Infrastructure
•IT Resources and Processes
Example: Information flow of sale
IT Governance Focus Area: (ITGI)
Enterprise governance is a set of responsibilities and practices
exercised by the board and executive management with the goal of:
• Providing strategic direction
• Ensuring that objectives are achieved
• Ascertaining that risks are managed appropriately
• Verifying that the enterprise’s resources are used responsibly
IT Governance Focus Area: (ITGI)
Strategic alignment: Focuses on ensuring the linkage of business and IT plans; on defining,
maintaining and validating the IT value proposition; and on aligning IT
operations with enterprise operations.
Value delivery: Is about executing the value proposition throughout the delivery cycle,
ensuring that IT delivers the promised benefits against the strategy,
concentrating on optimizing costs and proving the intrinsic value of IT.
Resource management: Is about the optimal investment in, and the proper management of,
critical IT resources: applications, information, infrastructure and people.
Key issues relate to the optimization of knowledge and infrastructure.
Risk management: Requires risk awareness by senior corporate officers, a clear
understanding of the enterprise’s appetite for risk, understanding of
compliance requirements, transparency about the significant risks to the
enterprise, and embedding of risk management responsibilities in the
organization.
Performance measurement: Tracks and monitors strategy implementation, project completion,
resource usage, process performance and service delivery, using, for
example, balanced scorecards that translate strategy into action to
achieve goals measurable beyond conventional accounting.
IT governance flow and cycle (CobiT)
Business Objectives
Governance Objectives
Information criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Compliance, Reliability
IT resources: People, Application Systems, Technology, Facilities, Data
Planning and Organization
PO1 Define a strategic IT plan
PO2 Define the information architecture
PO3 Determine the technological direction
PO4 Determine the IT Processes, …
Acquisition and Implementation
AI1 Identify automated solutions
AI2 Acquire and maintain application software
AI3 Acquire and maintain technology infrastructure
AI4 Enable operation and use
AI5 Procure IT resources
AI6 Manage …
Delivery and Support
DS1 Define and Manage Service Levels
DS2 Manage third party services
DS3 Manage performance and capacity
DS4 Ensure continuous service
DS5 Ensure systems security
DS6 Identify and allocate costs
…
Monitoring
M1 Monitor and evaluate IT performance
M2 Monitor and evaluate internal control
…
IT Management hierarchy (CobiT)
Domain: Natural grouping of processes, often matching an organizational domain of
responsibility
IT Governance: Types of Planning
Organization of steering committee
[Figure: organization chart headed by the Board of Directors]
General role of IS auditor for IT governance
An auditor is well positioned to provide leading-practice
recommendations to senior management to help the quality and
effectiveness of the IT governance initiatives implemented.
As an entity that monitors compliance, audit helps ensure
compliance with the IT governance initiatives implemented within an
organization. The continual monitoring, analysis and evaluation of
metrics associated with IT governance initiatives require an
independent and balanced view to ensure a qualitative assessment
that subsequently facilitates the qualitative improvement of IT
processes and associated IT governance initiatives.
Issues and targets of IT governance (1)
Contact: Go Ota
e-mail gohome@v006.vaio.ne.jp
Web www.beyondbb.jp (Japanese)