ISACA CISA Certification Certified Information Systems Auditor Courseware Version 4.1
www.firebrandtraining.com
ISACA® Trust in, and value from, information systems
© 2015 Firebrand 8/25/2015
2015 CISA Review Course
Introduction
Welcome
Welcome to an exciting course!
• Educational value
• Exceptional learning environment
• Great support
• Your Firebrand staff and instructor are here to answer any questions you may have
Agenda
This introduction will address:
• The CISA certification
• Course format
• Examination format
• Introduction of attendees
CISA: Certified Information Systems Auditor
• Designed for personnel who will audit and review information systems
• Assurance that systems are designed, developed, implemented and maintained to support business needs and objectives
• Tough but very good quality examination
• Requires understanding of the concepts behind information systems audit – not just the definitions
CISA Exam Review Course Overview
The CISA exam is based on the CISA job practice.
• The ISACA CISA Certification Committee oversees the development of the exam and ensures the currency of its content.
• There are five content areas that the CISA candidate is expected to know.
CISA Job Practice Areas
• The Process of Auditing Information Systems
• Governance and Management of IT
• Information Systems Acquisition, Development and Implementation
• Information Systems Operations, Maintenance and Support
• Protection of Information Assets
CISA Qualifications
To earn the CISA designation, information security professionals are required to:
• Successfully pass the CISA exam
• Submit an application for CISA certification
• Have a minimum of five years of information systems auditing, control or security work experience (waivers available for education)
• Adhere to the ISACA Code of Professional Ethics
• Adhere to the CISA continuing education policy
• Comply with Information Systems Auditing Standards
Accelerated Learning Environment
This is a Firebrand Accelerated Learning Course
• This is a fast-paced program
• Please do not miss a moment of class time
• Participate in the discussions and questions
• Ask questions – challenge your understanding
Daily Format
Lecture and sample questions; approximately two domains per day
• Domain structure
• Learning objectives
• Content
• Sample questions
Please note that the information in every domain overlaps with the information in other domains – during the course we will introduce topics that are expanded upon in later domains.
Course Structure
• Start time
• Breaks
• Meals
• End of day
• End of class on last day
Logistics
• Fire escapes
• Assembly point
• Mobile phones / pagers
The Examination
Description of the Exam
• The exam consists of 200 multiple choice questions that cover the CISA job practice areas.
• Four hours are allotted for completing the exam.
• See the Candidate Guide 2015 included in the course booklet for further details.
Examination Job Practice Areas
The exam items are based on the content within five information systems audit areas:
• Process of Auditing Information Systems: 14%
• Governance and Management of IT: 14%
• Information Systems Acquisition, Development and Implementation: 19%
• Information Systems Operations, Maintenance and Support: 23%
• Protection of Information Assets: 30%
2015 Exam Dates
The exam will be administered three times in 2015
• The 1st exam date is June 13
• April 21 is the deadline for registration
• The 2nd exam date is Sept 12
• The 3rd exam date is Dec 12
• Many examination locations worldwide
• Register at www.isaca.org
Examination Day
Be on time!!
• The doors are locked when the instructions start – approximately 30 minutes before examination start time.
• Bring the admission ticket (sent out prior to the examination by ISACA) and an acceptable form of original photo identification (passport, photo ID or driver's license).
Completing the Examination Items
• Bring several #2 pencils and an eraser
• Read each question carefully
• Read ALL answers prior to selecting the BEST answer
• Mark the appropriate answer on the test answer sheet
• When correcting an answer, be sure to thoroughly erase the wrong answer before filling in a new one
• There is no penalty for guessing. Answer every question.
Grading the Exam
• Candidate scores are reported as a scaled score based on the conversion of a candidate's raw score on an exam to a common scale.
• ISACA uses and reports scores on a common scale from 200 to 800.
• A candidate must receive a score of 450 or higher to pass.
• Exam results will be mailed (and emailed) out approximately 8 weeks after the exam date.
Good luck!
Introduction of Classmates
End of Introduction
2015 CISA Review Course
The Process of Auditing Information Systems
Exam Relevance
Ensure that the CISA candidate…
• Has the knowledge necessary to provide audit services in accordance with IT audit standards to assist the organization with protecting and controlling information systems
• The content area in this chapter will represent approximately 14% of the CISA examination (approximately 28 questions).
Figure: % of total exam questions by chapter – Chapter 1 14%, Chapter 2 14%, Chapter 3 19%, Chapter 4 23%, Chapter 5 30%
Agenda
• Definition and Planning of Audit
• Risk Management
• Audit Planning
• Performing the Audit
• Audit Analysis and Reporting
• Conclusion
Chapter 1 Learning Objectives
• Develop and implement a risk-based IT audit strategy based on IT audit standards
• Plan specific audits to determine whether information systems are protected, controlled and provide value to the organization
• Conduct audits in accordance with IT audit standards to achieve planned audit objectives
Learning Objectives (continued)
• Report audit findings and make recommendations to key stakeholders to communicate results and effect change when necessary
• Conduct follow-ups or prepare status reports to ensure appropriate actions have been taken by management in a timely manner
Audit Charter
Audit begins with the acceptance of an audit charter, which provides:
• Authority for audit
• Responsibility
• Reporting requirements
Signed by the Audit Committee or senior management
Definition of Auditing
• Systematic process by which a competent, independent person objectively obtains and evaluates evidence regarding assertions about an economic entity or event for the purpose of forming an opinion about and reporting on the degree to which the assertion conforms to an identified set of standards.
Definition of Information Systems Auditing
• Any audit that encompasses review and evaluation (wholly or partly) of automated information processing systems, related non-automated processes and the interfaces between them.
Audit Objectives
An audit compares (measures) actual activity against standards and policy.
Specific goals of the audit:
• Confidentiality
• Integrity
• Reliability
• Availability
• Compliance with legal and regulatory requirements
Audit Planning
Involves short- and long-term planning (on an annual basis), considering:
• New control issues
• Changes / upgrades to technologies
• Business processes / needs / goals
• Auditing / evaluation techniques
Audit Planning cont.
Based on concerns of management or areas of higher risk:
• Process failures
• Financial operations
• Compliance requirements
IS Audit Resource Management
Audit program challenges:
• Limited number of IS auditors
• Maintenance of their technical competence
• Assignment of audit staff
Types of Audits
• Financial audits
• Operational audits
• Integrated audits
• Administrative audits
• IS audits
• Specialized audits
• Forensic audits
Elements of an Audit
• Audit scope
• Audit objectives
• Audit criteria
• Audit procedures
• Evidence
• Conclusions and opinions
• Reporting
Creating the Plan for an Audit
1. Gather information
2. Identify system and components
3. Assess risk
4. Perform risk analysis
5. Conduct internal control review
6. Set audit scope and objectives
7. Develop auditing strategy
8. Assign resources
Planning the Audit
• Based on the scope and objective of the particular assignment
• IS auditor's concerns:
  • Security (confidentiality, integrity and availability)
  • Quality (effectiveness, efficiency)
  • Fiduciary (compliance, reliability)
  • Service and capacity
Audit Methodology
A set of documented audit procedures designed to achieve planned audit objectives
• Composed of:
  – Statement of scope
  – Statement of audit objectives
  – Statement of audit programs
• Set up and approved by the audit management
• Communicated to all audit staff
Phases of an Audit
• Audit subject
• Audit objective
• Audit scope
• Pre-audit planning
• Audit procedures and steps for data gathering
• Procedures for evaluating the test or review results
• Procedures for communication with management
• Audit report preparation
Audit Workpapers
• Audit plans
• Audit programs
• Audit activities
• Audit tests
• Audit findings and incidents
Audit Procedures
• Understanding of the audit area/subject
• Risk assessment and general audit plan
• Detailed audit planning
• Preliminary review of audit area/subject
• Evaluating audit area/subject
• Verifying and evaluating controls
• Compliance testing
• Substantive testing
• Reporting (communicating results)
• Follow-up
Types of Tests for IS Controls
• Use of audit software to survey the contents of data files
• Assess the contents of operating system parameter files
• Flow-charting techniques for documenting automated applications and business processes
• Use of audit reports available in operating systems
• Documentation review
• Observation
Forensic Audits
Audits specifically related to a crime or serious incident
• Determine:
  • Scope of incident
  • Root cause
  • Personnel and systems involved
• Obtain and examine evidence
• Report for further action
Fraud Detection
• Fraud detection is management's responsibility
• Benefits of a well-designed internal control system:
  • Deterring fraud at the first instance
  • Detecting fraud in a timely manner
• Fraud detection and disclosure
• Auditor's role in fraud prevention and detection
Risk-Based Auditing
A Quick Review of Risk Assessment and Mitigating Controls
Definition of Risk
• Risk is the likelihood of a threat exploiting a vulnerability and the resulting impact on the business mission
• Risk assessment must be based on business requirements, not solely on information systems
Purpose of Risk Management
Risk assessment
• Identify and prioritize risk
• Recommend risk-based controls
Risk mitigation
• Reduce risk
• Accept risk
• Transfer risk
• Avoid risk
Ongoing assessment of risk levels and control effectiveness
Risk Management
• Identify business objectives (BO)
• Identify business assets that support the BO
• Perform risk assessment (RA) [threat – vulnerability – probability – impact]
• Perform risk mitigation (RM) [map risks with controls in place]
• Perform risk treatment (RT) [treat existing risks not mitigated by existing controls]
• Perform periodic risk re-evaluation (BO, RA, RM, RT)
Purpose of Risk Analysis
• Identify threats and vulnerabilities
• Helps the auditor evaluate countermeasures / controls
• Helps the auditor decide on auditing objectives
• Supports risk-based auditing decisions
• Leads to implementation of internal controls
Why Use Risk-Based Auditing
• Enables management to effectively allocate limited audit resources
• Ensures that relevant information has been obtained from all levels of management
• Establishes a basis for effectively managing the audit plans
• Provides a summary of how the individual audit subject is related to the overall organization as well as to the business plan
Risk Assessment and Treatment
Assessing security risks
• Risk assessments should identify, quantify and prioritize risks against criteria for risk acceptance and objectives relevant to the organization
• Performed periodically to address changes in the environment and in security requirements, and when significant changes occur
Risk Assessment and Treatment cont.
Treating security risks
• Each risk identified in a risk assessment needs to be treated in a cost-effective manner according to its level of risk
• Controls should be selected to ensure that risks are reduced to an acceptable level
General Controls
Apply to all areas of an organization and include policies and practices established by management to provide reasonable assurance that specific objectives will be achieved.
Internal Controls
• Policies, procedures, practices and organizational structures implemented to reduce risks
• Classification of internal controls:
  • Preventive controls
  • Detective controls
  • Corrective controls
Areas of Internal Control
Internal control system
• Internal accounting controls
• Operational controls
• Administrative controls
IS Controls Versus Manual Controls
Internal control objectives apply to all areas, whether manual or automated. Therefore, conceptually, control objectives in an IS environment remain unchanged from those of a manual environment.
IS Controls
• Strategy and direction
• General organization and management
• Access to IT resources, including data and programs
• Systems development methodologies and change control
• Operations procedures
• Systems programming and technical support functions
IS Controls cont.
• Quality assurance procedures
• Physical access controls
• Business continuity/disaster recovery planning
• Networks and communications
• Database administration
• Protection and detective mechanisms against internal and external attacks
Internal Control Objectives
• Safeguarding of IT assets
• Compliance with corporate policies or legal requirements
• Input authorization
• Accuracy and completeness of processing of data input/transactions
• Output
• Reliability of process
• Backup/recovery
• Efficiency and economy of operations
• Change management process for IT and related systems
Assessing and Implementing Countermeasures
• Cost
• Assess management's tolerance for risk
• Effectiveness at mitigating risk
Performing an Audit Risk Assessment
Identify:
• Business risks
• Technological risks
• Operational risks
A Risk Based Audit Approach
Risk-based Auditing
Gather information and plan:
• Knowledge of business and industry
• Prior year's audit results
• Recent financial information
• Regulatory statutes
• Inherent risk assessments
Obtain understanding of internal control:
• Control environment
• Control procedures
• Detection risk assessment
• Control risk assessment
• Equate total risk
Risk-based Auditing cont.
Perform compliance tests:
• Identify key controls to be tested
• Perform tests on reliability, risk prevention, and adherence to organizational policies and procedures
Perform substantive tests:
• Analytical procedures
• Detailed tests of account balances
• Other substantive audit procedures
Conclude the audit:
• Create recommendations
• Write audit report
Audit Planning
Audit Planning
Audit planning steps
• Gain an understanding of the business's mission, objectives, purpose and processes
• Identify stated contents (policies, standards, guidelines, procedures, and organization structure)
• Evaluate risk assessment and privacy impact analysis
• Perform a risk analysis
Audit Planning cont.
• Conduct an internal control review
• Set the audit scope and audit objectives
• Develop the audit approach or audit strategy
• Assign personnel resources to the audit and address engagement logistics
Effect of Laws and Regulations on IS Audit Planning
Regulatory requirements
• Adequate controls
• Privacy
• Responsibilities
• Oversight and governance
• Protection of assets
• Financial management
• Correlation to financial, operational and IT audit functions
Performing the Audit
ISACA IT Audit and Assurance Tools and Techniques
• Procedures developed by the ISACA Standards Board provide examples of possible processes an IS auditor might follow in an audit engagement
• The IS auditor should apply their own professional judgment to the specific circumstances
ISACA IT Audit and Assurance Standards Framework
Framework for the ISACA IS Auditing Standards:
• Standards
• Guidelines
• Procedures
Relationship Among Standards, Guidelines and Tools and Techniques
Standards
• Must be followed by IS auditors
Guidelines
• Provide assistance on how to implement the standards
Tools and techniques
• Provide examples for implementing the standards
ISACA IT Audit and Assurance Standards Framework cont.
• S1 Audit Charter
• S2 Independence
• S3 Ethics and Standards
• S4 Competence
• S5 Planning
• S6 Performance of Audit Work
• S7 Reporting
• S8 Follow-up Activities
• S9 Irregularities and Illegal Acts
• S10 IT Governance
• S11 Use of Risk Assessment in Audit Planning
• S12 Audit Materiality
• S13 Using the Work of Other Experts
• S14 Audit Evidence
• S15 IT Controls
• S16 E-commerce
Evidence
It is a requirement that the auditor's conclusions be based on sufficient, competent evidence:
• Independence of the provider of the evidence
• Qualification of the individual providing the information or evidence
• Objectivity of the evidence
• Timing of the evidence
Gathering Evidence
Techniques for gathering evidence:
• Review IS organization structures
• Review IS policies and procedures
• Review IS standards
• Review IS documentation
• Interview appropriate personnel
• Observe processes and employee performance
Sampling
General approaches to audit sampling:
• Statistical sampling
• Non-statistical sampling
Compliance vs. Substantive Testing
• Compliance test: determines whether controls are in compliance with management policies and procedures
• Substantive test: tests the integrity of actual processing
• Correlation between the level of internal controls and the substantive testing required
• Relationship between compliance and substantive tests
Testing Controls
• Review the system to identify controls
• Test compliance to determine whether controls are functioning
• Evaluate the controls to determine the basis for reliance and the nature, scope and timing of substantive tests
• Use two types of substantive tests to evaluate the validity of the data:
  • Test balances and transactions
  • Perform analytic review procedures
Integrated Auditing
Process whereby appropriate audit disciplines are combined to assess key internal controls over an operation, process or entity.
Figure: integrated auditing combines the Operational Audit, IS Audit and Financial Audit disciplines
• Focuses on risk to the organization (for an internal auditor)
• Focuses on the risk of providing an incorrect or misleading audit opinion (for an external auditor)
Using the Services of Other Auditors and Experts
Considerations when using services of other auditors and experts:
• Audit charter or contractual stipulations
• Impact on overall and specific IS audit objectives
• Impact on IS audit risk and professional liability
• Independence and objectivity of other auditors and experts
Using the Services of Other Auditors and Experts cont.
Considerations when using services of other auditors and experts:
• Professional competence, qualifications and experience
• Scope of work proposed to be outsourced and approach
• Supervisory and audit management controls
• Method of communicating the results of audit work
• Compliance with legal and regulatory stipulations
• Compliance with applicable professional standards
Audit Risk
• Inherent risk
• Control risk
• Detection risk
• Overall audit risk
Computer-assisted Audit Techniques
• CAATs enable IS auditors to gather information independently
• CAATs include:
  • Generalized audit software (GAS)
  • Utility software
  • Debugging and scanning software
  • Test data
  • Application software tracing and mapping
  • Expert systems
Computer-assisted Audit Techniques cont.
Features of generalized audit software (GAS):
• Mathematical computations
• Stratification
• Statistical analysis
• Sequence checking
Computer-assisted Audit Techniques cont.
Functions supported by GAS:
• File access
• File reorganization
• Data selection
• Statistical functions
• Arithmetical functions
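An added example, not taken from the course slides, of what the GAS features and functions listed on the two slides above look like when an auditor runs them over a data file: sequence checking, stratification, statistical and arithmetical functions, and data selection. The invoice records and the band limits are constructed sample data, not a real audit population.

```python
"""GAS-style pass over a constructed invoice file (example, not course material)."""
from collections import Counter
from statistics import mean, pstdev

# Constructed sample records: (invoice number, amount). Not real data.
# The population deliberately contains gaps (1003, 1007) and a duplicate (1005).
SAMPLE_INVOICES = [
    (1001, 120.00), (1002, 95.50), (1004, 2300.00), (1005, 45.00),
    (1005, 45.00), (1006, 18000.00), (1008, 760.00), (1009, 310.25),
]


def sequence_check(records):
    """Sequence checking: report missing and duplicated document numbers.

    A gap may mean a voided or unrecorded document; a duplicate may mean a
    double posting. Both are exceptions the auditor follows up on."""
    numbers = [n for n, _ in records]
    counts = Counter(numbers)
    duplicates = sorted(n for n, c in counts.items() if c > 1)
    lo, hi = min(numbers), max(numbers)
    gaps = sorted(set(range(lo, hi + 1)) - set(numbers))
    return {"gaps": gaps, "duplicates": duplicates}


def stratify(records, band_limits):
    """Stratification: count and total the amounts falling into each band.

    band_limits is an ascending list of upper limits (exclusive); the final
    stratum is open-ended so that every record lands in exactly one band."""
    strata = []
    lower = 0.0
    for upper in list(band_limits) + [float("inf")]:
        amounts = [a for _, a in records if lower <= a < upper]
        strata.append({
            "lower": lower,
            "upper": upper,
            "count": len(amounts),
            "total": round(sum(amounts), 2),
        })
        lower = upper
    return strata


def statistics_summary(records):
    """Statistical and arithmetical functions: control totals and dispersion."""
    amounts = [a for _, a in records]
    return {
        "count": len(amounts),
        "total": round(sum(amounts), 2),
        "mean": round(mean(amounts), 2),
        "stdev": round(pstdev(amounts), 2),
    }


def select_for_review(records, threshold):
    """Data selection: pull every item at or above a materiality threshold
    so that the high-value stratum can be tested in full."""
    return [(n, a) for n, a in records if a >= threshold]


if __name__ == "__main__":
    print("sequence:", sequence_check(SAMPLE_INVOICES))
    for band in stratify(SAMPLE_INVOICES, [100.0, 1000.0, 10000.0]):
        print("stratum:", band)
    print("summary:", statistics_summary(SAMPLE_INVOICES))
    print("selected:", select_for_review(SAMPLE_INVOICES, 1000.0))
```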
Computer-assisted Audit Techniques cont.
CAATs as a continuous online audit approach:
• Improves audit efficiency
• IS auditors must:
  • Develop audit techniques for use with advanced computerized systems
  • Be involved in the design of advanced systems to support audit requirements
  • Make greater use of automated tools
Audit Analysis and Reporting
Audit Documentation
Audit documentation includes:
• Planning and preparation of the audit scope and objectives
• Description of the scoped audit area
• Audit program
• Audit steps performed and evidence gathered
• Other experts used
• Audit findings, conclusions and recommendations
Automated Work Papers
• Risk analysis
• Audit programs
• Results
• Test evidence
• Conclusions
• Reports and other complementary information
Automated Work Papers cont.
Minimum controls:
• Access to work papers
• Audit trails
• Automated features to provide and record approvals
• Security and integrity controls
• Backup and restoration
• Encryption techniques
Evaluation of Audit Strengths and Weaknesses
• Assess evidence
• Evaluate overall control structure
• Evaluate control procedures
• Assess control strengths and weaknesses
Communicating Audit Results
Exit interview
• Correct facts
• Realistic recommendations
• Implementation dates for agreed recommendations
Presentation techniques
• Executive summary
• Visual presentation
Communicating Audit Results cont.
Audit report structure and contents
• Introduction to the report
• Audit findings presented in separate sections
• The IS auditor's overall conclusion and opinion
• The IS auditor's reservations with respect to the audit – audit limitations
• Detailed audit findings and recommendations
Communicating Audit Results cont.
Audit recommendations may not be accepted
• Negotiation
• Conflict resolution
• Explanation of results, findings and best practices or legal requirements
Management Implementation of Audit Recommendations
• Ensure that accepted recommendations are implemented as per schedule
• Auditing is an ongoing process
• Timing a follow-up
Control Self-Assessment
• A management technique
• A methodology
• In practice, a series of tools
• Can be implemented by various methods
Objectives of CSA
• Leverage the internal audit function by shifting some control monitoring responsibilities to functional areas
• Enhancement of audit responsibilities, not a replacement
• Educate management about control design and monitoring
• Empowerment of workers to assess the control environment
Benefits of CSA
• Early detection of risks
• More effective and improved internal controls
• Increased employee awareness of organizational objectives
• Highly motivated employees
• Improved audit rating process
• Reduction in control cost
• Assurance provided to stakeholders and customers
Disadvantages of CSA
• Could be mistaken as an audit function replacement
• May be regarded as an additional workload
• Failure to act on improvement suggestions could damage employee morale
• Lack of motivation may limit effectiveness in the detection of weak controls
Auditor Role in CSA
• Internal control professionals
• Assessment facilitators
Traditional vs. CSA Approach
Traditional approach
• Assigns duties/supervises staff
• Policy/rule driven
• Limited employee participation
• Narrow stakeholder focus
CSA approach
• Empowered/accountable employees
• Continuous improvement/learning curve
• Extensive employee participation and training
• Broad stakeholder focus
Continuous Auditing vs. Continuous Monitoring
Continuous monitoring
• Provided by IS management tools
• Based on automated procedures to meet fiduciary responsibilities
Continuous auditing
• Audit-driven
• Completed using automated audit procedures
Continuous Auditing
Distinctive character
• Short time lapse between the facts to be audited and the collection of evidence and audit reporting
Drivers
• Better monitoring of financial issues
• Allows real-time transactions to benefit from real-time monitoring
• Prevents financial fiascoes and audit scandals
• Uses software to determine proper financial controls
Continuous Auditing cont.
Application of continuous auditing due to:
• New information technology developments
• Increased processing capabilities
• Standards
• Artificial intelligence tools
Continuous Auditing cont.
Advantages
• Instant capture of internal control problems
• Reduction of intrinsic audit inefficiencies
Disadvantages
• Difficulty in implementation
• High cost
• Elimination of auditors' personal judgment and evaluation
ISACA Code of Professional Ethics
The Association’s Code of Professional Ethics provides guidance for the professional and personal conduct of members of ISACA and/or holders of ISACA designations.
Conclusion
Know:
• Audit planning
• Performing an audit
• Risk as related to audit planning and performance
• Ongoing audit techniques
• Ethics
2015 CISA Review Course
IT Governance and Management of IT
Exam Relevance
Ensure that the CISA candidate…
• Understands and can provide assurance that the organization has the structure, policies, accountability mechanisms and monitoring practices in place to achieve the requirements of corporate governance of IT.
• The content area in this chapter will represent approximately 14% of the CISA examination (approximately 28 questions).
Figure: % of total exam questions by chapter – Chapter 1 14%, Chapter 2 14%, Chapter 3 19%, Chapter 4 23%, Chapter 5 30%
Agenda
• Tasks and Knowledge Statements
• Definition of Corporate Governance
• Strategic Planning and Models
• Policies, Standards and Procedures
Task Statements
• Effective governance of IT to support the organization
• IT organizational structure
  • Strategy
  • Policies, standards, procedures
• Reporting to management
• Monitoring of controls
Task Statements cont.
• Resource investment and management
  • Contracting
• Performance measurement and reporting
• Risk management strategies
• Business continuity strategy
  • Business impact analysis
Governance and Management of IT
Corporate Governance
• Ethical corporate behaviour
• Governance of IT systems and assets towards the preservation of value for all stakeholders
• Resource management
• Establishment of rules to manage and report on business risks
IT Governance
Comprises the body of issues addressed in considering how IT is applied within the enterprise.
Effective enterprise governance focuses on:
• Individual and group expertise
• Experience in specific areas
Key element: alignment of business and IT
IT Governance cont.
Two issues:
• IT delivers value to the business
• IT risks are managed
Information Technology Monitoring and Assurance Practices for Management
IT governance implies a system where all stakeholders provide input into the decision making process:
• Board
• Internal customers
• Finance
Best Practices for IT Governance
Strategic alignment
• Focuses on ensuring the linkage of business and IT plans; defining, maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations
Value delivery
• Is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising costs and improving the intrinsic value of IT
Resource management
• Is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimisation of knowledge and infrastructure.
Best Practices for IT Governance cont.
Risk management
• Requires risk awareness by senior corporate officers, a clear understanding of the enterprise's appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise and embedding of risk management responsibilities into the organisation
Performance measurement
• Tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting
Information Security Governance
Focused activity with specific value drivers
• Integrity of information
• Continuity of services
• Protection of information assets
Integral part of IT governance
Importance of information security governance
Information Security Governance
• Should be supported at the highest levels of the organization
• Information security governance broadens the scope beyond simply protecting IT systems and data to integrated, overall security regardless of how information is handled, processed, transported or stored
• Protects information assets at all times, in all forms (electronic, paper, communicated), and in all locations
Information Security Governance
• Exposure to civil and legal liability and to regulators
• Provides assurance of policy compliance
• Enhances business operations continuity – lower risk and uncertainty
• Foundation for risk management, enhanced processes and fast incident response procedures
• Optimizes allocation of the limited security resources as well as the procurement process
• Ensures that important decisions are made on accurate data
Results of Security Governance
• Strategic link to business / organization objectives
• Overall risk management
• Optimized investments
• Management of resources
• Reporting on performance / results
• Process integration
Strategic Planning and Models

IS Strategy
Strategic planning
Steering committee role
Primary strategic functions

Strategic Enterprise Architecture Plans
Involves documenting an organization's IT assets in a structured manner to facilitate understanding, management and planning for IT investments
Often involves both a current-state and an optimized future-state representation

IT Strategy Committee
The creation of an IT strategy committee is an industry best practice
The committee should broaden its scope to include not only advice on strategy when assisting the board in its IT governance responsibilities, but also a focus on IT value, risks and performance

Standard IT Balanced Scorecard
A process management evaluation technique that can be applied to the IT governance process in assessing IT functions and processes
The method goes beyond traditional financial evaluation
One of the most effective means to aid the IT strategy committee and management in achieving IT and business alignment
Enterprise Architecture cont.
The basic Zachman Framework: a grid of perspectives (Scope, Enterprise Model, Systems Model, Technology Model, Detailed Representation) against aspects (Data, Functional, Network, People, Process, Strategy)

Enterprise Architecture cont.
The Federal Enterprise Architecture (FEA) hierarchy:
• Performance
• Business
• Service component
• Technical
• Data

Maturity and Process Improvement Models
• IDEAL model
• Capability Maturity Model Integration (CMMI)
• Team Software Process (TSP)
• Personal Software Process (PSP)

IT Investment and Allocation Practices
Financial benefits: impact on budget and finances
Nonfinancial benefits: impact on operations or mission performance and results

Auditing IT Governance Structure and Implementation
Indicators of potential problems include:
• Unfavorable end-user attitudes
• Excessive costs
• Budget overruns
• Late projects
• High staff turnover
• Inexperienced staff
• Frequent hardware/software errors
Policies, Standards and Procedures

Policies and Procedures
Reflect management guidance and direction in developing controls over:
• Information systems
• Related resources
• IS department processes

Policies
High-level documents
Must be clear and concise
Set the tone for the organization as a whole (top down)
Lower-level policies are defined by individual divisions and departments

Policies cont.
Information Security Policy
• Defines information security, overall objectives and scope
• Statement of management intent
• Framework for setting control objectives, including risk management
• Defines responsibilities for information security management
Acceptable Use Policy

Procedures
Procedures are detailed documents that describe the steps a person must follow when undertaking an activity:
• Define and document implementation of policies
• Must be derived from the parent policy
• Must implement the spirit (intent) of the policy statement
• Must be written in a clear and concise manner

Standards
Audits measure compliance with standards of:
• Operational procedures
• Best practices
• Consistency of performance
Risk Management

Risk Management Process
IT risk management needs to operate at multiple levels, including:
• The operational level
• The project level
• The strategic level

Risk Analysis Methods
Qualitative
Semi-quantitative
Quantitative
• Probability and expectancy
• Single loss expectancy
• Annual loss expectancy method

Risk Mitigation
Options for treating risk: eliminate, avoid, accept, mitigate, transfer

Resource Management
Organization of the IT Function
The auditor must assess whether the IT department is correctly:
• Funded
• Aligned with business needs
• Managed
• Staffed (skills)

IS Roles and Responsibilities
Systems development manager
Project management
Service desk (help desk)
End user
End user support manager
Data management
Quality assurance manager
Information security manager

IS Roles and Responsibilities cont.
Vendor and outsourcer management
Infrastructure operations and maintenance
Media management
Data entry
Systems administration
Security administration
Quality assurance
Database administration

IS Roles and Responsibilities cont.
Systems analyst
Security architect
Applications development and maintenance
Infrastructure development and maintenance
Network management

Segregation of Duties Within IS
Avoids the possibility of errors or misappropriations
Discourages fraudulent acts
Limits access to data

Segregation of Duties Controls
Control measures to enforce segregation of duties include:
• Transaction authorization
• Custody of assets
• Access to data
• Authorization forms
• User authorization tables

Segregation of Duties Controls cont.
Compensating controls for lack of segregation of duties include:
• Audit trails
• Reconciliation
• Exception reporting
• Transaction logs
• Supervisory reviews
• Independent reviews
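The two slides above name user authorization tables as the enforcement mechanism and list compensating controls for where duties cannot be separated. The following Python is an added example (not from the course material) of how an auditor or security engineer can test a user authorization table for segregation-of-duties conflicts: it flags users already holding an incompatible pair of duties (candidates for compensating controls such as supervisory review) and checks a proposed new grant before it is made. The duty names, the conflict matrix and the sample authorization table are constructed assumptions; a real review would use the organization's own role model.

```python
"""Segregation-of-duties check over a user authorization table.

Added example, not course material. Duty names, the conflict matrix and
the sample authorization table below are constructed assumptions.
"""
from collections import defaultdict

# Constructed conflict matrix: pairs of duties one person should not hold.
# The pairs reflect the control areas on the slide: transaction
# authorization, custody of assets and access to data/systems.
CONFLICTING_DUTIES = {
    frozenset({"authorize_payment", "record_payment"}),
    frozenset({"authorize_payment", "custody_of_cash"}),
    frozenset({"record_payment", "custody_of_cash"}),
    frozenset({"develop_code", "deploy_to_production"}),
    frozenset({"security_admin", "db_admin"}),
}

# Constructed user authorization table: user -> set of assigned duties.
AUTH_TABLE = {
    "alice": {"authorize_payment", "view_reports"},
    "bob": {"record_payment", "custody_of_cash"},
    "carol": {"develop_code", "deploy_to_production", "view_reports"},
    "dave": {"security_admin"},
}


def find_sod_violations(auth_table, conflicts=CONFLICTING_DUTIES):
    """Return {user: [sorted (duty, duty) pairs]} for every user whose
    assigned duties contain a pair the conflict matrix forbids."""
    violations = defaultdict(list)
    for user, duties in auth_table.items():
        for pair in conflicts:
            if pair <= duties:  # user holds both duties of the pair
                violations[user].append(tuple(sorted(pair)))
    return {user: sorted(pairs) for user, pairs in violations.items()}


def users_needing_compensating_controls(auth_table, conflicts=CONFLICTING_DUTIES):
    """Users in violation: where the conflict cannot be removed, the slide's
    compensating controls (audit trails, supervisory review, ...) apply."""
    return sorted(find_sod_violations(auth_table, conflicts))


def would_conflict(auth_table, user, new_duty, conflicts=CONFLICTING_DUTIES):
    """Preventive check: would granting new_duty to user create a conflict?"""
    proposed = auth_table.get(user, set()) | {new_duty}
    return any(pair <= proposed and new_duty in pair for pair in conflicts)


if __name__ == "__main__":
    for user, pairs in find_sod_violations(AUTH_TABLE).items():
        print(f"{user}: conflicting duties {pairs}")
    print("needs compensating controls:", users_needing_compensating_controls(AUTH_TABLE))
    print("grant custody_of_cash to alice?", not would_conflict(AUTH_TABLE, "alice", "custody_of_cash"))
```

The detective check (`find_sod_violations`) is what an auditor runs over an exported authorization table; the preventive check (`would_conflict`) is what an access-request workflow runs before approving a grant, so that conflicts are refused rather than reported after the fact.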
Human Resource Management
Hiring
Employee handbook
Promotion policies
Training
Scheduling and time reporting
Employee performance evaluations
Required vacations
Termination policies

Sourcing Practices
Sourcing practices relate to the way an organization obtains the IS function required to support the business
Organizations can perform all IS functions in-house or outsource all functions across the globe
The sourcing strategy should consider each IS function and determine which approach (insourcing or outsourcing) allows the IS function to meet the organization's goals
Management of IT Functional Operations

Organizational Change Management
What is change management?
Managing changes to the organization's:
• Projects
• Systems
• Technology
• Configurations
Identify and apply technology improvements at the infrastructure and application level

Change Management cont.
All changes must be documented, approved and tested
All changes must be performed correctly and monitored for successful execution
Changes must not degrade system security or performance

Quality Management
Software development, maintenance and implementation
Acquisition of hardware and software
Day-to-day operations
Service management
Security
Human resource management
General administration

Performance Optimization
Performance measures indicate the quality of the IT program
• Measures should be set to evaluate services critical to business success
There are generally five ways to use performance measures:
1. Measure products/services
2. Manage products/services
3. Ensure accountability
4. Make budget decisions
5. Optimize performance

Reviewing Documentation
The following documents should be reviewed:
• IT strategies, plans and budgets
• Security policy documentation
• Organization/functional charts
• Job descriptions
• Steering committee reports
• System development and program change procedures
• Operations procedures
• Human resource manuals
• Quality assurance procedures

Reviewing Contractual Commitments
There are various phases to computer hardware, software and IS service contracts, including:
• Development of contract requirements and service levels
• Contract bidding process
• Contract selection process
• Contract acceptance
• Contract maintenance
• Contract compliance
Business Continuity Planning

Business Continuity Planning
Business continuity planning (BCP) is a process designed to reduce the organization's business risk
A BCP is much more than just a plan for the information systems

IS Business Continuity Planning
IS processing is of strategic importance
• Critical component of the overall BCP
• Most key business processes depend on the availability of key systems and infrastructure components

Disasters and Other Disruptive Events
Disasters are disruptions that cause critical information resources to be inoperative for a period of time
Good BCP will take into account impacts on IS processing facilities

Business Continuity Planning Process

Business Continuity Policy
Defines the extent and scope of business continuity for both internal and external stakeholders
Should be proactive

Business Continuity Planning: Incident Management
All types of incidents should be categorized:
• Negligible
• Minor
• Major
• Crisis

Business Impact Analysis
Critical step in developing the business continuity plan
Three main questions to consider during the BIA phase:
1. What are the different business processes?
2. What are the critical information resources related to an organization's critical business processes?
3. What is the critical recovery time period for information resources in which business processing must be resumed before significant or unacceptable losses are suffered?

Business Impact Analysis cont.
What is the system's risk ranking?
• Critical
• Vital
• Sensitive
• Non-sensitive

Development of Business Continuity Plans
Factors to consider when developing the plans:
• Pre-disaster readiness covering incident response management to address all relevant incidents affecting business processes
• Evacuation procedures
• Procedures for declaring a disaster (escalation procedures)
• Circumstances under which a disaster should be declared

Development of Business Continuity Plans cont.
Factors to consider when developing the plans:
• The clear identification of the responsibilities in the plan
• The clear identification of the persons responsible for each function in the plan
• The clear identification of contract information
• The step-by-step explanation of the recovery process
• The clear identification of the various resources required for recovery and continued operation of the organization

Other Issues in Plan Development
Management and user involvement is vital to the success of BCP
• Essential to the identification of critical systems, recovery times and resources
• Involvement from support services, business operations and information processing support
The entire organization needs to be considered for BCP

Components of a Business Continuity Plan
A business continuity plan may consist of more than one plan document:
• Continuity of operations plan (COOP)
• Disaster recovery plan (DRP)
• Business resumption plan
• Continuity of support plan / IT contingency plan
• Crisis communications plan
• Incident response plan
• Transportation plan
• Occupant emergency plan (OEP)
• Evacuation and emergency relocation plan

Components of a Business Continuity Plan cont.
Components of the plan:
• Key decision-making personnel
• Backup of required supplies
• Insurance
Insurance
• IS equipment and facilities
• Media (software) reconstruction
• Extra expense
• Business interruption
• Valuable papers and records
• Errors and omissions
• Fidelity coverage
• Media transportation

Plan Testing
Schedule testing at a time that will minimize disruptions to normal operations
The test must simulate actual processing conditions
Test execution:
• Documentation of results
• Results analysis
• Recovery/continuity plan maintenance

Summary of Business Continuity
The business continuity plan must:
• Be based on the long-range IT plan
• Comply with the overall business continuity strategy

Summary of Business Continuity and Disaster Recovery cont.
Process for developing and maintaining the BCP/DRP:
• Conduct a risk assessment
• Prepare a business impact analysis
• Choose appropriate controls and measures for recovering IT components to support the critical business processes
• Develop the detailed plan for recovering IS facilities (DRP)
• Develop a detailed plan for the critical business functions to continue to operate at an acceptable level (BCP)
• Test the plans
• Maintain the plans as the business changes and systems develop

Auditing Business Continuity
• Understand and evaluate the business continuity strategy
• Evaluate plans for accuracy and adequacy
• Verify plan effectiveness
• Evaluate offsite storage
• Evaluate the ability of IS and user personnel to respond effectively
• Ensure plan maintenance is in place
• Evaluate readability of business continuity manuals and procedures

Reviewing the Business Continuity Plan
IS auditors should verify that the plan is up to date, including:
• Currency of documents
• Effectiveness of documents
• Interviewing personnel for appropriateness and completeness of the plan

Evaluation of Prior Test Results
IS auditors must review the test results to:
• Determine whether corrective actions are in the plan
• Evaluate thoroughness and accuracy
• Determine problem trends and resolution of problems

Evaluation of Offsite Storage
An IS auditor must:
• Evaluate presence, synchronization and currency of media and documentation
• Perform a detailed inventory review
• Review all documentation
• Evaluate availability of the facility

Interviewing Key Personnel
Key personnel must have an understanding of their responsibilities
Current detailed documentation must be kept

Evaluation of Security at Offsite Facility
An IS auditor must:
• Evaluate the physical and environmental access controls
• Examine the equipment for current inspection and calibration tags

Reviewing Alternative Processing Contract
An IS auditor should obtain a copy of the contract with the vendor
The contract should be reviewed against a number of guidelines:
• Contract is clear and understandable
• Organization's agreement with regulations

Reviewing Insurance Coverage
Insurance coverage must reflect the actual cost of recovery
Coverage of the following must be reviewed for adequacy:
• Media damage
• Business interruption
• Equipment replacement
• Business continuity processing

End of Domain
2015 CISA Review Course
Chapter 3: Information Systems Acquisition, Development and Implementation

Exam Relevance
Ensure that the CISA candidate:
• Understands and can provide assurance that the practices for the acquisition, development, testing and implementation of information systems meet the enterprise's strategies and objectives.
• The content area in this chapter will represent approximately 19% of the CISA examination (approximately 38 questions).
[Chart: % of total exam questions by chapter: Chapter 1 14%, Chapter 2 14%, Chapter 3 19%, Chapter 4 23%, Chapter 5 30%]

Agenda
Learning Objectives
Program and Project Management
Systems Development Models
Types of Specialized Business Applications
Acquisition
Change Control
Learning Objectives
Evaluate the business case for IT project approval
• Feasibility, meets business objectives
Evaluate project management practices and controls
• Cost-effective, meets business objectives
Conduct project reviews
• On schedule, budget, deliverables, documentation

Learning Objectives cont.
Ensure controls are built into systems during the requirements, acquisition, development and testing phases
Evaluate readiness of the system for implementation and migration into production
Conduct post-implementation reviews to ensure project and business objectives are met

Program and Project Management

Portfolio/Program Management
A program is a group of projects and time-bound tasks that are closely linked together through common objectives, a common budget, intertwined schedules and strategies
Programs have a limited time frame (start and end date) and organizational boundaries

Portfolio/Program Management (continued)
The objectives of project portfolio management are:
• Optimization of the results of the project portfolio
• Prioritizing and scheduling projects
• Resource coordination (internal and external)
• Knowledge transfer throughout the projects

Business Case Development and Approval
A business case:
• Provides the information required for an organization to decide whether a project should proceed
• Is normally derived from a feasibility study as part of project planning
• Should be of sufficient detail to describe the justification for setting up and continuing a project

Benefits Realization Techniques
Benefits realization requires:
• Describing benefits management or benefits realization
• Assigning a measure and target
• Establishing a tracking/measuring regime
• Documenting the assumption
• Establishing key responsibilities for realization
• Validating the benefits predicted in the business
• Planning the benefit that is to be realized

General IT Project Aspects
IS projects may be initiated from any part of an organization
A project is always a time-bound effort
Project management should be a business process of a project-oriented organization
The complexity of project management requires a careful and explicit design of the project management process
Project Context and Environment
A project context can be divided into a time and a social context. The following must be taken into account:
• Importance of the project in the organization
• Connection between the organization's strategy and the project
• Relationship between the project and other projects
• Connection between the project and the underlying business case

Project Organizational Forms
Three major forms of organizational alignment for project management are:
• Influence project organization
• Pure project organization
• Matrix project organization

Project Communication
Depending on the size and complexity of the project and the affected parties, communication may be achieved by:
• One-on-one meetings
• Kick-off meetings
• Project start workshops
• A combination of the three

Project Objectives
A project needs clearly defined results that are specific, measurable, achievable, relevant and time-bound (SMART)
A commonly accepted approach to defining project objectives is to begin with an object breakdown structure (OBS)
After the OBS has been compiled, a work breakdown structure (WBS) is designed

Roles and Responsibilities of Groups and Individuals
• Senior management
• User management
• Project steering committee
• Project sponsor
• Systems development management
• Project manager
• Systems development project team
• User project team
• Security officer
• Quality assurance

Project Management Practices
Project management is bound by the iron triangle:
• Schedule
• Resources
• Scope
Changing any one element will invariably change the other two
Project Planning
The project manager needs to determine:
• The various tasks that need to be performed to produce the expected business application system
• The sequence or the order in which these tasks need to be performed
• The duration or the time window for each task
• The priority of each task
• The IT resources that are available and required to perform these tasks
• Budget or costing for each of these tasks
• Source and means of funding

Project Planning cont.
Software size estimation
• Lines of source code
• Function point analysis
• FPA feature points
• Cost budgets
• Software cost estimation
Scheduling and establishing the time frame
• Critical path methodology
• Gantt chart
• PERT
• Time box management

General Project Management
Involves automated techniques to handle proposals and cost estimations, and to monitor, predict and report on performance with recommended action items
Many of these techniques are provided as decision support systems (DSS) for planning and controlling project resources

Project Controlling
Includes management of:
• Scope
• Resource usage
• Risk
  • Inventory
  • Assess
  • Mitigate
  • Discover
  • Review and evaluate

Project Risk
The CISA must review the project for risks that the project will not deliver the expected benefits:
• Scope creep
• Lack of skilled resources
• Inadequate requirements definition
• Inadequate testing
• Push to production without sufficient allotted time

Closing a Project
When closing a project, there may still be some issues that need to be resolved, ownership of which needs to be assigned
The project sponsor should be satisfied that the system produced is acceptable and ready for delivery
Custody of contracts may need to be assigned, and documentation archived or passed on to those who will need it
Systems Development Models (SDLC)

Business Application Development
The implementation process for business applications, commonly referred to as an SDLC, begins when an individual application is initiated as a result of one or more of the following situations:
• A new opportunity that relates to a new or existing business process
• A problem that relates to an existing business process
• A new opportunity that will enable the organization to take advantage of technology
• A problem with the current technology

Traditional SDLC Approach
Also referred to as the waterfall technique, this life cycle approach is the oldest and most widely used for developing business applications
Based on a systematic, sequential approach to software development that begins with a feasibility study and progresses through requirements definition, design, development, implementation and post-implementation

Traditional SDLC Approach cont.
Some of the problems encountered with this approach include:
• Unanticipated events
• Difficulty in obtaining an explicit set of requirements from the user
• Managing requirements and convincing the user about undue or unwarranted requirements in the system functionality
• The necessity of user patience
• A changing business environment that alters or changes the user's requirements before they are delivered

Traditional SDLC Approach cont.
Phases: Feasibility, Requirements, Design / Selection, Development / Configuration, Implement, Post-Implementation

Requirements Definition
Need to understand business requirements
• May involve helping the business to understand their needs
• Trace business requirements to systems requirements
• Justify systems solutions based on stated business requirements

Business Process Reengineering and Process Change Projects

Business Process Reengineering and Process Change Projects cont.
BPR methods and techniques
• Benchmarking process
Risks Associated with Software Development
Business risk relates to the likelihood that the new system may not meet the users' business needs, requirements and expectations
Potential risks that can occur when designing and developing software systems:
• Within the project
• With suppliers
• Within the organization
• With the external environment

Use of Structured Analysis, Design and Development Techniques
Closely associated with the traditional, classic SDLC approach
Techniques provide a framework for representing the data and process components of an application using various graphical notations at different levels of abstraction, until it reaches the abstraction level that enables programmers to code the system

Alternative Development Methods
Many new software development approaches have emerged. The traditional waterfall model is being replaced along with some revolutionary thinking. IS auditing may encounter the following:
• Incremental
• Evolutionary
• Agile development
• Iterative
• Spiral

Agile Development
Agile development refers to a family of similar development processes that espouse a nontraditional way of developing complex systems. Agile development processes have a number of common characteristics, including:
• The use of small, time-boxed subprojects or iterations
• Re-planning the project at the end of each iteration
• Relatively greater reliance on tacit knowledge
• Heavy influence on mechanisms to effectively disseminate tacit knowledge and promote teamwork
• A change in the role of the project manager

Agile Development
Image available: http://www.gettingagile.com/wp-content/uploads/2009/05/scrumframework.png

Prototyping
The process of creating a system through controlled trial-and-error procedures to reduce the level of risk in developing the system
Reduces the time to deploy systems, primarily by using faster development tools such as fourth-generation techniques
A potential risk is that the finished system will have poor controls
Change control often becomes more complicated

Rapid Application Development
Concept definition → Functional design → Development → Deployment

Other Alternative Development Methods
Data-oriented (DOSD)
Object-oriented (OOSD)
Component-based (DCOM, CORBA, RMI, MTS, EJB)
Web-based (XML, SOAP)
Reverse engineering

Computer-aided Software Engineering
CASE involves automated tools at three levels: upper, middle and lower
Available for mainframe and mini/microcomputers
Enforces a uniform approach to system development, enables storage and retrieval of documentation, and automates system design data
The auditor may even use a CASE tool him/herself

Fourth-generation Languages
Common characteristics of 4GLs include:
• Nonprocedural language
• Environmental independence (portability)
• Software facilities
• Programmer workbench concepts
• Simple language subsets
4GLs are classified as:
• Query and report generators
• Embedded database 4GLs
• Relational database 4GLs
• Application generators
Types of Specialized Business Applications

Electronic Commerce
E-commerce risks:
• Confidentiality
• Integrity
• Availability
• Authentication and non-repudiation
• Power shift to customers
It is important to take into consideration the importance of security issues that extend beyond confidentiality objectives

Electronic Data Interchange
The benefits associated with the adoption of EDI include:
• Less paperwork
• Fewer errors during the exchange of information
• Improved information flow, database-to-database and company-to-company
• No unnecessary rekeying of data
• Fewer delays in communication
• Improved invoicing and payment processes

Electronic Mail
At the most basic level, the e-mail process can be divided into two principal components:
• Mail servers, which are hosts that deliver, forward and store mail
• Clients, which interface with users and allow users to read, compose, send and store e-mail messages

Electronic Banking
Banks should have a risk management process to enable them to identify, measure, monitor and control their technology risk exposure
Risk management of new technologies has three essential elements:
• Risk management is the responsibility of the board of directors and senior management
• Implementing technology is the responsibility of IT senior management members
• Measuring and monitoring risk is the responsibility of members of operational management

Electronic Finance
Advantages of e-finance to consumers include:
• Lower costs
• Increased breadth and quality
• Widening access to financial services
• A-synchrony (time-decoupled)
• A-topy (location-decoupled)

Electronic Funds Transfer
Electronic funds transfer (EFT) is the exchange of money via telecommunications without currency actually changing hands
Allows parties to move money from one account to another, replacing traditional check writing and cash collection procedures
Usually functions via an internal bank transfer from one party's account to another or via a clearinghouse network

Automated Teller Machine
Recommended internal control guidelines for ATMs include:
• Written policies and procedures covering personnel, security controls, operations, settlement, balancing, etc.
• Procedures for PIN issuance and protection during storage
• Procedures for the security of PINs during delivery
• Controls over plastic card procurement
• Controls and audit trails of the transactions that have been made at the ATM
Artificial Intelligence and Expert Systems
Artificial intelligence is the study and application of the principles by which:
• Knowledge is acquired and used
• Goals are generated and achieved
• Information is communicated
• Collaboration is achieved
• Concepts are formed
• Languages are developed

Business Intelligence
Business intelligence (BI) is a broad field of IT that encompasses the collection and dissemination of information to assist decision making and assess organizational performance
Some typical areas in which BI is applied include:
• Process cost, efficiency and quality
• Customer satisfaction with product and service offerings
• Customer profitability
• Staff and business unit achievement of KPIs
• Risk management

Decision Support System
A decision support system (DSS) is an interactive system that provides the user with easy access to decision models and data from a wide range of sources, to support semi-structured decision-making tasks, typically for business purposes

Decision Support System cont.
A principle of DSS design is to concentrate less on efficiency and more on effectiveness
A DSS is often developed with a specific decision or well-defined class of decisions to solve
Frameworks are generalizations about a field that help put many specific cases and ideas into perspective
• G. Gorry-M.S. Morton framework
• Sprague-Carson framework

Decision Support System cont.
Prototyping is the most popular approach to DSS design and development
It is difficult to implement a DSS because of its discretionary nature

Decision Support System cont.
Developers should be prepared for eight implementation risk factors:
• Nonexistent or unwilling users
• Multiple users or implementers
• Disappearing users, implementers or maintainers
• Inability to specify purpose or usage patterns in advance
• Inability to predict and cushion impact on all parties
• Lack or loss of support
• Lack of experience with similar systems
• Technical problems and cost-effectiveness issues

Decision Support System cont.
The DSS designer and user should use broad evaluation criteria, including:
• Traditional cost-benefit analysis
• Procedural changes, more alternatives examined, less time consumed in making the decision
• Evidence of improvement in decision making
• Changes in the decision process

Acquisition
Infrastructure Development / Acquisition Practices Analysis of present infrastructure leads to new design, techniques, procedures, training. Under umbrella of business continuity, legacy hw/sw, data conversion: Translation, 24 x 7 availability.
Goals: Reduce costs, increase profitability, improve functionality , minimized impact, confidentiality- integrity- availability, afield, progressive migration and implementation Procurement
Delivery Time
Installation Plan
Test Installation
59 8/25/2015
Project Phases of Physical Architecture Analysis
60 8/25/2015
30
Hardware Acquisition Organization type Requirement for data processing. Hardware requirements. System software application. Support system. Adaptability needs. Constraint. Conversion needs. 61 8/25/2015
System Software Acquisition Business, technical, functional, collaborative needs. Security and reliability. Cost and benefits. Obsolescence and risk.
System Compatibility. Resource allocation. Training and personnel requirements. Need for scalability. Impact on present infrastructure. 62 8/25/2015
31
Auditing Systems Development, Acquisition and Maintenance An IS auditor’s tasks in system development, acquisition and maintenance include: • Determine the main components, objectives and user requirements of the system • Determine and rank the major risks to, and exposures of, the system • Identify controls to mitigate the risks to, and exposures of, the system • Monitor the system development process • Participate in post implementation reviews • Test system maintenance procedures • Evaluate the system maintenance process 63 8/25/2015
Auditing Systems Development Acquisition
1. Feasibility study
2. Requirements definition
3. Software acquisition process
4. Design and development
5. Testing
6. Implementation and review
7. Post-implementation
System Software Change Control Procedures
• Change management
  • RFC documents
  • Testing and auditing
  • Emergency changes
  • Unauthorized change control
• Configuration management
Application Controls
Application Controls
Application controls are controls over input, processing and output functions. They include methods for ensuring that:
• Only complete, accurate and valid data are entered and updated in a computer system
• Processing accomplishes the correct task
• Processing results meet expectations
• Data are maintained
Input/Origination Controls
• Input authorization
• Batch controls and balancing
• Error reporting and handling
Processing Procedures and Controls
• Data validation and editing procedures
• Processing controls
• Data file control procedures
Output Controls
Output controls provide assurance that the data delivered to users will be presented, formatted and delivered in a consistent and secure manner.
Types of Output Controls
Output controls include:
• Logging and storage of negotiable, sensitive and critical forms in a secure place
• Computer generation of negotiable instruments, forms and signatures
• Report distribution
• Balancing and reconciling
• Output error handling
• Output report retention
• Verification of receipt of reports
Business Process Control Assurance
Specific matters to consider in business process control assurance are:
• Process maps
• Process controls
• Assessing business risks within the process
• Benchmarking with best practices
• Roles and responsibilities
• Activities and tasks
• Data restrictions
Auditing Application Controls
• Data integrity testing
  • Online transaction processing systems
  • The ACID principle:
    • Atomicity
    • Consistency
    • Isolation
    • Durability
• Continuous online audit
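The ACID properties are easiest to audit with a concrete data integrity test. The following is an added example, not part of the CISA course material: a constructed two-account ledger in Python's built-in sqlite3 module, where a CHECK constraint expresses the consistency rule (balances must stay between 0 and 1000), a transfer runs as one transaction so that a failure on the second UPDATE rolls back the first (atomicity), and a control total is recomputed before and after processing, which is what an auditor would compare. The table name, balances and limits are assumptions for this example.

```python
"""Added example (not from the CISA course material): a data integrity test
for the ACID properties using Python's built-in sqlite3 module. The ledger,
account names, balances and the 0..1000 limit are constructed values."""
import sqlite3


def open_ledger() -> sqlite3.Connection:
    """Create an in-memory ledger. The CHECK constraint is the consistency
    rule: every committed state must keep balances within 0..1000."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE account (id TEXT PRIMARY KEY, "
        "balance INTEGER NOT NULL CHECK (balance BETWEEN 0 AND 1000))"
    )
    # constructed opening balances
    conn.executemany("INSERT INTO account VALUES (?, ?)", [("A", 600), ("B", 900)])
    conn.commit()
    return conn


def total_balance(conn: sqlite3.Connection) -> int:
    """Control total an auditor recomputes before and after processing."""
    return conn.execute("SELECT SUM(balance) FROM account").fetchone()[0]


def transfer(conn: sqlite3.Connection, src: str, dst: str, amount: int) -> bool:
    """Move funds atomically: both UPDATEs commit, or neither does.

    Returns True on commit and False when the transaction was rolled back,
    e.g. because the CHECK constraint rejected the credit on the second UPDATE.
    """
    try:
        with conn:  # sqlite3 connection context: commit on success, rollback on error
            conn.execute("UPDATE account SET balance = balance - ? WHERE id = ?",
                         (amount, src))
            conn.execute("UPDATE account SET balance = balance + ? WHERE id = ?",
                         (amount, dst))
        return True
    except sqlite3.IntegrityError:
        return False


def integrity_test() -> dict:
    """Run a valid transfer and an over-limit transfer, then check that the
    control total survived both and that the failed transfer left no
    half-applied debit behind."""
    conn = open_ledger()
    opening = total_balance(conn)
    ok = transfer(conn, "A", "B", 30)        # valid: A 570, B 930
    failed = transfer(conn, "A", "B", 500)   # debit of A succeeds, credit of B breaks CHECK -> rollback
    balances = dict(conn.execute("SELECT id, balance FROM account ORDER BY id"))
    return {
        "valid_committed": ok,
        "over_limit_rolled_back": not failed,
        "control_total_unchanged": total_balance(conn) == opening,
        "balances": balances,
    }


if __name__ == "__main__":
    print(integrity_test())
```

The second transfer is the interesting case: the debit on A succeeds on its own, so only the transaction boundary prevents A from losing 500 while B receives nothing. An auditor testing an OLTP system would look for exactly this pairing of control totals with forced-failure transactions.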
Application Testing
• Reasonableness checks
• Range checks (in-range and out-of-range values)
• Stress testing
• Regression testing
• Parallel testing
• Functionality testing
• Security assurance testing
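The input/origination and processing control slides above (batch controls and balancing, data validation and editing) and the reasonableness and range checks listed under application testing come together in one piece of code. The following is an added example, not from the course material: a constructed batch of timesheet records is balanced against its header (record count, financial total and a hash total of employee numbers), then each record is edited with a range check on hours and a reasonableness check of gross pay against hours. Field names, thresholds and sample values are assumptions for this example.

```python
"""Added example (not from the CISA course material): batch balancing and
field edits over a constructed timesheet batch. Field names, thresholds and
all sample values are assumptions for illustration."""
from typing import Dict, List, Tuple

# Edit rules (assumed values for illustration)
MAX_HOURS = 80.0                  # range check: 0 <= hours <= 80
MIN_RATE, MAX_RATE = 10.0, 150.0  # reasonableness: implied hourly rate


def batch_balances(header: Dict[str, float], records: List[dict]) -> List[str]:
    """Recompute control totals from the detail records and compare them with
    the batch header. Returns imbalance descriptions (empty list = balanced)."""
    problems = []
    count = len(records)
    financial_total = round(sum(r["gross_pay"] for r in records), 2)
    # hash total: a meaningless sum that still catches dropped or altered records
    hash_total = sum(r["emp_no"] for r in records)
    if count != header["record_count"]:
        problems.append(f"record count {count} != header {header['record_count']}")
    if financial_total != header["gross_total"]:
        problems.append(f"gross total {financial_total} != header {header['gross_total']}")
    if hash_total != header["emp_no_hash"]:
        problems.append(f"employee-number hash total {hash_total} != header {header['emp_no_hash']}")
    return problems


def edit_record(r: dict) -> List[str]:
    """Field-level validation of one record. Returns a list of error codes."""
    errors = []
    hours = r["hours"]
    if not (0 <= hours <= MAX_HOURS):
        errors.append("HOURS_OUT_OF_RANGE")          # range check
    if hours > 0:
        rate = r["gross_pay"] / hours
        if not (MIN_RATE <= rate <= MAX_RATE):
            errors.append("PAY_UNREASONABLE_FOR_HOURS")  # reasonableness check
    elif r["gross_pay"] != 0:
        errors.append("PAY_WITHOUT_HOURS")
    return errors


def process_batch(header: Dict[str, float],
                  records: List[dict]) -> Tuple[List[str], Dict[int, List[str]]]:
    """Balance the batch first, then edit each record. Rejected records are
    keyed by employee number for the error reporting and handling step."""
    imbalances = batch_balances(header, records)
    rejects: Dict[int, List[str]] = {}
    for r in records:
        errs = edit_record(r)
        if errs:
            rejects[r["emp_no"]] = errs
    return imbalances, rejects


# Constructed sample batch; header totals as the submitting department computed them
SAMPLE_HEADER = {"record_count": 4, "gross_total": 13970.00, "emp_no_hash": 4010}
SAMPLE_RECORDS = [
    {"emp_no": 1001, "hours": 40.0, "gross_pay": 1200.00},  # clean
    {"emp_no": 1002, "hours": 95.0, "gross_pay": 2850.00},  # hours out of range
    {"emp_no": 1003, "hours": 38.0, "gross_pay": 9500.00},  # 250/h: unreasonable
    {"emp_no": 1004, "hours": 0.0, "gross_pay": 420.00},    # pay with no hours
]

if __name__ == "__main__":
    imbalances, rejects = process_batch(SAMPLE_HEADER, SAMPLE_RECORDS)
    print("Batch imbalances:", imbalances or "none")
    for emp, errs in rejects.items():
        print(f"Record {emp} rejected: {', '.join(errs)}")
    # Dropping one record in transit is caught by all three control totals
    print("Short batch:", process_batch(SAMPLE_HEADER, SAMPLE_RECORDS[:3])[0])
```

Batch balancing and field edits answer different questions: the totals show whether the batch that arrived is the batch that was sent, while the edits show whether each record that arrived is plausible. A record can pass one and fail the other, which is why both appear as separate controls on the slides.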
Precautions Regarding Testing
• Do not use sensitive production data
• Do not test in production
• Do not use production file names
• Ensure that all tests are completed
• Document the results of all tests for follow-up
System Change Procedures and the Program Migration Process
An IS auditor should consider the following:
• The use of a methodology for authorizing, prioritizing and tracking system change requests from the user
• Whether emergency change procedures are documented in the operations manuals
• Whether change control is a formal procedure for the user and the development groups
• Whether the change control log ensures all changes shown were resolved
• User satisfaction with the turnaround of change requests
• Adequacy of the security access restrictions over production source and executable modules
System Change Procedures and the Program Migration Process cont.
For a selection of changes on the change control log:
• Determine whether changes to requirements resulted in appropriate change-development documents
• Determine whether changes were made as documented
• Determine whether current documentation reflects the changed environment
• Evaluate the adequacy of the procedures in place for testing system changes
• Review evidence to ensure that procedures are carried out as prescribed by organizational standards
• Review the procedures established for ensuring executable and source code integrity
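The two change-control slides above describe a review an auditor can largely automate over an exported change log. The following is an added example, not from the course material: it runs those checks over a constructed change log, flagging unresolved entries, implemented changes without recorded approval, emergency changes that never received the follow-up approval and test evidence, changes with no test evidence, changes whose documentation was not updated, and changes promoted to production by the person who requested them. The record fields, status values and sample entries are assumptions for this example.

```python
"""Added example (not from the CISA course material): an auditor's review of
a change control log. Field names, status values and the sample records are
constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Change:
    change_id: str
    requester: str
    approved_by: str          # empty string means no recorded approval
    emergency: bool
    status: str               # "open", "implemented", "closed" or "rejected"
    test_evidence: bool       # test results are attached to the record
    docs_updated: bool        # system documentation reflects the change
    implemented_by: str = ""  # who promoted the change to production


def review_change_log(changes: List[Change]) -> Dict[str, List[str]]:
    """Return finding category -> list of change IDs.

    The categories follow the review steps on the slides: unresolved entries,
    changes without documented approval, emergency changes lacking the
    required follow-up, missing test evidence, stale documentation, and the
    requester implementing their own change (segregation of duties)."""
    findings: Dict[str, List[str]] = {
        "unresolved": [],
        "no_approval": [],
        "emergency_without_followup": [],
        "no_test_evidence": [],
        "documentation_stale": [],
        "requester_implemented": [],
    }
    for c in changes:
        implemented = c.status in ("implemented", "closed")
        if c.status == "open":
            findings["unresolved"].append(c.change_id)
        if implemented and not c.approved_by:
            findings["no_approval"].append(c.change_id)
        if c.emergency and implemented and not (c.approved_by and c.test_evidence):
            findings["emergency_without_followup"].append(c.change_id)
        if implemented and not c.test_evidence:
            findings["no_test_evidence"].append(c.change_id)
        if implemented and not c.docs_updated:
            findings["documentation_stale"].append(c.change_id)
        if implemented and c.implemented_by and c.implemented_by == c.requester:
            findings["requester_implemented"].append(c.change_id)
    return findings


# Constructed sample log (not real data)
SAMPLE_LOG = [
    Change("CHG-001", "alice", "cab", False, "closed", True, True, "deploy-team"),
    Change("CHG-002", "bob", "", False, "implemented", True, True, "deploy-team"),
    Change("CHG-003", "carol", "cab", True, "closed", False, True, "carol"),
    Change("CHG-004", "dave", "cab", False, "open", False, False, ""),
    Change("CHG-005", "erin", "cab", False, "closed", True, False, "deploy-team"),
]

if __name__ == "__main__":
    for category, ids in review_change_log(SAMPLE_LOG).items():
        print(f"{category:28s} {ids or '-'}")
```

The script only tells the auditor where to look; the slides' next step, checking that the selected changes were actually made as documented, still needs the documents and the production code for each flagged change.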
End of Chapter Three
2015 CISA Review Course
Information Systems Operations, Maintenance and Support
Exam Relevance
Ensure that the CISA candidate:
• Understands and can provide assurance that the IT service management practices will ensure the delivery of the level of services required to meet the organization’s objectives.
• The content area in this chapter will represent approximately 23% of the CISA examination (approximately 46 questions).
Chart: % of total exam questions by chapter: Chapter 1 14%, Chapter 2 14%, Chapter 3 19%, Chapter 4 23%, Chapter 5 30%.
Agenda
• Learning objectives
• Auditing system operations and maintenance
• Auditing networks
• Business continuity and disaster recovery plans
Learning Objectives
• Conduct periodic reviews of information systems
• Evaluate service level agreements (SLAs) and third-party management practices
• Evaluate user and operations procedures
• Evaluate systems maintenance processes
• Ensure optimization and integrity of databases
Learning Objectives cont.
• Review capacity and performance to ensure that IT meets business requirements
• Evaluate incident management practices
• Ensure that no unauthorized changes are made to IT systems
• Review backup procedures
• Ensure disaster recovery plans will enable system recovery in the event of a disaster
Auditing System Operations and Maintenance
Overview of Audit Areas
Information Security Management
• Perform risk assessments on information assets
• Perform business impact analyses (BIAs)
• Develop and enforce information security policy, procedures and standards
• Conduct security assessments on a regular basis
• Implement a formal vulnerability management process
Information Systems Operations
IS operations are in charge of the daily support of an organization’s IS hardware and software environment. IS operations include:
• Management of IS operations
• Infrastructure support, including computer operations
• Technical support / help desk
• Information security management
Management of IS Operations
Operations management functions include:
• Resource allocation
• Standards and procedures
• IS operation processes monitoring
IT Service Management
Service levels are audited through review of:
• Exception reports
• System and application logs
• Operator problem reports
• Operator work schedules
Infrastructure Operations Audit
• Scheduling
  • Race conditions
  • Maintenance windows
• Job scheduling software
  • Mutual exclusivity
  • Concurrent operations and resource contention
Monitoring Use of Resources
• Process of incident handling
  • Is it followed?
  • Are lessons learned and documented?
• Problem management
  • What is the mean time to clear trouble conditions?
  • Detection, documentation, control, resolution and reporting of abnormal conditions
Support / Help Desk
• Document incidents that arise from users and initiate problem resolution
• Prioritize the issues and forward them to the appropriate IT personnel, and escalate to IT management as necessary
• Follow up on unresolved incidents
• Close out resolved incidents, noting proper authorization by the user to close out the incident
Change Management Process
• System, operations and program documentation
• Job preparation, scheduling and operating instructions
• System and program test
• Data file conversion
• System conversion
Release Management
• Major releases
• Minor software releases
• Emergency software fixes
System and Communications Hardware
Computer Hardware Components and Architectures
Common enterprise back-end devices:
• Print servers
• File servers
• Application (program) servers
• Web servers
• Proxy servers
• Database servers
• Appliances (specialized devices)
Computer Hardware Components and Architectures cont.
• Universal Serial Bus (USB)
• Memory cards / flash drives
• Radio Frequency Identification (RFID)
Security Risks with Portable Media
Memory cards / flash drives risks:
• Viruses and other malicious software
• Data theft
• Data and media loss
• Corruption of data
• Loss of confidentiality
Security Controls for Portable Media
• Encryption
• Inventory of assets
• Educate security personnel
• Enforce a “lock desktop” policy
• Use only secure devices
Hardware Maintenance Program
• Reputable service company
• Maintenance schedule
• Maintenance cost
• Maintenance performance history, planned and exceptional
Hardware Monitoring Procedures
Monitor the effective use of hardware through:
• Availability reports
• Hardware error reports
• Utilization reports
• Asset management reports
Capacity Management
• CPU utilization (processing power)
• Computer storage utilization
• Telecommunications, LAN and WAN bandwidth utilization
• I/O channel utilization
• Number of users
• New technologies
• New applications
• Service level agreements (SLAs)
• Vendor performance
IS Architecture and Software
• Operating systems
  • Software control features or parameters
• Access control software
• Data communications software
• Data management
• Database management system (DBMS)
• Tape and disk management system
• Utility programs
• Software licensing issues
Operating Systems
• Defines user interfaces
• Permits users to share hardware
• Permits users to share data
• Informs users of any error
• Permits recovery from system error
• Communicates completion of a process
• Allows system file management
• Allows system accounting management
Operating Systems cont.
Software control features or parameters:
• Data management
• Resource management
• Job management
• Priority setting
Access Control Software
Designed to prevent:
• Unauthorized access to data
• Unauthorized use of system functions and programs
• Unauthorized updates/changes to data
Data Communications Software
• Used to transmit messages or data from one point to another
• Interfaces with the operating system, application programs, telecommunications systems and the network control system
Data Management
File organization:
• Sequential
• Direct random access
Database Management System
• DBMS architecture
• Detailed DBMS metadata architecture
• Data dictionary / directory system (DD / DS)
• Database structure
• Database controls
Database Management System cont.
Example of a database:
• Referential and entity integrity
• View-based access control (most users cannot see the author’s real name, just the pseudonym)

Author ID | P-Last Name | P-First Name | Real Last Name | Real First Name | State | Town    | Agent
1         | Twain       | Mark         | Clemens        | Samuel          | Mi    | Biloxi  | Joe
2         | Herriot     | James        | Krant          | Ian             | Yk    | Durham  | Pete
3         | Grisham     | John         | Grisham        | John            | FL    | Orlando | Alan
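The slide's author table can be built in a few lines to show the three controls it names working. The following is an added example, not part of the course material: the rows are the slide's own, loaded into Python's built-in sqlite3 module; entity integrity is the primary key on Author ID, referential integrity is a foreign key from Agent to a separate agent table (an assumption made for the example, since the slide shows only the author table), and view-based access control is a view that exposes the pseudonym columns and omits the real name. The view name, the agent table and the rejected test rows are constructed.

```python
"""Added example (not from the CISA course material): the slide's author
table in sqlite3, with a primary key (entity integrity), a foreign key to an
assumed agent table (referential integrity) and a view that hides the real
name (view-based access control). Row values are taken from the slide; the
agent table, view name and rejected test rows are constructed."""
import sqlite3


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite enforces FKs only when enabled
    conn.executescript("""
        CREATE TABLE agent (
            name TEXT PRIMARY KEY
        );
        CREATE TABLE author (
            author_id       INTEGER PRIMARY KEY,   -- entity integrity: unique, not null
            p_last_name     TEXT NOT NULL,
            p_first_name    TEXT NOT NULL,
            real_last_name  TEXT NOT NULL,
            real_first_name TEXT NOT NULL,
            state           TEXT,
            town            TEXT,
            agent           TEXT NOT NULL REFERENCES agent(name)  -- referential integrity
        );
        -- View-based access control: ordinary users query the view, never the base table
        CREATE VIEW author_public AS
            SELECT author_id, p_last_name, p_first_name, state, town, agent
            FROM author;
    """)
    conn.executemany("INSERT INTO agent VALUES (?)", [("Joe",), ("Pete",), ("Alan",)])
    conn.executemany("INSERT INTO author VALUES (?,?,?,?,?,?,?,?)", [
        (1, "Twain",   "Mark",  "Clemens", "Samuel", "Mi", "Biloxi",  "Joe"),
        (2, "Herriot", "James", "Krant",   "Ian",    "Yk", "Durham",  "Pete"),
        (3, "Grisham", "John",  "Grisham", "John",   "FL", "Orlando", "Alan"),
    ])
    conn.commit()
    return conn


def public_columns(conn: sqlite3.Connection) -> list:
    """Column names a view-restricted user can see."""
    cur = conn.execute("SELECT * FROM author_public LIMIT 1")
    return [d[0] for d in cur.description]


def author_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM author").fetchone()[0]


def violates_referential_integrity(conn: sqlite3.Connection) -> bool:
    """An author whose agent does not exist must be rejected (constructed row)."""
    try:
        conn.execute("INSERT INTO author VALUES (4,'Doe','Jane','Doe','Jane','NY','Albany','Nobody')")
        return False
    except sqlite3.IntegrityError:
        return True


def violates_entity_integrity(conn: sqlite3.Connection) -> bool:
    """A duplicate author_id must be rejected (constructed row)."""
    try:
        conn.execute("INSERT INTO author VALUES (1,'Dup','Dup','Dup','Dup','XX','X','Joe')")
        return False
    except sqlite3.IntegrityError:
        return True


if __name__ == "__main__":
    c = build_db()
    print("public view columns:", public_columns(c))
    for row in c.execute("SELECT p_last_name, p_first_name, town FROM author_public"):
        print(row)
    print("FK enforced:", violates_referential_integrity(c))
    print("PK enforced:", violates_entity_integrity(c))
```

For the view to be a control rather than a convenience, the account most users connect with must hold privileges on author_public only; that grant is a database-specific step outside this example and is exactly what the "Views" item under Database Reviews asks the auditor to confirm.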
Tape and Disk Management Systems
• Track and list tape / disk resources needed for data center processing
• Minimize computer operator time and errors
• Improve space efficiency by consolidating fragmented free space
• Provide inventory control over tapes, identification of offsite rotation of backup media and security features to control tape access
Utility Programs
Functional areas:
• Understanding application systems
• Assessing or testing data quality
• Testing a program’s ability to function correctly and maintain data integrity
• Assisting in faster program development
• Improving operational efficiency
Software Licensing Issues
• Documented policies and procedures that guard against unauthorized use or copying of software
• Listing of all standard, used and licensed application and system software
• Centralizing control and automated distribution and installation of software
• Requiring that all PCs be diskless workstations and access applications from a secured LAN
• Regularly scanning user PCs
Digital Rights Management
• DRM removes usage control from the person in possession of digital content and puts it in the hands of a computer program
• Prevents copying or modifying of data by unauthorized users
Auditing Networks
Network Infrastructure
Telecommunications links for networks can be:
• Analog
• Digital
Methods for transmitting signals over telecommunication links are:
• Copper
• Fibre
• Coaxial
• Radio frequency
Enterprise Network Architectures
Today’s networks are part of a large, centrally managed, inter-networked architecture solution: high-speed local- and wide-area computer networks serving organizations’ distributed computing environments.
Types of Networks
• Personal area networks (PANs)
• Local area networks (LANs)
• Wide area networks (WANs)
• Metropolitan area networks (MANs)
• Storage area networks (SANs)
Network Services
• E-mail services
• Print services
• Remote access services
• Directory services
• Network management
• Dynamic Host Configuration Protocol (DHCP)
• DNS
Network Standards and Protocols
Critical success factors:
• Interoperability
• Availability
• Flexibility
• Maintainability
OSI Architecture
ISO / OSI
• Is a proof-of-concept model composed of seven layers, each specifying particular specialized tasks or functions
Objective
• To provide a set of open system standards for equipment manufacturers and to provide a benchmark to compare different communication systems
OSI Architecture (continued)
Functions of the layers of the ISO / OSI model:
• Application layer
• Presentation layer
• Session layer
• Transport layer
• Network layer
• Data link layer
• Physical layer
Application of the OSI Model in Network Architectures cont.
Network Architectures
Network Components
• Repeaters
• Hubs
• Bridges
• Switches
• Routers
Communications Technologies
• Message switching
• Packet switching
• Circuit switching
• Virtual circuits
  • PVC
• Dial-up services
Communications Technology cont.
• Point to point – leased lines
• X.25
• Frame Relay
• Integrated services digital network (ISDN)
• Asynchronous transfer mode
• Multiprotocol label switching
• Digital subscriber lines
• Virtual private networks
Wireless Networking
Wireless networks:
• Wireless wide area network (WWAN)
  • Microwave, optical
• Wireless local area network (WLAN)
  • 802.11
• Wireless personal area network (WPAN)
  • 802.15 Bluetooth
• Wireless ad hoc networks
• Wireless application protocol (WAP)
Risks Associated with Wireless Communications
Wireless access exposures:
• Interception of sensitive information
• Loss or theft of devices
• Misuse of devices
• Loss of data contained in devices
• Distraction caused by devices
• Wireless user authentication
• File security
• Wireless encryption
• Interoperability
• Use of wireless subnets
• Translation point
Internet Technologies
• TCP / IP
• Internet world wide web services
  • URL
  • Common gateway scripts
  • Cookies
  • Applets
  • Servlets
  • Bookmarks
Auditing of Network Management
• Network administration and control
• Network performance metrics
  • Capacity
  • Errors
• Network management issues
Auditing of Applications Management
Applications in a networked environment:
• Client-server technology
• Middleware
• Cloud
• Virtual
• Software as a Service
• Service-oriented architecture
Hardware Reviews
Audits of hardware include:
• Acquisition process
• Configuration
• Maintenance / upgrades
• Operational procedures
• Monitoring
Operating System Reviews
Audits of operating systems include:
• Patch management
• Configuration – hardening
• Access controls
Database Reviews
Audits of databases include:
• Schemas
• Efficiency of processing
• Security
  • Views
  • Updates
• Backups
• Access controls
Network Infrastructure and Implementation Reviews
Review controls over network equipment:
• Physical controls
  • Protected cabling – conduit
  • Locked equipment rooms
  • Environmental controls
  • Server rooms
  • Access control
  • Fire detection and suppression
Network Infrastructure and Implementation Reviews cont.
• Logical security controls
  • Network user and administrator access and passwords
  • Network access change requests
  • Test plans
  • Security reports
  • Performance and monitoring
Physical Security Audits
Physical controls:
• Access control
  • Lock and key management
• Positive pressurization
  • Contaminant-free air
• Humidity controls
• Power supply
  • UPS load and maintenance
Access Controls Review
Logical security control: questions to consider:
• Are users assigned unique passwords?
• Are users required to change their passwords on a periodic basis?
• Are passwords encrypted and not displayed on the computer screen when entered?
• Is network user access based on written authorization and given on a need-to-know basis and based on the individual’s responsibilities?
Access Controls Review cont.
Logical security control: questions to consider:
• Are network workstations automatically disabled after a short period of inactivity?
• Is remote access monitored and secure?
• Are all login attempts to the system logged?
• Are all activities by administrators logged?
Scheduling Reviews
Areas to review:
• Regularly scheduled applications
• Input deadlines
• Data preparation time
• Estimated processing time
• Output deadlines
• Procedures for collecting, reporting and analyzing key performance indicators
  • Are the items included in SLAs?
  • Are the items functioning according to the SLAs?
Scheduling Reviews: Questions to Consider
Job schedule reviews:
• Have critical applications been identified and granted highest priority?
• Is the schedule of rush/rerun jobs consistent with their assigned priority?
• Do scheduling procedures facilitate optimal use of computer resources while meeting service requirements?
• Do operators record jobs that are completed, jobs to be processed and the required job completion codes?
Auditing Job Scheduling
Daily job schedule:
• Is the number of personnel assigned to each shift adequate to support the workload?
• Are operations procedures and schedules being followed?
• Do the operators record any critical activity and alert the next shift to any outstanding issues?
Job Scheduling Reviews
Exception handling logs:
• Do operators require written or electronic approval for exceptions?
• Are all exceptions documented?
• Are error codes recorded?
• Are exception and error logs reviewed for further action?
Personnel Reviews
Personnel:
• Does the operations and administration staff have adequate training and skills?
• Is management providing proper oversight for operations staff?
• Is separation of duties enforced?
Business Continuity and Disaster Recovery Audits
Auditing of Business Continuity Plans
• Is the plan reasonable?
  • Does the plan reflect business priorities?
  • Does management support the plan?
• Is the business impact analysis (BIA) current?
• Are regular tests being performed?
• Are lessons learned being applied?
• Is the plan kept up to date?
Recovery Point Objective and Recovery Time Objective
Recovery point objective (RPO)
• Based on acceptable data loss
• Indicates the most current state of data that can be recovered
Recovery time objective (RTO)
• Based on acceptable downtime
• Indicates the point in time at which the business plans to resume sustainable service levels after a disaster
Business Continuity Strategies
Additional parameters important in defining recovery strategies:
• Interruption window
• Service delivery objective (SDO)
• Maximum tolerable outages
Recovery Strategies
A recovery strategy is a combination of preventive, detective and corrective measures. The selection of a recovery strategy depends upon:
• The criticality of the business process and the applications supporting the processes
• Cost
• Time required to recover
• Security
Recovery Alternatives
Types of offsite backup facilities:
• Cold sites
• Mobile sites
• Warm sites
• Reciprocal agreements
• Hot sites
• Mirrored sites
Audit of Third Party Recovery Agreements
Provisions for use of third-party sites should cover:
• Configurations
• Usage period
• Disaster declaration
• Communications
• Access
• Warranties
• Priority
• Audit
• Availability
• Speed of availability
• Subscribers per site and area
• Testing
• Reliability
• Security
• Preference
• Insurance
Organization and Assignment of Responsibilities
Have recovery teams been set up to:
• Retrieve critical and vital data from offsite storage
• Install and test systems software and applications at the systems recovery site
• Acquire and install hardware at the system recovery site
• Operate the system recovery site
Team Responsibilities
Manage the disaster:
• Reroute communications traffic
• Reestablish the local area user/system network
• Transport users to the recovery facility
• Restore databases, software and data
• Supply necessary office goods, e.g., special forms, paper
Backup and Restoration
• Offsite library controls
• Security and control of offsite facilities
• Media and documentation backup
• Periodic backup procedures
• Frequency of rotation
• Types of media and documentation rotated
• Backup schemes
• Method of rotation
End of Domain
2015 Firebrand CISA Review Course
Chapter 5 – Protection of Information Assets
Exam Relevance
Ensure that the CISA candidate:
• “Understands and can provide assurance that the security architecture (policies, standards, procedures and controls) ensures the confidentiality, integrity and availability of information assets.”
• The content area in this chapter will represent approximately 30% of the CISA examination (approximately 60 questions).
Chart: % of total exam questions by chapter: Chapter 1 14%, Chapter 2 14%, Chapter 3 19%, Chapter 4 23%, Chapter 5 30%.
Course Agenda
• Learning objectives
• Information security management
• Access controls
• Equipment and network security
• Encryption
• Malware
• Incident handling and evidence
• Physical and environmental controls
Chapter 5 Task Statements
• Evaluate the information security policies, standards and procedures for completeness and alignment with generally accepted practices
• Evaluate the design, implementation and monitoring of system and logical security controls
• Verify the confidentiality, integrity and availability of information and information systems
• Evaluate the design, implementation and monitoring of the data classification processes and procedures
Chapter 5 Task Statements cont.
• Evaluate physical access and environmental controls to determine whether information assets are adequately safeguarded
• Evaluate the processes and procedures used to store, retrieve, transport and dispose of information assets
  • Backup media
  • Offsite storage
  • Hard copy/print data
  • Electronic data
Knowledge Areas
The CISA candidate is expected to be familiar with auditing the controls related to:
• Security awareness
• Incident handling
• Identification, authentication and authorization
• Hardware- and software-based security controls
Knowledge Areas cont.
The CISA candidate is expected to be familiar with auditing the controls related to:
• Virtualization
• Network security
• Internet protocols and security
• System attacks and malware
• Intrusion detection, vulnerability scanning
• Data leakage
• Encryption and public key infrastructure
• Social networking risks
Knowledge Areas cont.
The CISA candidate is expected to be familiar with auditing the controls related to:
• Mobile and wireless security
• Voice communications
• Evidence preservation (forensics)
• Data classification
• Physical and environmental security
Information Security Management
Importance of Information Security Management
Security objectives to meet the organization’s business requirements include:
• Ensure the availability, integrity and confidentiality of information and information systems
• Ensure compliance with laws, regulations and standards
Key Elements of Information Security Management
Key elements of information security management:
• Senior management commitment and support
• Policies and procedures
• Organization
• Security awareness and education
• Monitoring and compliance
• Incident handling and response
Critical Success Factors to Information Security Management
• Strong commitment and support by senior management for security training
• A professional, risk-based approach must be used systematically to identify sensitive and critical resources
Inventory and Classification of Information Assets
The inventory record of each information asset should include:
• Identification of assets
• Relative value of assets to the organization
• Location (where the asset is located)
• Security / risk classification
• Asset group
• Owner
• Designated custodian
Privacy Management Issues and the Role of IS Auditors
Privacy impact analyses or assessments should:
• Pinpoint the nature of personally identifiable information (PII) associated with business processes
• Document the collection, use, disclosure and destruction of personally identifiable information
• Ensure that accountability for privacy issues exists
• Set the foundation for informed policy, operations and system design decisions based on an understanding of privacy risk and the options available for mitigating that risk
Privacy Management Issues and the Role of IS Auditors cont.
Compliance with privacy policy and laws:
• Identify and understand legal requirements regarding privacy from laws, regulations and contract agreements
• Check whether personal data are correctly managed in respect to these requirements
• Verify that the correct security measures are adopted
• Review management’s privacy policy to ascertain that it takes into consideration the requirements of applicable privacy laws and regulations
Social Media Risks
• Inappropriate sharing of information
  • Organizational activity
  • Staffing issues
  • Privacy-related sensitive data
• Installation of vulnerable applications
Access Controls
System Access Permission
• Who has access rights, and to what?
• What is the level of access to be granted?
• Who is responsible for determining the access rights and access levels?
• What approvals are needed for access?
Mandatory and Discretionary Access Controls
Mandatory
• Enforces corporate security policy
• Compares sensitivity of information resources
Discretionary
• Enforces data owner-defined sharing of information resources
IAAA
Identification
• Method to distinguish each entity that is accessing resources in a unique manner
Authentication
• Validate, verify or prove the identity
Authorization
• Rights, permissions and privileges granted to an authenticated entity
Accounting (audit)
• Track all activity
Authentication
Knowledge
• Password, passphrase
Ownership / possession
• Smartcard, token, key fob
Characteristic
• Biometrics
Authorization
• Need to know
• Least privilege
• Mutual exclusivity
• Dual control
• Separation of duties
• Time limited (hours of work, etc.)
Authorization Issues
Access restrictions at the file level include:
• Read, inquiry or copy only
• Write, create, update or delete only
• Execute only
• A combination of the above
Challenges with Identity Management
• Many changes to systems and users
• Many types of users – employees, customers, guests, managers, regulators
• Audit concerns
  • Unused IDs
  • Misconfigured IDs
  • Failure to follow procedures
  • Group IDs
Identification and Authentication
I&A common vulnerabilities:
• Weak authentication methods
• Lack of confidentiality and integrity for the stored authentication information
• Lack of encryption for authentication and protection of information transmitted over a network
• Users’ lack of knowledge of the risks associated with sharing passwords, security tokens, etc.
Logical Access Exposures
Technical exposures include:
• Data leakage
• Wire tapping
• Trojan horses / backdoors
• Viruses
• Worms
• Logic bombs
• Denial-of-service attacks
• Computer shutdown
• War driving
• Piggybacking
• Trap doors
• Asynchronous attacks
• Rounding down
• Salami technique
Paths of Logical Access
General points of entry:
• Network connectivity
• Remote access
• Operator console
• Online workstations or terminals
Logical Access Control Software
Prevents unauthorized access and modification to an organization’s sensitive data and use of system-critical functions. General operating and/or application systems access control functions include the following:
• Create or change user profiles
• Assign user identification and authentication
• Apply user logon limitation rules
• Notification concerning proper use and access prior to initial login
• Create individual accountability and auditability by logging user activities
• Establish rules for access to specific information resources (e.g., system-level application resources and data)
• Log events
• Report capabilities
Logical Access Control Software cont.
Database and/or application-level access control functions include:
• Create or change data files and database profiles
• Verify user authorization at the application and transaction levels
• Verify user authorization within the application
• Verify user authorization at the field level for changes within a database
• Verify subsystem authorization for the user at the file level
• Log database / data communications access activities for monitoring access violations
Auditing Logical Access
When evaluating logical access controls the IS auditor should:
• Identify sensitive systems and data
• Document and evaluate controls over potential access
• Test controls over access paths to determine whether they are functioning and effective
• Evaluate the access control environment to determine if the control objectives are achieved
• Evaluate the security environment to assess its adequacy
Access Control Lists
Access control lists (ACLs) provide a register of:
• Users who have permission to use a particular system resource
• The types of access permitted
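The distinction drawn on the "Mandatory and Discretionary Access Controls" slide, and the ACL register described just above, can be made concrete in a small model. The following is an added example, not from the course material: the discretionary part keeps an ACL per resource in which only the owner (or someone the owner has given the grant right) can share access, while the mandatory part compares a subject's clearance with the resource's sensitivity label and lets policy, not the owner, decide. The label hierarchy, the rule that a subject's clearance must dominate the label to read (the "no read up" rule), the users, resources and permission names are all assumptions made for the example.

```python
"""Added example (not from the CISA course material): a toy model of
discretionary access control (owner-managed ACLs) and mandatory access
control (policy compares clearance with sensitivity label). Labels, users,
resources and permission names are constructed."""
from typing import Dict, Set

# Ordered sensitivity labels (assumed hierarchy for the example)
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


class DacResource:
    """Discretionary: the data owner decides who may access the resource."""

    def __init__(self, owner: str):
        self.owner = owner
        # ACL: user -> set of permissions; the owner starts with everything
        self.acl: Dict[str, Set[str]] = {owner: {"read", "write", "grant"}}

    def grant(self, granter: str, user: str, perms: Set[str]) -> bool:
        """Only a principal holding 'grant' (normally the owner) may share."""
        if "grant" not in self.acl.get(granter, set()):
            return False
        self.acl.setdefault(user, set()).update(perms)
        return True

    def check(self, user: str, perm: str) -> bool:
        return perm in self.acl.get(user, set())


class MacPolicy:
    """Mandatory: corporate policy compares clearance with classification;
    neither owner nor user can override the result."""

    def __init__(self, clearances: Dict[str, str], labels: Dict[str, str]):
        self.clearances = clearances   # user -> clearance label
        self.labels = labels           # resource -> sensitivity label

    def can_read(self, user: str, resource: str) -> bool:
        # "No read up": clearance must dominate the resource's label (assumed rule)
        return LEVELS[self.clearances[user]] >= LEVELS[self.labels[resource]]


def acl_register(resources: Dict[str, DacResource]) -> Dict[str, Dict[str, Set[str]]]:
    """The register an auditor reviews: who has access to what, and how."""
    return {name: {u: set(p) for u, p in res.acl.items()} for name, res in resources.items()}


def demo() -> dict:
    # DAC: alice owns the payroll file and shares read access with bob
    payroll = DacResource(owner="alice")
    shared_by_owner = payroll.grant("alice", "bob", {"read"})
    shared_by_bob = payroll.grant("bob", "carol", {"read"})  # bob holds no 'grant' right

    # MAC: the same users, but labels decide regardless of who owns the file
    mac = MacPolicy(
        clearances={"alice": "secret", "bob": "internal"},
        labels={"payroll": "confidential", "newsletter": "public"},
    )
    return {
        "owner_grant_ok": shared_by_owner,
        "non_owner_grant_blocked": not shared_by_bob,
        "bob_reads_payroll_dac": payroll.check("bob", "read"),
        "bob_writes_payroll_dac": payroll.check("bob", "write"),
        "bob_reads_payroll_mac": mac.can_read("bob", "payroll"),
        "bob_reads_newsletter_mac": mac.can_read("bob", "newsletter"),
        "alice_reads_payroll_mac": mac.can_read("alice", "payroll"),
        "register": acl_register({"payroll": payroll}),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The contrast to notice is bob: under DAC alice's decision to share gives him read access to payroll, while under MAC the same request fails because his clearance (internal) does not dominate the label (confidential). In a real review the register returned by acl_register is what the auditor compares against written authorizations and the need-to-know principle.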
Centralized versus Decentralized Access
Logical access security administration:
• Centralized environment
• Decentralized environment
  • Advantages of conducting security in a decentralized environment:
    • Security controls are monitored frequently
    • Security administration is onsite at the distributed location
    • Security issues are resolved in a timely manner
Decentralized Access Risks
Risks associated with distributed responsibility for security administration:
• Local standards might be implemented rather than those required
• Levels of security management might be below what can be maintained by central administration
• Unavailability of management checks and audits
Single Sign-on (SSO)
Single sign-on (SSO)
• Consolidating access functions for multiple systems into a single centralized administrative function
• A single sign-on interfaces with:
  • Client-server and distributed systems
  • Mainframe systems
  • Network security, including remote access mechanisms
Single Sign-on Advantages
Single sign-on (SSO) advantages:
• Elimination of multiple user IDs and passwords
  • Users may select a stronger password
• It improves an administrator’s ability to centrally manage users’ accounts and authorizations
• Reduces administrative overhead
  • Greater access consistency between systems
• It reduces the time taken by users to log into multiple applications and platforms
Single Sign-on Disadvantages
Single sign-on (SSO) disadvantages:
• May not support legacy applications or all operating environments
• The costs associated with SSO development can be significant
• The centralized nature of SSO presents the possibility of a single point of failure and total compromise of an organization’s information assets
Familiarization with the Organization’s IT Environment
Every layer of a system has to be reviewed for security controls, including:
• The network
• Operating system platform
• Application software
• Database
• Physical and environmental security
Remote Access
Remote access security: today’s organizations require remote access connectivity to their information resources for different types of users, such as employees, vendors, consultants, business partners and customer representatives. Remote access should be:
• Consolidated
• Monitored
• Covered by policies
• Granted at appropriate access levels
• Encrypted
Remote Access Security
Remote access security risks include:
• Denial of service
• Malicious third parties
• Misconfigured communications software
• Misconfigured devices on the corporate computing infrastructure
• Host systems not secured appropriately
• Physical security issues on remote users’ computers
Auditing Remote Access
• Assess remote access points of entry
• Test dial-up access controls
• Test the logical controls
• Evaluate remote access approaches for cost-effectiveness, risk and business requirements
Auditing Remote Access (continued)
Audit Internet points of presence:
• E-mail
• Marketing
• Sales channel / electronic commerce
• Channel of delivery for goods / services
• Information gathering
Logging All System Access
Audit logging and monitoring of system access:
• Provides management an audit trail to monitor activities of a suspicious nature, such as a hacker attempting brute force attacks on a privileged logon ID
• Records all activity for future investigation
Equipment and Network Security
Security of Portable Media
Use of approved portable devices:
• PDAs
• iPads, iPods and similar units
Security and audit issues:
• Sensitive data stored on unsecured devices
• Loss, theft, insecure configuration
• Passwords, encryption
Mobile Device Security
Access issues with mobile technology: control use via policy:
• Restrict use of portable drives and memory
• Disable USB access
• Encrypt all data transported or saved by these devices
Storing, Retrieving, Transporting and Disposing of Confidential Information
Policies required for:
• Backup files of databases
• Databases
• Disposal of media previously used to hold confidential information
• Management of equipment sent for offsite maintenance
• Public agencies and organizations concerned with sensitive, critical or confidential information
• E-token electronic keys
• Storage records
Concerns Associated with Storage Media
Preserving information during shipment or storage:
• Protect from direct sunlight, liquids, dust, magnetic fields
• Encryption
• Labeling
• Tracking
Network Infrastructure Security
Communication network controls:
• Employ skilled administration staff
• Separation of duties
• Restrict administrator-level access
• Record all administrator-level activity
• Review audit trails to detect any unauthorized network operations activities
Network Infrastructure Security (continued)
Communication network controls (continued):
• Create and enforce operational procedures
• Monitor unauthorized access or activity by administrators or other staff
• Ensure fast response time to trouble tickets
• Monitor for system efficiency
• Identify all assets connecting to the network: people, processes and equipment
• Use data encryption to protect sensitive messages from disclosure during transmission
LAN Security Issues
The IS auditor should identify and document:
• LAN topology and network design
  o Segmentation
• LAN administrator / LAN ownership
  o Functions performed by the LAN administrator
• Distinct groups of LAN users
• Applications used on the LAN
• Procedures and standards relating to network design, support, naming conventions and data security
Client-server Security
Control techniques in place:
• Securing access to data or applications
• Use of network monitoring devices
• Data encryption techniques
• Authentication systems
• Use of application-level access control programs
• Protection of end devices
Wireless Security Threats
• Unauthorized equipment
• Misconfigured equipment
  o WEP, WPA, WPA2
• Radio frequency management
• Unauthorized access
• Interference and denial of service
Wireless Security Threats (continued)
Malicious access to WLANs:
• War driving
• War walking
• War chalking
• Passive attacks
  o Sniffing
Audit Log Analysis Tools
Tools for audit trail (log) analysis:
• Audit reduction tools
• Trend/variance-detection tools
• Attack signature-detection tools
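The three tool classes on this slide, and the brute-force scenario from the Logging All System Access slide, can be shown on a handful of log records. The following is an added example (not course material): an audit-reduction step that collapses routine successful logons, a variance check against a per-user baseline, and a signature rule for repeated failed logons to a privileged ID from one source. The log lines, host name, baseline and the 203.0.113.0/24 addresses (a documentation range) are all constructed.

```python
"""Audit reduction, variance detection and signature detection over constructed logon records.

Added example, not from the course. The log lines, host name, baseline figures
and addresses (203.0.113.0/24 is a documentation range) are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of an SSH authentication log (one day, one host)
LOG = """\
2015-08-25T09:00:01 srv1 sshd[100]: Accepted password for alice from 203.0.113.10 port 5001
2015-08-25T09:00:05 srv1 sshd[101]: Failed password for root from 203.0.113.5 port 4001
2015-08-25T09:00:07 srv1 sshd[102]: Failed password for root from 203.0.113.5 port 4002
2015-08-25T09:00:09 srv1 sshd[103]: Failed password for root from 203.0.113.5 port 4003
2015-08-25T09:00:11 srv1 sshd[104]: Failed password for root from 203.0.113.5 port 4004
2015-08-25T09:00:13 srv1 sshd[105]: Failed password for root from 203.0.113.5 port 4005
2015-08-25T09:00:15 srv1 sshd[106]: Failed password for root from 203.0.113.5 port 4006
2015-08-25T09:03:00 srv1 sshd[107]: Accepted password for bob from 203.0.113.11 port 5002
2015-08-25T09:10:00 srv1 sshd[108]: Failed password for bob from 203.0.113.11 port 5003
2015-08-25T09:10:04 srv1 sshd[109]: Accepted password for bob from 203.0.113.11 port 5004
2015-08-25T09:20:00 srv1 sshd[110]: Failed password for invalid user test from 203.0.113.5 port 4007
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+$"
)


def parse(text):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


def audit_reduction(events):
    """Audit reduction: keep successes only as per-user counts, so the analyst
    is left with the individual failure records worth reading."""
    successes = Counter(e["user"] for e in events if e["result"] == "Accepted")
    failures = [e for e in events if e["result"] == "Failed"]
    return successes, failures


def variance_detection(events, baseline):
    """Trend/variance check: flag users whose failure count is more than double
    their usual daily count (baseline: user -> typical failures per day) plus one."""
    counts = Counter(e["user"] for e in events if e["result"] == "Failed")
    return {u: c for u, c in counts.items() if c > 2 * baseline.get(u, 0) + 1}


def signature_detection(events, threshold=5, window=timedelta(seconds=60),
                        privileged=("root", "admin")):
    """Attack signature: at least `threshold` failed logons to a privileged ID
    from one source inside `window`. Returns (user, source, first_ts, last_ts)."""
    by_key = defaultdict(list)
    for e in events:
        if e["result"] == "Failed" and e["user"] in privileged:
            by_key[(e["user"], e["src"])].append(e["ts"])
    alerts = []
    for (user, src), times in by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):            # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((user, src, times[start], times[end]))
                break
    return alerts


if __name__ == "__main__":
    evs = parse(LOG)
    print(audit_reduction(evs)[0])                              # Counter({'bob': 2, 'alice': 1})
    print(variance_detection(evs, {"root": 0, "bob": 1}))       # {'root': 6}
    print(signature_detection(evs))                             # one alert for root from 203.0.113.5
```

The single failed logon for bob followed by a success is the normal noise audit reduction is meant to hide; the six failures against root in ten seconds are what the signature rule is tuned for, and the variance rule catches the same thing without needing a hand-written signature.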
Internet Threats and Security
Active attacks:
• Denial of service
• Brute-force attack
• Masquerading
• Packet replay
• Phishing
• Message modification
• Unauthorized access through the Internet or web-based services
• Penetration attacks
• E-mail spamming
• E-mail spoofing
• Web application attacks
  o SQL injection
  o Cross-site scripting
  o Buffer overflows
Causes of Internet Attacks
• Freely available tools and techniques
• Lack of security awareness and training
• Exploitation of security vulnerabilities
• Poor configuration of network equipment
• Lack of encryption
Firewalls
• Firewall security systems
• Firewall general features
• Firewall types:
  o Router packet filtering
  o Application firewall systems
  o Stateful inspection
  o Proxies
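The difference between the first and third firewall types on this slide is easiest to see on a short packet trace. What follows is an added example, not course material: a router-style packet filter that judges each packet by its own header, next to a stateful inspection firewall that keeps a connection table. The internal network 192.0.2.0/24, the published web server, the external hosts (198.51.100.0/24 and 203.0.113.0/24 are documentation ranges) and the five packets are all constructed.

```python
"""Stateless packet filtering versus stateful inspection on a constructed packet trace.

Added example, not from the course. 192.0.2.0/24 plays the internal network,
192.0.2.80:443 the one published service; the other hosts and the packets
are constructed from documentation address ranges.
"""
from dataclasses import dataclass

INTERNAL_PREFIX = "192.0.2."        # constructed internal network
WEB_SERVER = ("192.0.2.80", 443)    # constructed: the only service reachable from outside


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # TCP flags present, e.g. frozenset({"SYN", "ACK"})


def _internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def stateless_filter(pkt):
    """Router packet filtering: each packet is judged on its own header.
    Inbound replies can only be recognised by the ACK flag, because the filter
    has no memory of which connections the inside actually opened."""
    if _internal(pkt.src):
        return True                                  # outbound traffic allowed
    if (pkt.dst, pkt.dport) == WEB_SERVER:
        return True                                  # published service
    return "ACK" in pkt.flags                        # assumed to be reply traffic


class StatefulFirewall:
    """Stateful inspection: inbound packets pass only when they belong to a
    connection the firewall saw being opened (from inside, or to the published
    service). An unsolicited packet with ACK set has no matching state."""

    def __init__(self):
        self.connections = set()

    def filter(self, pkt):
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if _internal(pkt.src):
            if "SYN" in pkt.flags:                   # new outbound connection opens state
                self.connections.add(forward)
                return True
            return forward in self.connections or reverse in self.connections
        if (pkt.dst, pkt.dport) == WEB_SERVER:
            if "SYN" in pkt.flags:
                self.connections.add(forward)
            return True
        return reverse in self.connections          # must be a reply to tracked state


# Constructed trace: a normal browse, then probes from outside, then a web client
TRAFFIC = [
    Packet("192.0.2.10", 50000, "198.51.100.7", 80, frozenset({"SYN"})),         # inside opens connection
    Packet("198.51.100.7", 80, "192.0.2.10", 50000, frozenset({"SYN", "ACK"})),  # legitimate reply
    Packet("203.0.113.5", 4444, "192.0.2.20", 3389, frozenset({"ACK"})),        # unsolicited, ACK set
    Packet("203.0.113.5", 4444, "192.0.2.20", 3389, frozenset({"SYN"})),        # unsolicited connection attempt
    Packet("203.0.113.9", 5555, "192.0.2.80", 443, frozenset({"SYN"})),         # client to published web server
]


def run(traffic):
    """Return (stateless decision, stateful decision) per packet, in order."""
    fw = StatefulFirewall()
    return [(stateless_filter(p), fw.filter(p)) for p in traffic]


if __name__ == "__main__":
    for p, (stateless, stateful) in zip(TRAFFIC, run(TRAFFIC)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} {sorted(p.flags)}  "
              f"stateless={'allow' if stateless else 'deny'} stateful={'allow' if stateful else 'deny'}")
```

The third packet is the point of the exercise: the stateless filter lets it through because its only way to recognise "established" traffic is the ACK flag, while the stateful firewall rejects it because no inside host opened that connection. That gap is why a plain packet filter is rated weaker than stateful inspection, and it is also a reason the Firewall Issues slide lists "a false sense of security".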
Firewall Issues
• A false sense of security
• Circumvention of the firewall
• Misconfigured firewalls
• Monitoring activities may not occur on a regular basis
• Firewall policies
Network Security Architecture
• Network segmentation
  o Firewalls
  o Gateways
  o VLANs
• Screened-host firewall
• Dual-homed firewall
• Demilitarized zone (DMZ)
Honeypots and Honeynets
• Provide a distraction for hackers
  o May present a real environment to attack (high-interaction systems)
• Record all activity
  o Learn hacking methods and techniques
Intrusion Detection and Prevention Systems
• Intrusion detection system (IDS)
• Intrusion prevention system (IPS)
• Host, network or application based
IDS / IPS Components
• Sensors that are responsible for collecting data
• Analyzers that receive input from sensors and determine intrusive activity
• An administration console
• A user interface
IDS / IPS types include:
• Signature-based
• Statistical-based
• Neural networks
IDS / IPS Features
• Intrusion detection
• Gathering evidence on intrusive activity
• Automated response
• Security monitoring
• Interface with system tools
• Security policy management
Voice-over IP (VoIP)
VoIP security issues:
• Inherent poor security
  o Internet architecture does not provide the same physical wire security as the phone lines (shared lines versus private lines)
• The key to securing VoIP:
  o Security mechanisms such as those deployed in data networks (e.g., firewalls, encryption) to provide security
  o Proper configuration of equipment
Techniques for Testing Security
• Vulnerability scanning
• Penetration testing
  o Internal versus external
  o Enumerate and attempt to exploit system vulnerabilities
  o Web applications
  o Operating systems
  o Physical
Auditing Network Infrastructure Security
• Review network diagrams and implementation
• Evaluate compliance with applicable security policies, standards and procedures
• Ensure network connections are secure and properly monitored and managed
• Identify possible attacks and misuse
• Review service level agreements (SLAs)
• Ensure backups are being done and tested
Encryption
Encryption Definition
• Altering data in storage or transit so that it cannot be understood by unauthorized personnel
• Converts a plaintext message into a form of ciphertext using a key known only to authorized personnel
  o Substitution
  o Transposition
Encryption
Key elements of encryption systems:
• Encryption algorithm
• Encryption key
• Key length
Private key cryptographic systems
Public key cryptographic systems
Symmetric Encryption
Uses the same (shared) key to both encrypt and decrypt a message
Characteristics:
• Fast; provides confidentiality; good for bulk message and streaming media encryption
Examples:
• Advanced Encryption Standard (AES)
• Data Encryption Standard (DES)
Asymmetric Algorithms
Mathematically related key pair:
• Private key kept private by owner
• Public key can be distributed freely
• May use certificates to distribute public keys (PKI, covered later)
Benefits:
• Confidentiality, access control, non-repudiation, authenticity, integrity
Disadvantages: slow
Examples: RSA, Diffie-Hellman, Elliptic Curve (ECC)
Hashing Algorithms
Used for message integrity:
• Calculates a digest of the message
• Can be validated by the receiver to ensure the message was not changed in transit or storage
Examples: MD5, SHA-1, SHA-256
Digital Signatures
Digital signatures provide:
• Data integrity
• Authentication
• Nonrepudiation
• Replay protection
Created by signing a hash of a message with the private key of the sender
Digital Envelope
Digital envelope: used to send encrypted information and the relevant key along with it. The message to be sent can be encrypted by using either:
• Asymmetric key
• Symmetric key
Public Key Infrastructure (PKI)
• Digital certificates
• Certificate authority (CA)
• Registration authority (RA)
• Certificate revocation list (CRL)
• Certification practice statement (CPS)
Uses of Encryption in Communications
Use of encryption in OSI protocols:
• Secure sockets layer (SSL)
• Secure Hypertext Transfer Protocol (S-HTTP)
• IP security (IPsec)
• SSH
• Secure multipurpose Internet mail extensions (S/MIME)
• PCI-DSS (payment card industry)
Auditing Encryption Implementations
• Key management
  o Storage
  o Key history and retention
  o Changing keys
  o Strong keys
• Performance
• User training
Malware
Viruses
Various types of viruses attack:
• Executable program files
• The file directory system, which tracks the location of all the computer’s files
• Boot and system areas, which are needed to start the computer
• Data files
Virus Protection
• Policies
• Education
• Patch management
• Procedural controls
• Technical controls
• Anti-virus software implementation strategies
Other Forms of Malware
• Worms
• Trojan horses
• Logic bombs
• Spyware / adware
• Keystroke loggers
• Botnets / zombies
Incident Handling and Evidence
Security Incident Handling and Response
• Planning and preparation
• Detection
• Initiation
• Recording
• Evaluation
• Containment
• Eradication
• Escalation
• Response
• Recovery
• Closure
• Reporting
• Post-incident review
• Lessons learned
Evidence Handling
Obtain all evidence associated with an incident
Chain of custody:
• Protection from alteration / unauthorized access
• Documented
• Secure copies
• Bit-level images of media
Physical and Environmental Controls
Physical Access Issues and Exposures
• Unauthorized entry
• Damage, vandalism or theft of equipment or documents
• Copying or viewing of sensitive or copyrighted information or intellectual property
• Alteration of sensitive equipment and information
• Public disclosure of sensitive information
• Abuse of data processing resources
• Blackmail
• Embezzlement
Physical Access Issues and Exposures (continued)
Possible perpetrators include employees who are:
• Disgruntled
• On strike
• Threatened by disciplinary action or dismissal
• Addicted to a substance or gambling
• Experiencing financial or emotional problems
• Notified of their termination
Physical Access Controls
• Bolting door locks
• Combination door locks (cipher locks)
• Electronic door locks
• Biometric door locks
• Manual logging
• Electronic logging
• Identification badges (photo IDs)
• Video cameras
• Security guards
• Controlled visitor access
• Bonded personnel
• Deadman doors
• Not advertising the location of sensitive facilities
• Computer workstation locks
• Controlled single entry point
• Alarm system
• Secured report / document distribution cart
• Windows
Controls for Environmental Exposures
• Alarm control panels
• Water detectors
• Handheld fire extinguishers
• Manual fire alarms
• Smoke detectors
• Fire suppression systems
• Strategically locating the computer room
• Regular inspection by fire department
Controls for Environmental Exposures (continued)
• Fireproof walls, floors and ceilings of the computer room
• Electrical surge protectors
• Uninterruptible power supply / generator
• Emergency power-off switch
• Power supply leads from two substations
Controls for Environmental Exposures (continued)
• Wiring placed in electrical panels and conduit
• Restricted activity within secure areas
  o Access, equipment, cameras, phones
• Fire-resistant building materials
• Documented and tested emergency evacuation plans
Electrical Problems
Power failures:
• Total failure (blackout)
• Severely reduced voltage (brownout)
• Sags, spikes and surges
• Electromagnetic interference (EMI)
Auditing Physical Access
• Touring the information processing facility (IPF)
• Testing of physical safeguards
  o Locks, fire equipment, access control procedures
• Regular tests of backup power systems
Practice Question 1
Which of the following BEST provides access control to data being processed on a local server?
A. Logging all access to sensitive information
B. Using strong passwords for sensitive transactions
C. Deploying software that restricts access to authorized staff
D. Restricting system access to business hours
Practice Question 2
An organization is proposing to install a single sign-on facility giving access to all systems. The organization should be aware that:
A. Disclosure of a password would grant maximum unauthorized access.
B. User access rights would be restricted by the additional security parameters.
C. The security administrator’s workload would increase.
D. Systems may require different levels of access control.
Practice Question 3
Which of the following is the MOST effective antivirus control?
A. Scanning e-mail attachments on the mail server
B. Use of virtual environments
C. Disabling USB ports
D. An online antivirus scan with up-to-date virus definitions
ISACA® EXAM CANDIDATE INFORMATION GUIDE 2015
ISACA Exam Candidate Information Guide
ISACA Exams 2015—Important Date Information

Exam Date—13 June 2015 Exam
• Early registration deadline: 11 February 2015
• Final registration deadline: 10 April 2015
• Exam registration changes: Between 11 April and 24 April 2015, charged a US $50 fee, with no changes accepted after 24 April 2015
• Refunds: By 10 April 2015, charged a US $100 processing fee, with no refunds after that date
• Deferrals: Requests received on or before 24 April 2015, charged a US $50 processing fee. Requests received from 25 April through 22 May 2015, charged a US $100 processing fee. After 22 May 2015, no deferrals will be permitted.
• All deadlines are based upon Chicago, Illinois, USA 5 p.m. CT (central time)

Exam Date—12 September 2015 Exam*
• Early registration deadline: 17 June 2015
• Final registration deadline: 24 July 2015
• Exam registration changes: Between 25 July and 3 August, charged a US $50 fee, with no changes accepted after 3 August 2015
• Refunds: By 24 July 2015, charged a US $100 processing fee, with no refunds after that date
• Deferrals: Requests received on or before 10 August 2015, charged a US $50 processing fee. Requests received from 11 August through 28 August 2015, charged a US $100 processing fee. After 28 August 2015, no deferrals will be permitted.
• All deadlines are based upon Chicago, Illinois, USA 5 p.m. CT (central time)
* CISA and CISM only at select locations

Exam Date—12 December 2015 Exam
• Early registration deadline: 19 August 2015
• Final registration deadline: 23 October 2015
• Exam registration changes: Between 24 October and 30 October, charged a US $50 fee, with no changes accepted after 30 October 2015
• Refunds: By 23 October 2015, charged a US $100 processing fee, with no refunds after that date
• Deferrals: Requests received on or before 23 October 2015, charged a US $50 processing fee. Requests received from 24 October through 27 November 2015, charged a US $100 processing fee. After 27 November 2015, no deferrals will be permitted.
• All deadlines are based upon Chicago, Illinois, USA 5 p.m. CT (central time)

Note:
• The CISA Chinese Mandarin Traditional, German, Italian and Hebrew languages are only offered at the June exam.
• The CISA Turkish language is only offered at the June and December exams.
• The CISM Japanese and Korean languages are only offered at the June exam.
• Visit www.isaca.org/examlocations for a listing of the exam sites. Select the appropriate tab for June, September or December. Please contact [email protected] for further information.
Table of Contents
• ISACA Certification: page 3
• June—Important Date Information: page 5
• September—Important Date Information: page 6
• December—Important Date Information: page 7
• Exam Day Information: page 8
• Post Exam Information: page 10

About ISACA
With more than 115,000 constituents in 180 countries, ISACA® (www.isaca.org) helps business and IT leaders build trust in, and value from, information and information systems. Established in 1969, ISACA is the trusted source of knowledge, standards, networking, and career development for information systems audit, assurance, security, risk, privacy and governance professionals. ISACA offers the Cybersecurity Nexus™, a comprehensive set of resources for cybersecurity professionals, and COBIT®, a business framework that helps enterprises govern and manage their information and technology. ISACA also advances and validates business-critical skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) credentials. The association has more than 200 chapters worldwide.
ANSI Accredited Program, Personnel Certification #0694, ISO/IEC 17024
CISA, CISM, CGEIT and CRISC Program Accreditation Renewed Under ISO/IEC 17024:2003
The American National Standards Institute (ANSI) has accredited the CISA, CISM, CGEIT and CRISC certifications under ISO/IEC 17024:2003, General Requirements for Bodies Operating Certification Systems of Persons. ANSI, a private, nonprofit organization, accredits other organizations to serve as third-party product, system and personnel certifiers. ISO/IEC 17024 specifies the requirements to be followed by organizations certifying individuals against specific requirements. ANSI describes ISO/IEC 17024 as “expected to play a prominent role in facilitating global standardization of the certification community, increasing mobility among countries, enhancing public safety and protecting consumers.”
ANSI’s accreditation:
• Promotes the unique qualifications and expertise that ISACA certifications provide
• Protects the integrity of the certifications and provides legal defensibility
• Enhances consumer and public confidence in the certifications and the people who hold them
• Facilitates mobility across borders or industries
Accreditation by ANSI signifies that ISACA’s procedures meet ANSI’s essential requirements for openness, balance, consensus and due process. With this accreditation, ISACA anticipates that significant opportunities for CISAs, CISMs and CGEITs will continue to present themselves around the world.

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: [email protected]
Web site: www.isaca.org
Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: https://twitter.com/ISACANews
Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ

Reservation of Rights
Copyright © 2014 ISACA. Reproduction or storage in any form for any purpose is not permitted without ISACA’s prior written permission. No other right or permission is granted with respect to this work. All rights reserved.
ISACA CERTIFICATION: IS AUDIT, SECURITY, GOVERNANCE AND RISK AND CONTROL
The ISACA Exam Candidate Information Guide includes candidate information about exam registration, dates, and deadlines and provides important key candidate details for exam day administration. This publication is available online at www.isaca.org/examguide. The following certifications are addressed in this guide: Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT), and Certified in Risk and Information Systems Control (CRISC). A brief summary of each follows.

CISA
• Description: The CISA designation is a globally recognized certification for IS audit control, assurance, and security professionals.
• Eligibility requirements: Five (5) or more years of experience in IS audit, control, assurance, or security. Waivers are available for a maximum of three (3) years.
• Domains (%): Domain 1—The Process of Auditing Information Systems (14%); Domain 2—Governance and Management of IT (14%); Domain 3—Information Systems Acquisition, Development, and Implementation (19%); Domain 4—Information Systems Operations, Maintenance and Support (23%); Domain 5—Protection of Information Assets (30%)
• Number of exam questions* and length of exam: 200 questions, 4 hours
• Exam languages: Chinese Mandarin Traditional**, Chinese Mandarin Simplified, English, French, German**, Hebrew**, Italian**, Japanese, Korean, Spanish, Turkish***

CISM
• Description: The management-focused CISM certification promotes international security practices and recognizes the individual who manages, designs, and oversees and assesses an enterprise’s information security.
• Eligibility requirements: Five (5) or more years of experience in information security management. Waivers are available for a maximum of two (2) years.
• Domains (%): Domain 1—Information Security Governance (24%); Domain 2—Information Risk Management and Compliance (33%); Domain 3—Information Security Program Development and Management (25%); Domain 4—Information Security Incident Management (18%)
• Number of exam questions* and length of exam: 200 questions, 4 hours
• Exam languages: English, Japanese**, Korean**, Spanish

CGEIT
• Description: CGEIT recognizes a wide range of professionals for their knowledge and application of enterprise IT governance principles and practices.
• Eligibility requirements: Five (5) or more years of experience managing, serving in an advisory or oversight role, and/or otherwise supporting the governance of the IT-related contribution to an enterprise, including a minimum of one year of experience relating to the definition, establishment and management of a Framework for the Governance of IT. There are no substitutions or experience waivers.
• Domains (%): Domain 1: Framework for the Governance of Enterprise IT (25%); Domain 2: Strategic Management (20%); Domain 3: Benefits Realization (16%); Domain 4: Risk Optimization (24%); Domain 5: Resource Optimization (15%)
• Number of exam questions* and length of exam: 150 questions, 4 hours
• Exam languages: English

CRISC
• Description: CRISC certification is designed for those experienced in the management of IT risk, and the design, implementation, monitoring and maintenance of IS controls.
• Eligibility requirements: Three (3) or more years of cumulative work experience performing the tasks of a CRISC professional across at least two (2) CRISC domains, of which one must be in Domain 1 or 2, is required for certification. There are no substitutions or experience waivers.
• Domains (%): Domain 1: IT Risk Identification (27%); Domain 2: IT Risk Assessment (28%); Domain 3: Risk Response and Mitigation (23%); Domain 4: Risk and Control Monitoring and Reporting (22%)
• Number of exam questions* and length of exam: 150 questions, 4 hours
• Exam languages: English, Spanish

* Consists of multiple choice items that cover the respective job practice areas created from the most recent job practice analysis. See page 11 for related links.
** June exam only
*** June and December exam only
REGISTERING FOR THE EXAM

REGISTER FOR THE EXAM
You can register for an ISACA exam via online registration or hard copy registration form. To place your online registration via the ISACA web site visit www.isaca.org/examreg. To register via hardcopy registration form, complete the hardcopy registration form provided at www.isaca.org/exam and fax or mail to ISACA along with your payment information. Note: Faxed/mailed registrations will incur an additional US $75 charge.

SUBMIT REGISTRATION FEES AND PAYMENT
Fees for online early registrations received on or before the early registration deadline, and for online final registrations received by the final registration deadline:
• ISACA member: US $440 (early registration); US $490 (final registration)
• Non-ISACA member: US $625 (early registration); US $675 (final registration)
NOTE: Registration form and payment must be received on or before the early registration deadline to qualify for the early registration rate.
Notes:
• The CISA Chinese Mandarin Traditional, German, Hebrew, and Italian languages will only be offered at the June exam.
• The CISM Japanese and Korean languages are only offered at the June exam.
• Visit www.isaca.org/examlocations for a listing of the exam sites. Please select the appropriate tab for the June, September or December locations. Please contact [email protected] for further information.

CONSIDER ISACA MEMBERSHIP
If you are not yet an ISACA member, consider joining during the registration process and enjoy the member discount on your exam and study materials. Please visit www.isaca.org/join for detailed information on membership benefits and fees.
Join dates and membership term:
• Join from 1 August 2014 to 30 May 2015: member through 31 December 2015
• Join from 1 June 2015 to 31 July 2015: member through 31 December 2015
• Join from 1 August 2015 to December 2015: member through 31 December 2016

Due Dates
Deadlines are based on Chicago, Illinois, USA, 5 P.M. Central Time (UTC/GMT-06:00 Chicago, Illinois, USA). If not registering online, please mail or fax the registration form to ISACA. Do not do both. Submitting duplicate registrations online and/or by hard copy to ISACA may result in multiple registrations and charges. Final registration forms and payment must be postmarked or received by fax on or before the final registration date for the exam you are registering for. Both pages of the registration form must be received to complete a registration.

ACKNOWLEDGMENT OF REGISTRATION
An email acknowledgement of the exam registration, exam test site and exam language will be sent to registrants shortly after the processing of the registration. Please review the exam registration details carefully and contact the ISACA certification department at [email protected] for any corrections or changes. A receipt letter acknowledging exam registration and payment with a link to ISACA’s Exam Candidate Information Guide should be received by exam registrants within four weeks (depending on your worldwide location and local postal delivery) of the processing of the registration form and payment. We encourage exam candidates to review this Guide to familiarize themselves with exam day information and rules.
JUNE—IMPORTANT DATE INFORMATION
Exam Date: 13 June 2015

Exam Registration Changes
Changes to the exam site, test language and candidate name are subject to the following charges:
• On or before 10 April 2015: No charge
• 11 April through 24 April 2015: US $50
No exam registration changes will be granted after 24 April 2015.

Refund and Deferrals of Fees
Refund: Candidates unable to take the exam are eligible for a refund of registration fees, less a US $100 processing fee, if such a request is received in writing on or before 10 April 2015. All requests for a refund after this date will be denied. Exam candidates who have deferred their exam are not eligible for a refund of their deferral fee and associated exam payment.
Deferrals: Exam registrants may elect to defer their registration to the following exam date. A deferral fee is required based on the following schedule:
• On or before 24 April: US $50
• 25 April through 22 May: US $100
Deferral requests will not be accepted after 22 May 2015. To request a deferral, please go to www.isaca.org/examdefer. Exam candidates who have deferred their exam are not eligible for a refund of their deferral fee and associated exam payment. Exam candidates who do not appear for the exam (or arrive too late to be admitted) are not eligible for a refund or deferral of their exam registration payment. Any candidate who has not received his/her admission ticket by 1 June 2015 should contact the ISACA certification department at [email protected] or via phone at +1.847.660.5660.

Special Accommodations
Upon request, ISACA will make reasonable accommodations in its exam procedures for candidates with documented disabilities or religious requirements. Consideration for reasonable alterations in scheduling, exam format, presentation, and allowance of food or drink at the exam site must be requested. Documented disability requests must be accompanied by a doctor’s note. Requests for a religious requirement must be accompanied by a note from the candidate’s religious leader. Unless requested and approved, no food or drink is allowed at any exam site. Requests for consideration must be submitted to ISACA International Headquarters in writing, accompanied by appropriate documentation, no later than 10 April 2015 to [email protected].

Request for Additional Test Centers
If an exam center is not available within 100 miles (160 kilometers) of the location in which a candidate wants to be tested, and if there are ten or more paid candidates who wish to enter as a group at this location, they may request that a new exam center be established. Written requests for establishment of new exam centers, including a minimum of ten paid registration forms, must be received at ISACA International Headquarters no later than 1 February 2015. While there is no guarantee that a new exam center can be arranged, every attempt will be made to provide one.

Exam Locations
For a complete listing of the exam sites for the June exam administration visit www.isaca.org/examlocations and select the June Exam Locations tab. All deadlines are based on Chicago, Illinois, USA, 5 p.m. Central Time (UTC/GMT-06:00 Chicago, Illinois, USA). No refunds or exchanges will be given for study aids, associated taxes, shipping and handling charges, or membership dues. Exam registration and membership fees are nontransferable.
ISACA Exam Candidate Information Guide SEPTEMBER—IMPORTANT DATE INFORMATION Exam Date 12 September 2015 The September exam administration is only offered for the CISA and CISM certification exams at limited exam sites.
Exam Registration Changes Changes to the exam site, test language and candidate name are subject to the following charges: z On or before 24 July 2015................................. No charge z 25 July through 3 August 2015 ......................... US $50 No exam registration changes will be granted after 3 August 2015.
Refund and Deferrals of Fees
Refund: Candidates unable to take the exam are eligible for a refund of registration fees, less a US $100 processing fee, if such a request is received in writing on or before 24 July 2015. All requests for a refund after this date will be denied. Exam candidates who have deferred their exam are not eligible for a refund of their deferral fee and associated exam payment.
Deferrals: Exam registrants may elect to defer their registration to the following exam date. A deferral fee is required based on the following schedule:
• On or before 10 August 2015: US $50
• 11 August through 28 August 2015: US $100
Deferral requests will not be accepted after 28 August 2015. To request a deferral, please go to www.isaca.org/examdefer. Exam candidates who have deferred their exam are not eligible for a refund of their deferral fee and associated exam payment. Exam candidates who do not appear for the exam (or arrive too late to be admitted) are not eligible for a refund or deferral of their exam registration payment. Any candidate who has not received his/her admission ticket by 15 August 2015 should contact the ISACA certification department at [email protected] or via phone at +1.847.660.5660.
Special Accommodations
Upon request, ISACA will make reasonable accommodations in its exam procedures for candidates with documented disabilities. Consideration for reasonable alterations in exam format, presentation, and allowance of food or drink at the exam site must be requested and accompanied by a doctor's note. Unless requested and approved, no food or drink is allowed at any exam site. Requests for consideration must be submitted to ISACA International Headquarters in writing, accompanied by appropriate documentation, no later than 27 July 2015 to [email protected].
Exam Locations
For a complete listing of the exam sites for the September exam administration visit www.isaca.org/examlocations and select the September Exam Locations tab. All deadlines are based on Chicago, Illinois, USA, 5 p.m. Central Time (UTC/GMT-06:00 Chicago, Illinois, USA). No refunds or exchanges will be given for study aids, associated taxes, shipping and handling charges, or membership dues. Exam registration and membership fees are nontransferable.
DECEMBER—IMPORTANT DATE INFORMATION
Exam Date: 12 December 2015
Exam Registration Changes
Changes to the exam site, test language and candidate name are subject to the following charges:
• On or before 23 October: No charge
• 24 October through 30 October: US $50
No exam registration changes will be granted after 30 October 2015.
Refund and Deferrals of Fees
Refund: Candidates unable to take the exam are eligible for a refund of registration fees, less a US $100 processing fee, if such a request is received in writing on or before 23 October 2015. All requests for a refund after this date will be denied. Exam candidates who have deferred their exam are not eligible for a refund of their deferral fee and associated exam payment.
Deferrals: Exam registrants may elect to defer their registration to the following exam date. A deferral fee is required based on the following schedule:
• On or before 23 October: US $50
• 24 October through 27 November: US $100
Deferral requests will not be accepted after 27 November 2015. To request a deferral, please go to www.isaca.org/examdefer. Exam candidates who have deferred their exam are not eligible for a refund of their deferral fee and associated exam payment. Exam candidates who do not appear for the exam (or arrive too late to be admitted) are not eligible for a refund or deferral of their exam registration payment. Any candidate who has not received his/her admission ticket by 1 December 2015 should contact the ISACA certification department at [email protected] or via phone at +1.847.660.5660.
Special Accommodations
Upon request, ISACA will make reasonable accommodations in its exam procedures for candidates with documented disabilities or religious requirements. Consideration for reasonable alterations in scheduling, exam format, presentation, and allowance of food or drink at the exam site must be requested. Documented disability requests must be accompanied by a doctor's note. Requests for a religious requirement must be accompanied by a note from the candidate's religious leader. Unless requested and approved, no food or drink is allowed at any exam site. Requests for consideration must be submitted to ISACA International Headquarters in writing, accompanied by appropriate documentation, no later than 23 October 2015 to [email protected].
Request for Additional Test Centers
If an exam center is not available within 100 miles (160 kilometers) of the location in which a candidate wants to be tested, and if there are ten or more paid candidates who wish to enter as a group at this location, they may request that a new exam center be established. Written requests for establishment of new exam centers, including a minimum of ten paid registration forms, must be received at ISACA International Headquarters no later than 1 August 2015. While there is no guarantee that a new exam center can be arranged, every attempt will be made to provide one.
Exam Locations
For a complete listing of the exam sites for the December exam administration visit www.isaca.org/examlocations and select the December Exam Locations tab. All deadlines are based on Chicago, Illinois, USA, 5 p.m. Central Time (UTC/GMT-06:00 Chicago, Illinois, USA). No refunds or exchanges will be given for study aids, associated taxes, shipping and handling charges, or membership dues. Exam registration and membership fees are nontransferable.
EXAM DAY INFORMATION
Admission Ticket
Approximately two to three weeks prior to the exam date, candidates will be sent an email admission ticket (eticket) from ISACA. Admission tickets are sent via email to the current email address on file. In order to receive an admission ticket, all fees must be paid. Exam candidates can also download a copy of the admission ticket at www.isaca.org > MyISACA page of the web site. Tickets will indicate the date, registration time and location of the exam, as well as a schedule of events for that day and a list of materials that candidates must bring with them to take the exam. Candidates are not to write on the admission ticket. Candidates can use their admission ticket (either a printout of their e-ticket or their downloaded ticket) only at the designated test center.
Identification on Exam Day
Candidates will be admitted to the test center only if they have a valid admission ticket and an acceptable form of identification (ID). An acceptable form of ID must be a current and original government-issued ID that contains the candidate's name, as it appears on the admission ticket, and the candidate's photograph. The information on the ID cannot be handwritten. All of these characteristics must be demonstrated by the single piece of ID provided. Examples include, but are not limited to, a passport, driver's license, military ID, state ID, green card and national ID. Any candidate who does not provide an acceptable form of ID will not be allowed to sit for the exam and will forfeit his/her registration fee. IDs will be checked during the exam administration. Only candidates with an admission ticket and an acceptable government-issued ID will be admitted to take the exam, and the name on the admission ticket must match the name on the government-issued ID. If candidates' mailing and/or email addresses change, they should update their profile on the ISACA web site (www.isaca.org) or contact [email protected].
Arrival Time for Exam
It is imperative that candidates note the specific registration and exam times on their admission ticket. NO CANDIDATE WILL BE ADMITTED TO THE TEST CENTER ONCE THE CHIEF EXAMINER BEGINS READING THE ORAL INSTRUCTIONS, APPROXIMATELY 30 MINUTES BEFORE THE EXAM BEGINS. Any candidate who arrives after the oral instructions have begun will not be allowed to sit for the exam and will forfeit his/her registration fee. An admission ticket can only be used at the designated test center specified on the admission ticket. To ensure that you arrive in plenty of time for the exam, we recommend that you become familiar with the exact location and the best travel route to your exam site prior to the date of the exam. Test center telephone numbers and web site references have been provided (when available) to assist you in obtaining directions to the facility.
Exam Rules
• Candidates will not be admitted to a test center after the oral instructions have begun.
• Candidates should bring several sharpened No. 2 or HB (soft lead) pencils and a good eraser. Pencils and erasers will not be available at the test center.
• As exam venues vary, every attempt will be made to make the climate control comfortable at each exam venue. Candidates may want to dress to their own comfort level.
• Candidates are not allowed to bring reference materials, blank paper, note pads or language dictionaries into the test center.
• Candidates are not allowed to bring or use a calculator in the test center.
• Candidates are not allowed to bring any type of communication, surveillance or recording device (including, but not limited to cell phones, tablets, smart glasses, smart watches, mobile devices, etc.) into the test center. If exam candidates are viewed with any such communication, surveillance or recording device during the exam administration, their exams will be voided and they will be asked to immediately leave the exam site.
• Candidates are not allowed to bring baggage of any kind, including but not limited to handbags/purses, briefcases, etc. into the test center. Visit www.isaca.org/cisabelongings, www.isaca.org/cismbelongings, www.isaca.org/cgeitbelongings, www.isaca.org/criscbelongings for more information on personal belongings allowed or prohibited.
• Visitors are not permitted in the test center.
• No food or beverages are allowed in the test center (without advanced authorization from ISACA).
• Candidates are urged to immediately record their answers on their answer sheet. No additional time will be allowed after the exam time has elapsed to transfer or record answers should candidates mark their answers in the test booklet. The exam will be scored based on the answer sheet recordings only.
• Candidates must gain authorization or be accompanied by a test proctor to leave the testing area.
• Candidates may leave the testing room with authorization during the examination to visit the facilities. Only one person will be excused from the room at a time. Testing staff will collect the candidate examination materials and the candidate will be required to check out and check in again upon re-entering the exam. Note the examination time will not stop and no extra time will be allotted.
Misconduct
Candidates who are discovered in violation of the Exam Rules or engaging in any kind of misconduct including but not limited to the activities listed below will be subject to disqualification. The testing agency will report all cases of misconduct to the respective ISACA Certification Committee for committee review in order to render any decision necessary.
• Giving or receiving help; using notes, papers or other aids,
• Attempting to take the exam for someone else,
• Possession of communication, surveillance or recording device, including but not limited to cell phones, tablets, smart glasses, smart watches, mobile devices, etc., during the exam administration,
• Removing test materials, answer sheet or notes from the testing center,
• Attempting to share test questions or answers or other information contained in the exam (as such are the confidential information of ISACA), including sharing test questions subsequent to the exam,
• Leaving the testing room or area without authorization or accompaniment by a test proctor (these individuals will not be allowed to return to the testing room),
• Accessing items stored in the personal belongings area before the completion of the exam, and
• Continuing to write the exam after the proctor signals the end of the exam time.
Reasons for Dismissal or Disqualification and Voiding of Exam
• Unauthorized admission to the test center.
• Candidate creates a disturbance or gives or receives help.
• Candidate attempts to remove test materials, questions, answers or notes from the test center.
• Candidate impersonates another candidate.
• Candidate brings items into the test center that are not permitted or accesses items stored in the personal belongings area during the exam.
• Candidate possesses any communication, surveillance or recording device during the exam administration.
• Candidate leaves the test area without authorization.
• Candidate continues to write the exam, including continuing to record answers on his/her answer sheet, after the proctor signals the end of the examination.
• Candidate shares test questions or other information contained in the exam.
Personal Belongings
Each test site will have a specific area designated for the storage of personal belongings. Neither ISACA nor its testing vendor takes responsibility for personal belongings of candidates. ISACA will not assume responsibility for stolen, lost or damaged personal property. To review the Personal Belongings Policy, please visit www.isaca.org/cisabelongings, www.isaca.org/cismbelongings, www.isaca.org/cgeitbelongings, or www.isaca.org/criscbelongings. Personal items brought to the exam site and stored in the belongings area of the testing center may not be accessed until the exam candidate has completed and submitted his/her exam.
Taking the Exam/Types of Questions on the Exams
Exam questions are developed with the intent of measuring and testing practical knowledge and the application of general concepts and standards. All questions are designed with one best answer. Every question has a stem (question) and four options (answer choices). The candidate is asked to choose the correct or best answer from the options.
The stem may be in the form of a question or incomplete statement. In some instances, a scenario may also be included. These questions normally include a description of a situation and require the candidate to answer two or more questions based on the information provided. The candidate is cautioned to read each question carefully. An exam question may require the candidate to choose the appropriate answer based on a qualifier, such as MOST likely or BEST. In every case, the candidate is required to read the question carefully, eliminate known incorrect answers and then make the best choice possible. To gain a better understanding of the types of questions that might appear on the exam and how these questions are developed, refer to the Item Writing Guide available at www.isaca.org/itemwriter. Representations of CISA exam questions are available at www.isaca.org/cisaassessment; CISM exam questions are available at www.isaca.org/cismassessment.
Conduct Oneself Properly
• To protect the security of the exam and maintain the validity of the scores, candidates are asked to sign the answer sheet.
• The respective ISACA Certification Committee reserves the right to disqualify any candidate who is discovered engaging in any kind of misconduct or violation of exam rules, including but not limited to giving or receiving help; using notes, papers or other aids; attempting to take the exam for someone else; using any type of communication, surveillance or recording device during the exam administration; removing test materials or notes from the test center; or attempting to share test questions or answers or other information contained in the exam (as such are the confidential information of ISACA). The testing agency will provide the respective ISACA Certification Committee with records regarding such irregularities for committee review and to render any decision necessary.
Be Careful in Completing the Answer Sheet
• Before a candidate begins the exam, the test center chief examiner will read aloud the instructions for entering identification information on the answer sheet. A candidate's identification number as it appears on the admission ticket and all other requested information must be correctly entered or scores may be delayed or incorrectly reported.
• A proctor speaking the primary language used at each test center is available. If a candidate desires to take the exam in a language other than the primary language of the test center, the proctor may not be conversant in the language chosen. However, written instructions will be available in the language of the exam.
• A candidate is instructed to read all instructions carefully and understand them before attempting to answer the questions. Candidates who skip over the directions or read them too quickly could miss important information and possibly lose credit.
• All answers are to be marked in the appropriate circle on the answer sheet. Candidates must be careful not to mark more than one answer per question and to be sure to answer a question in the appropriate row of answers. If an answer needs to be changed, a candidate is urged to erase the wrong answer fully before marking in the new one.
• All questions should be answered. There are no penalties for incorrect answers. Grades are based solely on the number of questions answered correctly, so do not leave any questions blank.
• After completion, candidates are required to hand in their answer sheet and test booklet.
Budget One's Time
• The exam is four hours in length. Candidates are advised to pace themselves to complete the entire exam.
• Candidates are urged to immediately record their answers on the answer sheet. No additional time will be allowed after the exam time has elapsed to transfer or record answers should a candidate mark answers in the test booklet. The exam will be scored based on the answer sheet recordings only.
Exam Day Comments
ISACA utilizes an internationally recognized professional testing agency to assist the construction, administration and scoring of the exams. Candidates wishing to comment on the test administration conditions may do so at the conclusion of the testing session by completing the "Test Administration Questionnaire." The Test Administration Questionnaire is presented at the back of the examination booklet with corresponding instructions for completion. Candidates who wish to address any additional comments or concerns about the examination administration, including site conditions or the content of the exam, should contact ISACA international headquarters by letter or by email ([email protected]). Please include the following information in your comments: exam ID number, testing site, date tested and any relevant details on the specific issue. Only those comments received by ISACA during the first 2 weeks after the exam administration will be considered in the final scoring of the exam. Appeals undertaken by a certification exam taker, certification applicant or by a certified individual are undertaken at the discretion and cost of the exam taker, applicant or individual.
POST EXAM INFORMATION
Scoring the Exams
The ISACA exams consist of multiple-choice items. Candidate scores are reported as a scaled score. A scaled score is a conversion of a candidate's raw score on an exam to a common scale. ISACA uses and reports scores on a common scale from 200 to 800. For example, the scaled score of 800 represents a perfect score with all questions answered correctly; a scaled score of 200 is the lowest score possible and signifies that only a small number of questions were answered correctly. A candidate must receive a score of 450 or higher to pass the exam. A score of 450 represents a minimum consistent standard of knowledge. A candidate receiving a passing score may then apply for certification if all other requirements are met. The exams contain some questions which are included for research and analysis purposes only. These questions are not separately identified and not used to calculate your final score.
Approximately five weeks for CISA/CISM and eight weeks for CGEIT/CRISC after the test date, the official exam results will be mailed to candidates. Additionally, with the candidate's consent during the registration process, an email message containing the candidate's pass/fail status and score will be sent to the candidate. This email notification will only be sent to the address listed in the candidate's profile at the time of the initial release of the results. To ensure the confidentiality of scores, exam results will not be reported by telephone or fax. To prevent email notification from being sent to spam folders, candidates should add [email protected] to their address book, whitelist or safe-senders list. Once released, scores will also be available in the ISACA constituent profile at the MyISACA > MyCertifications page of the ISACA website.
Candidates will receive a score report containing a subscore for each domain area. Successful candidates will receive, along with a score report, details on how to apply for certification. The subscores can be useful in identifying those areas in which the unsuccessful candidate may need further study before retaking the exam. Unsuccessful candidates should note that the total scaled score cannot be determined by calculating either a simple or weighted average of the subscores.
Candidates receiving a failing score on the exam may request a hand score of their answer sheets. This procedure ensures that no stray marks, multiple responses or other conditions interfered with computer scoring. Candidates should understand, however, that all scores are subject to several quality control checks before they are reported; therefore, rescores most likely will not result in a score change. Requests for hand scoring must be made in writing to the certification department within 90 days following the release of the exam results. Requests for a hand score after the deadline date will not be processed. All requests must include a candidate's name, exam identification number and mailing address. A fee of US $75 must accompany each request.
Passing the exam does not grant the designation. Candidates have five years from the passing date to apply for certification. To become certified, each exam passer must complete requirements including submitting an application for certification. Candidates receiving a score less than 450 have not passed and can retake the exam by registering and paying the exam registration fee for the future administration. There are no limits to how many times a candidate can take the exam.
ISACA Code of Professional Ethics
ISACA sets forth a Code of Professional Ethics to guide the professional and personal conduct of members of the association and/or its certification holders. Members and certification holders are required to abide by the Code. Failure to comply with this Code of Professional Ethics can result in an investigation into a member's and/or certification holder's conduct and, ultimately, in disciplinary measures. The ISACA Code of Professional Ethics can be viewed online at www.isaca.org/ethics.
Confidentiality
By taking an ISACA Exam, the candidate understands and agrees that the Exam (which includes all aspects of the exam, including, without limitation, the test questions, answers, examples and other information presented or contained in the exam and exam materials) belongs to ISACA and constitutes ISACA's confidential information (collectively, "Confidential Information"). The candidate agrees to maintain the confidentiality of ISACA's Confidential Information at all times and understands that any failure to maintain the confidentiality of ISACA's Confidential Information may result in disciplinary action against the candidate by ISACA or other adverse consequences, including, without limitation, nullification of his/her exam, loss of his/her credentials, and/or litigation. Specifically, the candidate understands that he/she may not, for example, discuss, publish or share any exam question(s), his/her answers or thoughts on any question(s) or the exam's format in any forum or media (e.g., via e-mail, Facebook, LinkedIn).
IMPORTANT ADDITIONAL REFERENCES
These references contain essential exam information and should be read in their entirety.
Important Additional References (by exam)
Certification: CISA www.isaca.org/cisa; CISM www.isaca.org/cism; CGEIT www.isaca.org/cgeit; CRISC www.isaca.org/crisc
Preparing for the Exam: CISA www.isaca.org/cisaprep; CISM www.isaca.org/cismprep; CGEIT www.isaca.org/cgeitprep; CRISC www.isaca.org/criscprep
Requirements for Certification: CISA www.isaca.org/cisarequirements; CISM www.isaca.org/cismrequirements; CGEIT www.isaca.org/cgeitrequirements; CRISC www.isaca.org/criscrequirements
Job Practice: CISA www.isaca.org/cisajobpractice; CISM www.isaca.org/cismjobpractice; CGEIT www.isaca.org/cgeitjobpractice; CRISC www.isaca.org/criscjobpractice
Applying for Certification: CISA www.isaca.org/cisaapp; CISM www.isaca.org/cismapp; CGEIT www.isaca.org/cgeitapp; CRISC www.isaca.org/criscapp
Maintaining your Certification: CISA www.isaca.org/cisacpepolicy; CISM www.isaca.org/cismcpepolicy; CGEIT www.isaca.org/cgeitcpepolicy; CRISC www.isaca.org/crisccpepolicy
Glossary of Terms (all four exams): www.isaca.org/glossary
Acronyms: CISA www.isaca.org/cisaprep; CISM www.isaca.org/cismprep
Available Study Materials From ISACA
Passing an ISACA exam can be achieved through an organized plan of study. To assist individuals with the development of a successful study plan, ISACA offers, for purchase, study aids to exam candidates. Visit www.isaca.org/bookstore for more complete details including detailed descriptions of the products, costs, and languages available. Order early as delivery time can be one to two weeks, depending on geographic location and customs clearance practices.
CISA:
• CISA Review Manual 2015
• CISA Review Questions, Answers & Explanations Manual 2015
• CISA Review Questions, Answers & Explanations Manual Supplement 2015
• CISA Review Questions, Answers & Explanation Database— 12 month subscription
• CISA Review Questions, Answers & Explanation Database V15 CD-ROM
• CISA Online Review Course
CISM:
• CISM Review Manual 2015
• CISM Review Questions, Answers & Explanations Manual 2014
• CISM Review Questions, Answers & Explanations Manual 2014 Supplement
• CISM Review Questions, Answers & Explanations Manual 2015 Supplement
• CISM Review Questions, Answers & Explanation Database— 12 month subscription
• CISM Review Questions, Answers & Explanation Database V15 CD-ROM
CGEIT:
• CGEIT Review Manual 2015
• CGEIT Review Questions, Answers & Explanations Manual 2015
• CGEIT Review Questions, Answers & Explanations Manual Supplement 2015
• COBIT5
CRISC:
• CRISC Review Manual 2015
• CRISC Review Questions, Answers & Explanations Manual 2015
• CRISC Review Questions, Answers & Explanations Manual Supplement 2015
• CRISC Review Questions, Answers & Explanation Database— 12 month subscription
ISACA Contact Information
Exam and exam registration: Phone: +1.847.660.5660; Fax: +1.847.253.1443; Email: [email protected]
Certification: Phone: +1.847.660.5660; Fax: +1.847.253.1443; Email: [email protected]
Study aids: Phone: +1.847.660.5650; Email: [email protected]
ISACA membership: Phone: +1.847.660.5600; Email: [email protected]
DOC: 2015 Exam Candidates Guide Version: V3 Update: 2015-03
InfoSec Acceptable Use Policy
1.0 Overview
InfoSec's intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to . established culture of openness, trust and integrity. InfoSec is committed to protecting 's employees, partners and the company from illegal or damaging actions by individuals, either knowingly or unknowingly.
Internet/Intranet/Extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, network accounts providing electronic mail, WWW browsing, and FTP, are the property of . These systems are to be used for business purposes in serving the interests of the company, and of our clients and customers in the course of normal operations. Please review Human Resources policies for further details.
Effective security is a team effort involving the participation and support of every employee and affiliate who deals with information and/or information systems. It is the responsibility of every computer user to know these guidelines, and to conduct their activities accordingly.
2.0 Purpose
The purpose of this policy is to outline the acceptable use of computer equipment at . These rules are in place to protect the employee and . Inappropriate use exposes to risks including virus attacks, compromise of network systems and services, and legal issues.
3.0 Scope
This policy applies to employees, contractors, consultants, temporaries, and other workers at , including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by .
4.0 Policy
4.1 General Use and Ownership
1. While 's network administration desires to provide a reasonable level of privacy, users should be aware that the data they create on the corporate systems remains the property of . Because of the need to protect 's network, management cannot guarantee the confidentiality of information stored on any network device belonging to .
2. Employees are responsible for exercising good judgment regarding the reasonableness of personal use.
Individual departments are responsible for creating guidelines concerning personal use of Internet/Intranet/Extranet systems. In the absence of such policies, employees should be guided by departmental policies on personal use, and if there is any uncertainty, employees should consult their supervisor or manager.
3. InfoSec recommends that any information that users consider sensitive or vulnerable be encrypted. For guidelines on information classification, see InfoSec's Information Sensitivity Policy. For guidelines on encrypting email and documents, go to InfoSec's Awareness Initiative.
4. For security and network maintenance purposes, authorized individuals within may monitor equipment, systems and network traffic at any time, per InfoSec's Audit Policy.
5. reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
4.2 Security and Proprietary Information
1. The user interface for information contained on Internet/Intranet/Extranet-related systems should be classified as either confidential or not confidential, as defined by corporate confidentiality guidelines, details of which can be found in Human Resources policies. Examples of confidential information include but are not limited to: company private, corporate strategies, competitor sensitive, trade secrets, specifications, customer lists, and research data. Employees should take all necessary steps to prevent unauthorized access to this information.
2. Keep passwords secure and do not share accounts. Authorized users are responsible for the security of their passwords and accounts. System level passwords should be changed quarterly; user level passwords should be changed every six months.
3. All PCs, laptops and workstations should be secured with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging off (control-alt-delete for Win2K users) when the host will be unattended.
4. Use encryption of information in compliance with InfoSec's Acceptable Encryption Use policy.
5. Because information contained on portable computers is especially vulnerable, special care should be exercised. Protect laptops in accordance with the "Laptop Security Tips".
6. Postings by employees from a email address to newsgroups should contain a disclaimer stating that the opinions expressed are strictly their own and not necessarily those of , unless posting is in the course of business duties.
7. All hosts used by the employee that are connected to the Internet/Intranet/Extranet, whether owned by the employee or , shall be continually executing approved virus-scanning software with a current virus database, unless overridden by departmental or group policy.
8. Employees must use extreme caution when opening e-mail attachments received from unknown senders, which may contain viruses, e-mail bombs, or Trojan horse code.
4.3 Unacceptable Use
The following activities are, in general, prohibited. Employees may be exempted from these restrictions during the course of their legitimate job responsibilities (e.g., systems administration staff may have a need to disable the network access of a host if that host is disrupting production services). Under no circumstances is an employee of the company authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing company-owned resources. The lists below are by no means exhaustive, but attempt to provide a framework for activities which fall into the category of unacceptable use.

System and Network Activities
The following activities are strictly prohibited, with no exceptions:
1. Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by the company.
2. Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which the company or the end user does not have an active license is strictly prohibited.
3. Exporting software, technical information, encryption software or technology, in violation of international or regional export control laws, is illegal. The appropriate management should be consulted prior to export of any material that is in question.
4. Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.).
5. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when work is being done at home.
6. Using a computing asset to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.
7. Making fraudulent offers of products, items, or services originating from any company account.
8. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
9. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access, unless these duties are within the scope of regular duties. For purposes of this section, "disruption" includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
10. Port scanning or security scanning is expressly prohibited unless prior notification to InfoSec is made.
11. Executing any form of network monitoring which will intercept data not intended for the employee's host, unless this activity is a part of the employee's normal job/duty.
12. Circumventing user authentication or security of any host, network or account.
13. Interfering with or denying service to any user other than the employee's host (for example, denial of service attack).
14. Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user's terminal session, via any means, locally or via the Internet/Intranet/Extranet.
15. Providing information about, or lists of, employees to parties outside the company.

Email and Communications Activities
1. Sending unsolicited email messages, including the sending of "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).
2. Any form of harassment via email, telephone or paging, whether through language, frequency, or size of messages.
3. Unauthorized use, or forging, of email header information.
4. Solicitation of email for any other email address, other than that of the poster's account, with the intent to harass or to collect replies.
5. Creating or forwarding "chain letters", "Ponzi" or other "pyramid" schemes of any type.
6. Use of unsolicited email originating from within the company's networks or other Internet/Intranet/Extranet service providers on behalf of, or to advertise, any service hosted by the company or connected via the company's network.
7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
5.0 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

6.0 Definitions
Spam: Unauthorized and/or unsolicited electronic mass mailings.

7.0 Revision History
Cloud Computing Management Audit/Assurance Program
ISACA®
With 95,000 constituents in 160 countries, ISACA (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit, independent ISACA hosts international conferences, publishes the ISACA® Journal, and develops international IS auditing and control standards, which help its constituents ensure trust in, and value from, information systems. It also advances and attests IT skills and knowledge through the globally respected Certified Information Systems Auditor™ (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) designations. ISACA continually updates COBIT®, which helps IT professionals and enterprise leaders fulfill their IT governance and management responsibilities, particularly in the areas of assurance, security, risk and control, and deliver value to the business.

Disclaimer
ISACA has designed and created Cloud Computing Management Audit/Assurance Program (the “Work”) primarily as an educational resource for audit and assurance professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, audit and assurance professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment.

Reservation of Rights
© 2010 ISACA. All rights reserved.
No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written authorization of ISACA. Reproduction and use of all or portions of this publication are permitted solely for academic, internal and noncommercial use and for consulting/advisory engagements, and must include full attribution of the material’s source. No other right or permission is granted with respect to this work.

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
E-mail: [email protected]
Web site: www.isaca.org
ISBN 978-1-60420-162-8
Cloud Computing Management Audit/Assurance Program

CRISC is a trademark/service mark of ISACA. The mark has been applied for or registered in countries throughout the world.
ISACA wishes to recognize:

Author
Norm Kelson, CISA, CGEIT, CPA, CPE Interactive Inc., USA
Expert Reviewers
Josep Bardallo, CISA, CISM, CGEIT, CISSP, ISO 27000 LA, PasswordBank, Spain
Chris Boswell, CISA, CISM, CGEIT, CISSP, CA Technologies, USA
Madhav Chablani, CISA, CISM, TippingPoint Consulting, India
Milthon J. Chavez, Ph.D., CISA, CISM, CGEIT, Resilience Organizational Center, Venezuela
Yves Dorleans, CISA, Charles River Laboratories, USA
Gbadamosi Folakemi Toyin, CGEIT, APDM, CGRC-IT, CICA, CIPM, Flooky-Tee Computers, Nigeria
Abdus Sami Khan, Sami Associates, Pakistan
Prashant A. Khopkar, CISA, CA, CPA, Grant Thornton LLP, USA
William C. Lisse Jr., CISA, CGEIT, CISSP, G7799, PMP, OCLC, Inc., USA
Lucio Augusto Molina Focazzio, CISA, CISM, ITIL V3, Colombia
K. K. Mookhey, CISA, CISM, CISSP, Network Intelligence India Pvt. Ltd., India
Megah Santio, Australian Taxation Office, Australia

ISACA Board of Directors
Emil D’Angelo, CISA, CISM, Bank of Tokyo-Mitsubishi UFJ Ltd., USA, International President
Christos K. Dimitriadis, Ph.D., CISA, CISM, INTRALOT S.A., Greece, Vice President
Ria Lucas, CISA, CGEIT, Telstra Corp. Ltd., Australia, Vice President
Hitoshi Ota, CISA, CISM, CGEIT, CIA, Mizuho Corporate Bank Ltd., Japan, Vice President
Jose Angel Pena Ibarra, CGEIT, Alintec S.A., Mexico, Vice President
Robert E. Stroud, CGEIT, CA Technologies, USA, Vice President
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Vice President
Rolf M. von Roessing, CISA, CISM, CGEIT, KPMG Germany, Germany, Vice President
Lynn C. Lawton, CISA, FBCS CITP, FCA, FIIA, KPMG Ltd., Russian Federation, Past International President
Everett C. Johnson Jr., CPA, Deloitte & Touche LLP (retired), USA, Past International President
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Director
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Director
Howard Nicholson, CISA, CGEIT, CRISC, City of Salisbury, Australia, Director
Jeff Spivey, CPP, PSP, Security Risk Management, USA, ITGI Trustee

Knowledge Board
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Chair
Michael Berardi Jr., CISA, CGEIT, Nestle USA, USA
John Ho Chi, CISA, CISM, CBCP, CFE, Ernst & Young LLP, Singapore
Jose Angel Pena Ibarra, CGEIT, Alintec S.A., Mexico
Jo Stewart-Rattray, CISA, CISM, CGEIT, CSEPS, RSM Bird Cameron, Australia
Jon Singleton, CISA, FCA, Auditor General of Manitoba (retired), Canada
Patrick Stachtchenko, CISA, CGEIT, CA, Stachtchenko & Associates SAS, France
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA

Guidance and Practices Committee
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Chair
Kamal N. Dave, CISA, CISM, CGEIT, Hewlett-Packard, USA
Urs Fischer, CISA, CRISC, CIA, CPA (Swiss), Switzerland
Ramses Gallego, CISM, CGEIT, CISSP, Entel IT Consulting, Spain
Phillip J. Lageschulte, CGEIT, CPA, KPMG LLP, USA
Ravi Muthukrishnan, CISA, CISM, FCA, ISCA, Capco IT Service India Pvt. Ltd., India
Anthony P. Noble, CISA, CCP, Viacom Inc., USA
Salomon Rico, CISA, CISM, CGEIT, Deloitte, Mexico
Frank Van Der Zwaag, CISA, Westpac New Zealand, New Zealand

ISACA and IT Governance Institute Affiliates and Sponsors
American Institute of Certified Public Accountants
ASIS International
The Center for Internet Security
Commonwealth Association for Corporate Governance Inc.
FIDA Inform
Information Security Forum
Information Systems Security Association
Institut de la Gouvernance des Systèmes d’Information
Institute of Management Accountants Inc.
ISACA chapters
ITGI Japan
Norwich University
Solvay Brussels School of Economics and Management
University of Antwerp Management School
Analytix Holdings Pty. Ltd.
BWise B.V.
Hewlett-Packard
IBM
Project Rx Inc.
SOAProjects Inc.
Symantec Corp.
TruArx Inc.
Table of Contents
I. Introduction ..... 5
II. Using This Document ..... 6
III. Controls Maturity Analysis ..... 8
IV. Assurance and Control Framework ..... 10
V. Executive Summary of Audit/Assurance Focus ..... 9
VI. Audit/Assurance Program ..... 13
  1. Planning and Scoping the Audit ..... 13
  2. Governing the Cloud ..... 15
  3. Operating in the Cloud ..... 28
VII. Maturity Assessment ..... 38
VIII. Assessment Maturity vs. Target Maturity ..... 44
I. Introduction

Overview
ISACA has developed the IT Assurance Framework (ITAF) as a comprehensive and good-practice-setting model. ITAF provides standards that are designed to be mandatory and that are the guiding principles under which the IT audit and assurance profession operates. The guidelines provide information and direction for the practice of IT audit and assurance. The tools and techniques provide methodologies, tools and templates to provide direction in the application of IT audit and assurance processes.
Purpose
The audit/assurance program is a tool and template to be used as a road map for the completion of a specific assurance process. ISACA has commissioned audit/assurance programs to be developed for use by IT audit and assurance practitioners. This audit/assurance program is intended to be utilized by IT audit and assurance professionals with the requisite knowledge of the subject matter under review, as described in ITAF section 2200—General Standards. The audit/assurance programs are part of ITAF section 4000—IT Assurance Tools and Techniques.
Control Framework
The audit/assurance programs have been developed in alignment with the ISACA COBIT framework—specifically COBIT 4.1—using generally applicable and accepted good practices. They reflect ITAF sections 3400—IT Management Processes, 3600—IT Audit and Assurance Processes, and 3800—IT Audit and Assurance Management. Many organizations have embraced several frameworks at an enterprise level, including the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Framework. The importance of the control framework has been enhanced due to regulatory requirements by the US Securities and Exchange Commission (SEC) as directed by the US Sarbanes-Oxley Act of 2002 and similar legislation in other countries. Enterprises seek to integrate control framework elements used by the general audit/assurance team into the IT audit and assurance framework. Since COSO is widely used, it has been selected for inclusion in this audit/assurance program. The reviewer may delete or rename these columns to align with the enterprise’s control framework.
Governance, Risk and Control of IT
Governance, risk and control of IT are critical in the performance of any assurance management process. Governance of the process under review will be evaluated as part of the policies and management oversight controls. Risk plays an important role in evaluating what to audit and how management approaches and manages risk. Both issues are evaluated as steps in the audit/assurance program. Controls are the primary evaluation point in the process. The audit/assurance program identifies the control objectives and the steps to determine control design and effectiveness.
Responsibilities of IT Audit and Assurance Professionals
IT audit and assurance professionals are expected to customize this document to the environment in which they are performing an assurance process. This document is to be used as a review tool and starting point. It may be modified by the IT audit and assurance professional; it is not intended to be a checklist or questionnaire. It is assumed that the IT audit and assurance professional has the necessary subject matter expertise required to conduct the work and is supervised by a professional with the Certified Information Systems Auditor (CISA) designation and/or necessary subject matter expertise to adequately review the work performed.
II. Using This Document

This audit/assurance program was developed to assist the audit and assurance professional in designing and executing a review. Details regarding the format and use of the document follow.
Work Program Steps
The first column of the program describes the steps to be performed. The numbering scheme used provides built-in work paper numbering for ease of cross-reference to the specific work paper for that section. The physical document was designed in Microsoft® Word. The IT audit and assurance professional is encouraged to make modifications to this document to reflect the specific environment under review.

Step 1 is part of the fact-gathering and prefieldwork preparation. Because the prefieldwork is essential to a successful and professional review, the steps have been itemized in this plan. The first-level steps, e.g., 1.1, are shown in bold type and provide the reviewer with a scope or high-level explanation of the purpose for the substeps.

Beginning in step 2, the steps associated with the work program are itemized. To simplify the use of the program, the audit/assurance program describes the audit/assurance objective—the reason for performing the steps in the topic area; the specific controls follow. Each review step is listed below the control. These steps may include assessing the control design by walking through a process, interviewing, observing or otherwise verifying the process and the controls that address that process. In many cases, once the control design has been verified, specific tests need to be performed to provide assurance that the process associated with the control is being followed.

The maturity assessment, which is described in more detail later in this document, makes up the last section of the program.
The audit/assurance plan wrap-up—those processes associated with the completion and review of work papers, preparation of issues and recommendations, report writing, and report clearing—has been excluded from this document because it is standard for the audit/assurance function and should be identified elsewhere in the enterprise’s standards.
COBIT Cross-reference
The COBIT cross-reference provides the audit and assurance professional with the ability to refer to the specific COBIT control objective that supports the audit/assurance step. The COBIT control objective should be identified for each audit/assurance step in the section. Multiple cross-references are not uncommon. Processes at lower levels in the work program are too granular to be cross-referenced to COBIT. The audit/assurance program is organized in a manner to facilitate an evaluation through a structure parallel to the development process. COBIT provides in-depth control objectives and suggested control practices at each level. As professionals review each control, they should refer to COBIT® 4.1 or the IT Assurance Guide: Using COBIT® for good-practice control guidance.
COSO Components
As noted in the introduction, COSO and similar frameworks have become increasingly popular among audit/assurance professionals. This ties the assurance work to the enterprise’s control framework. While the IT audit and assurance function uses COBIT as a framework, operational audit and assurance professionals use the framework established by the enterprise. Since COSO is the most prevalent internal control framework, it has been included in this document and is a bridge to align IT audit and assurance with the rest of the audit/assurance function. Many audit/assurance organizations include the COSO control components within their reports and summarize assurance activities to the audit committee of the board of directors. For each control, the audit and assurance professional should indicate the COSO component(s) addressed. It is possible, but generally not necessary, to extend this analysis to the specific audit step level.

The original COSO internal control framework contained five components. In 2004, COSO was revised as the Enterprise Risk Management (ERM) Integrated Framework and extended to eight components. The primary difference between the two frameworks is the additional focus on ERM and integration into the business decision model. ERM is in the process of being adopted by large enterprises. The two frameworks are compared in figure 1.
Figure 1—Comparison of COSO Internal Control and ERM Integrated Frameworks

Internal Control Framework (five components):

Control Environment: The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values, management’s operating style, delegation of authority systems, as well as the processes for managing and developing people in the organization.

Risk Assessment: Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, and, thus, risk assessment is the identification and analysis of relevant risks to achievement of assigned objectives. Risk assessment is a prerequisite for determining how the risks should be managed.

Control Activities: Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.

Information and Communication: Information systems play a key role in internal control systems as they produce reports, including operational, financial and compliance-related information that make it possible to run and control the business. In a broader sense, effective communication must ensure information flows down, across and up the organization. Effective communication should also be ensured with external parties, such as customers, suppliers, regulators and shareholders.

Monitoring: Internal control systems need to be monitored—a process that assesses the quality of the system’s performance over time. This is accomplished through ongoing monitoring activities or separate evaluations. Internal control deficiencies detected through these monitoring activities should be reported upstream and corrective actions should be taken to ensure continuous improvement of the system.

ERM Integrated Framework (eight components):

Internal Environment: The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity’s people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.

Objective Setting: Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.

Event Identification: Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management’s strategy or objective-setting processes.

Risk Assessment: Risks are analyzed, considering the likelihood and impact, as a basis for determining how they could be managed. Risk areas are assessed on an inherent and residual basis.

Risk Response: Management selects risk responses—avoiding, accepting, reducing or sharing risk—developing a set of actions to align risks with the entity’s risk tolerances and risk appetite.

Control Activities: Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.

Information and Communication: Relevant information is identified, captured and communicated in a form and time frame that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across and up the entity.

Monitoring: The entirety of enterprise risk management is monitored and modifications are made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations or both.

Information for figure 1 was obtained from the COSO web site, www.coso.org/aboutus.htm.
The original COSO internal control framework addresses the needs of the IT audit and assurance professional: control environment, risk assessment, control activities, information and communication, and monitoring. As such, ISACA has elected to utilize the five-component model for these audit/ assurance programs. As more enterprises implement the ERM model, the additional three columns can be added, if relevant. When completing the COSO component columns, consider the definitions of the components as described in figure 1.
Reference/Hyperlink
Good practices require the audit and assurance professional to create a work paper that describes the work performed, issues identified and conclusions for each line item. The reference/hyperlink is to be used to cross-reference the audit/assurance step to the work paper that supports it. The numbering system of this document provides a ready numbering scheme for the work papers. If desired, a link to the work paper can be pasted into this column.
Issue Cross-reference
This column can be used to flag a finding/issue that the IT audit and assurance professional wants to further investigate or establish as a potential finding. The potential findings should be documented in a work paper that indicates the disposition of the findings (formally reported, reported as a memo or verbal finding, or waived).
Comments
The comments column can be used to indicate the waiving of a step or other notations. It is not to be used in place of a work paper that describes the work performed.
III. Controls Maturity Analysis

One of the consistent requests of stakeholders who have undergone IT audit/assurance reviews is a desire to understand how their performance compares to good practices. Audit and assurance professionals must provide an objective basis for the review conclusions. Maturity modeling for management and control over IT processes is based on a method of evaluating the enterprise so that it can be rated from a maturity level of nonexistent (0) to optimized (5). This approach is derived from the maturity model that the Software Engineering Institute (SEI) of Carnegie Mellon University defined for the maturity of software development.

IT Assurance Guide Using COBIT Appendix VII—Maturity Model for Internal Control, shown in figure 2, provides a generic maturity model that shows the status of the internal control environment and the establishment of internal controls in an enterprise. It shows how the management of internal control, and an awareness of the need to establish better internal controls, typically develops from an ad hoc to an optimized level. The model provides a high-level guide to help COBIT users appreciate what is required for effective internal controls in IT and to help position their enterprise on the maturity scale.
Figure 2—Maturity Model for Internal Control

Maturity Level 0 (Non-existent)
Status of the Internal Control Environment: There is no recognition of the need for internal control. Control is not part of the organization’s culture or mission. There is a high risk of control deficiencies and incidents.
Establishment of Internal Controls: There is no intent to assess the need for internal control. Incidents are dealt with as they arise.

Maturity Level 1 (Initial/ad hoc)
Status of the Internal Control Environment: There is some recognition of the need for internal control. The approach to risk and control requirements is ad hoc and disorganized, without communication or monitoring. Deficiencies are not identified. Employees are not aware of their responsibilities.
Establishment of Internal Controls: There is no awareness of the need for assessment of what is needed in terms of IT controls. When performed, it is only on an ad hoc basis, at a high level and in reaction to significant incidents. Assessment addresses only the actual incident.

Maturity Level 2 (Repeatable but Intuitive)
Status of the Internal Control Environment: Controls are in place but are not documented. Their operation is dependent on the knowledge and motivation of individuals. Effectiveness is not adequately evaluated. Many control weaknesses exist and are not adequately addressed; the impact can be severe. Management actions to resolve control issues are not prioritized or consistent. Employees may not be aware of their responsibilities.
Establishment of Internal Controls: Assessment of control needs occurs only when needed for selected IT processes to determine the current level of control maturity, the target level that should be reached and the gaps that exist. An informal workshop approach, involving IT managers and the team involved in the process, is used to define an adequate approach to controls for the process and to motivate an agreed-upon action plan.

Maturity Level 3 (Defined)
Status of the Internal Control Environment: Controls are in place and adequately documented. Operating effectiveness is evaluated on a periodic basis and there is an average number of issues. However, the evaluation process is not documented. While management is able to deal predictably with most control issues, some control weaknesses persist and impacts could still be severe. Employees are aware of their responsibilities for control.
Establishment of Internal Controls: Critical IT processes are identified based on value and risk drivers. A detailed analysis is performed to identify control requirements and the root cause of gaps and to develop improvement opportunities. In addition to facilitated workshops, tools are used and interviews are performed to support the analysis and ensure that an IT process owner owns and drives the assessment and improvement process.

Maturity Level 4 (Managed and Measurable)
Status of the Internal Control Environment: There is an effective internal control and risk management environment. A formal, documented evaluation of controls occurs frequently. Many controls are automated and regularly reviewed. Management is likely to detect most control issues, but not all issues are routinely identified. There is consistent follow-up to address identified control weaknesses. A limited, tactical use of technology is applied to automate controls.
Establishment of Internal Controls: IT process criticality is regularly defined with full support and agreement from the relevant business process owners. Assessment of control requirements is based on policy and the actual maturity of these processes, following a thorough and measured analysis involving key stakeholders. Accountability for these assessments is clear and enforced. Improvement strategies are supported by business cases. Performance in achieving the desired outcomes is consistently monitored. External control reviews are organized occasionally.

Maturity Level 5 (Optimized)
Status of the Internal Control Environment: An enterprise-wide risk and control program provides continuous and effective control and risk issues resolution. Internal control and risk management are integrated with enterprise practices, supported with automated real-time monitoring with full accountability for control monitoring, risk management and compliance enforcement. Control evaluation is continuous, based on self-assessments and gap and root cause analyses. Employees are proactively involved in control improvements.
Establishment of Internal Controls: Business changes consider the criticality of IT processes and cover any need to reassess process control capability. IT process owners regularly perform self-assessments to confirm that controls are at the right level of maturity to meet business needs and they consider maturity attributes to find ways to make controls more efficient and effective. The organization benchmarks to external best practices and seeks external advice on internal control effectiveness. For critical processes, independent reviews take place to provide assurance that the controls are at the desired level of maturity and working as planned.
The maturity model evaluation is one of the final steps in the evaluation process. The IT audit and assurance professional can address the key controls within the scope of the work program and formulate an objective assessment of the maturity levels of the control practices. The maturity assessment can be a part of the audit/assurance report and can be used as a metric from year to year to document progression in the enhancement of controls. However, it must be noted that the perception of the maturity level may vary between the process/IT asset owner and the auditor. Therefore, an auditor should obtain the concerned stakeholder’s concurrence before submitting the final report to management.
At the conclusion of the review, once all findings and recommendations are completed, the professional assesses the current state of the COBIT control framework and assigns it a maturity level using the six-level scale. Some practitioners utilize decimals (x.25, x.5, x.75) to indicate gradations in the maturity model. As a further reference, COBIT provides a definition of the maturity designations by control objective. While this approach is not mandatory, the process is provided as a separate section at the end of the audit/assurance program for those enterprises that wish to implement it. It is suggested that a maturity assessment be made at the COBIT control level. To provide further value to the client/customer, the professional can also obtain maturity targets from the client/customer. Using the assessed and target maturity levels, the professional can create an effective graphic presentation that describes the achievement or gaps between the actual and targeted maturity goals. A graphic is provided as the last page of the document (section VIII), based on sample assessments.
© 2010 ISACA. All rights reserved. Page 8
Cloud Computing Management Audit/Assurance Program
IV. Assurance and Control Framework
ISACA