Security
Reader small image

You're reading from  CISA – Certified Information Systems Auditor Study Guide - Second Edition

Product typeBook
Published inJun 2023
PublisherPackt
ISBN-139781803248158
Edition2nd Edition
Concepts
Information Security
Right arrow
Author (1)
Hemang Doshi
Hemang Doshi
author image
Hemang Doshi

Hemang Doshi has more than 15 years of experience in the field of system audit, IT risk and compliance, internal audit, risk management, information security audit, third-party risk management, and operational risk management. He has authored several books for certification such as CISA, CRISC, CISM, DISA, and enterprise risk management.
Read more about Hemang Doshi

Right arrow

IT Governance

This Book Comes with Free Online Content

With this book, you get unlimited access to web-based CISA exam prep tools which include practice questions, flashcards, exam tips, and more.

Figure 1.1: CISA Online Practice Resources Dashboard

Figure 3.1: CISA online practice resources dashboard

To unlock the content, you’ll need to create an account using your unique sign-up code provided with this book. Refer to theInstructions for Unlocking the Online Content section in the Preface on how to do that.

Accessing the Online Content

If you’ve already created your account using those instructions, visit packt.link/cisastudyguidewebsite or scan the following QR code to quickly open the website.

Figure 3.2: QR Code to access CISA Online Practice Resources Main Page

Figure 3.2: QR Code to access CISA online practice resources main page

Once there, click the Login link in the top-right corner of the page to access the content using your credentials.

An Information Systems (IS) auditor must have knowledge of enterprise...

Enterprise Governance of IT (EGIT)

EGIT is a process used to monitor and control IT activities. IT governance ensures that information technology provides added value to business processes and also that IT risks are appropriately addressed. The purpose of EGIT is to ensure that IT activities are aligned with business objectives. Such an alignment of IT and business leads to the attainment of business value.

The Board of Directors is primarily responsible for EGIT. It implements governance through leadership, organizational structures, policies, and performance monitoring to ensure that business objectives are achieved.

The following diagram depicts EGIT in a nutshell:

Figure 3.3: EGIT in a nutshell

Figure 3.3: EGIT in a nutshell

For the successful implementation of EGIT, it is essential to design and document well-structured processes. This is discussed in the next topic.

EGIT Processes

The EGIT framework can be implemented by establishing and managing the following processes...

IT-Related Frameworks

IT-related processes should be defined and documented in a structured manner. The adoption of IT-related frameworks helps an organization add value to its stakeholders and also ensures confidentiality, integrity, and the availability of IT assets. The following are some of the EGIT frameworks:

IT Standards, Policies, and Procedures

EGIT is implemented through a specific set of standards, policies, and procedures. Let’s understand how each one of these operates.

Policies

A policy is a set of ideas or strategies that are used as a basis for decision-making. They are high-level statements of direction issued by management:

  • There can be multiple policies at the corporate level as well as the department level. It should be ensured that department-wise, policies are consistent and aligned with corporate-level policies.
  • Policies should be reviewed at periodic intervals to incorporate new processes, technology, and regulatory requirements. An appropriate version history should also be maintained. An IS auditor should check for currency.
  • IS auditors should use policies to evaluate and verify compliance.
  • An IS auditor should also consider the applicability of policies to third-party vendors and service providers and their adherence to said policies...

Organizational Structure

A CISA candidate is expected to have an understanding of the organizational structure as well as the various roles and responsibilities of important IT functions.

The following table depicts the roles of IT-related functions:

Framework

Description

COBIT

COBIT was developed by ISACA.

It stands for Control Objective for Information and Related Technology.

COBIT is an EGIT framework that ensures that IT is aligned with the business and delivers value for the business.

ISO 27000 series

The ISO 27000 series is a set of best practices for information security programs.

ISO/IEC 27001 is a well-recognized standard for an Information Security Management System (ISMS).

ITIL...

Enterprise Architecture

An Enterprise Architecture (EA) defines the structure and operations of the organization. The objective of EA is to determine how an organization can achieve its current as well as future objectives. It is important for the EA to include the entire future outcome. If a future-state description is not included in the EA, it is incomplete.

The EA’s primary focus is to ensure that technology initiatives are compatible with the IT framework. Hence, the EA’s goal is to help the organization adopt the most successful technologies. The Zachman Framework was one of the first EAs created by John Zachman. It is a fundamental EA structure that provides a formal and structured way of viewing and defining an enterprise.

Enterprise Security Architecture

Enterprise security architecture is a subset of overall enterprise architecture and includes security processes and procedures and how these are linked across the organization from a strategic, tactical...

Enterprise Risk Management

Enterprise risk management (ERM) is a set of practices, methods, and processes adopted by organizations to manage and monitor risks. ERM is a structured process for managing various risks that can adversely impact business objectives. For effective risk management, it is important to determine an organization’s appetite for risk.

Risk Management Process Steps

Risk management is a process by means of which potential risks are identified, monitored, and managed. The following table depicts five steps to effective risk management:

Authority/committee

Description

Board of Directors

Corporate governance is mainly the responsibility of the Board of Directors.

Strategy committee

Advises the board on IT initiatives.

This committee consists of members of the board and specialist members of the non-board.

IT steering committee

Ensures that the IS department is in line with the goals and priorities of the organization.

The committee must determine whether IT processes support business requirements.

Monitors...

Maturity Model

Implementing IT governance involves the ongoing performance measurement of the assets of an organization. Maintaining consistent processes, productivity, and efficiency requires the implementation of a process maturity framework. The system can be based on different models, for example, Capability Maturity Model Integration (CMMI) and the Initiating, Diagnosing, Establishing, Acting, and Learning (IDEAL) model. CISA aspirants should be aware that there will be no direct questions in the exam on any of the particular frameworks or models.

Laws, Regulations, and Industry Standards Affecting the Organization

Laws and regulations are being enacted with the aim of protecting the interests of stakeholders. In the field of IT, the most common objectives of laws and regulations include the safeguarding of privacy and the confidentiality of personal data, the protection of intellectual property rights, and the integrity of financial information.

All these laws and regulations mandate various policies and procedures to protect the interests of stakeholders. CISA aspirants should be aware that there will be no direct questions in the exam on any particular laws or regulations.

An IS Auditor’s Role in Determining Adherence to Laws and Regulations

An IS auditor should consider the following factors in determining the level of adherence to laws and regulations by an organization:

  • Has an organization identified applicable laws and regulations pertaining to IT?
  • How is the Governance, Risk, and Compliance...

Summary

In this chapter, you learned about the important aspects of enterprise governance and related frameworks that an IS auditor is expected to use during audit assignments. You also explored the practical aspects of IT standards, policies, and procedures. The most important benefit of audit planning is that it helps the auditor focus on high-risk areas. Further, you studied organizational structure, enterprise architecture, and enterprise risk management.

The following is a recap of the important topics learned about in this chapter:

  • EGIT is a process used to monitor and control IT activities. Information security governance is an integral part of overall IT governance. Information security governance addresses concerns regarding the protection of information assets, in other words, the confidentiality, integrity, and availability of the information.
  • The primary responsibility and accountability for setting up the IS security policy reside with the Board of Directors...

Chapter Review Questions

Before you proceed to Chapter 4, IT Management, it is recommended that you solve the practice questions from this chapter first. These chapter review questions have been carefully crafted to reinforce the knowledge you have gained throughout this chapter. By engaging with these questions, you will solidify your understanding of key topics, identify areas that require further study, and build your confidence before moving on to new concepts in the next chapter.

Note

A few of the questions may not be directly related to the topics in the chapter. They aim to test your general understanding of information systems concepts instead.

The following image shows an example of the practice questions interface.

Figure 3.6: CISA practice question interface

To access the end-of-chapter questions from this chapter, follow these steps:

  1. Open your web browser and go to https://packt.link/UiKaw. You will see the following screen:
    2. ...
lock icon
The rest of the chapter is locked
Previous Chapter
Chapter 4 of 14
Next Chapter
You have been reading a chapter from
CISA – Certified Information Systems Auditor Study Guide - Second Edition
Published in: Jun 2023Publisher: PacktISBN-13: 9781803248158
© 2023 Packt Publishing Limited All Rights Reserved
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Sign up now
undefined
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Start free trial
Renews at €14.99/month. Cancel anytime

Author (1)

author image
Hemang Doshi

Hemang Doshi has more than 15 years of experience in the field of system audit, IT risk and compliance, internal audit, risk management, information security audit, third-party risk management, and operational risk management. He has authored several books for certification such as CISA, CRISC, CISM, DISA, and enterprise risk management.
Read more about Hemang Doshi

Personalised recommendations for you

Based on your interests and search pattern

Attacking and Exploiting Modern Web Applications

Attacking and Exploiting Modern Web Applications

Attacking and Exploiting Modern Web Attacks will help you understand how to identify attack surfaces and detect vulnerabilities. This book takes a hands-on approach to implementation and associated methodologies and equips you with the knowledge and skills needed to effectively combat web attacks.

BookAug 2023338 pages
Automotive Cybersecurity Engineering Handbook

Automotive Cybersecurity Engineering Handbook

This Automotive Cybersecurity Engineering Handbook untangles the complexities of building secure automotive products and helps you to comply with cybersecurity standards. It provides practical tools, tips, and techniques coupled with real-world examples to enable you to create cyber-resilient automotive products with ease.

BookOct 2023392 pages
Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide

Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide

This book will help you to design, develop, and operate security controls on Google Cloud as well as discover best practices for relevant security domains, including identity and access management, network, and data.

BookAug 2023496 pages
Cloud Penetration Testing for Red Teamers

Cloud Penetration Testing for Red Teamers

The advent of cloud networks and the AWS, Azure, and GCP platforms has revolutionized how companies of all sizes in all industries do business online. This book will help you meet the emerging demand for pentesting as it guides you through the tools, techniques, and security measures used by pentesters and red teamers in the 2020s and beyond.

BookNov 2023298 pages
ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide

ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide

ISACA Certified in Risk and Information Systems Control (CRISC®) Certification Guide is an enterprise IT risk management professional’s dream. With its in-depth approach and various self-assessment exercises, this book arms you with knowledge of every single aspect of the certification, and is a fantastic career companion after you’re certified.

BookSep 2023316 pages5
Burp Suite Cookbook

Burp Suite Cookbook

Burp Suite is an immensely powerful and popular tool for web application security testing. This book provides a collection of recipes that address vulnerabilities in web applications and APIs. It offers guidance on how to configure Burp Suite, make the most of its tools, and explore into its extensions.

BookOct 2023450 pages
Building and Automating Penetration Testing Labs in the Cloud

Building and Automating Penetration Testing Labs in the Cloud

This hands-on guide will help you design and build a variety of penetration testing labs that mimic modern cloud environments running on AWS, Azure, and GCP. In addition to these, you will explore a number of practical strategies on how to manage the complexity, cost, and security risks involved when setting up vulnerable cloud lab environments.

BookOct 2023562 pages
Ethical Hacking Workshop

Ethical Hacking Workshop

As cyber-attacks grow and APT groups advance their skillset, you need to be able to protect your enterprise against cyber-attacks. In order to limit your attack surface, you need to ensure that you leverage the same skills and tools that an adversary may use to hack your environment and discover the security gaps. This book will teach you how to think like a hacker, use state-of-the-art hacking tools, and protect yourself and your organizaiton.

BookOct 2023220 pages
Windows Forensics Analyst Field Guide

Windows Forensics Analyst Field Guide

This book contains step-by-step processes to guide you in any investigation related to Windows OS. You’ll find out how to acquire evidence using multiple tools as well as examine and analyze the collected artifacts, while discovering multiple techniques used in real-world forensic incidents.

BookOct 2023318 pages
Implementing DevSecOps Practices

Implementing DevSecOps Practices

This book is a comprehensive, hands-on guide for individuals new to DevSecOps who want to implement DevSecOps practices successfully and efficiently. With its help, you’ll be able to shift security toward the left, enabling you to merge security into coding in no time.

BookDec 2023258 pages

Steps

Description

Asset identification

The first step is the identification of assets that are critical to the organization and that need to be adequately protected.

Assets can be in the form of data, hardware, software, and people.

Once assets are identified, they should...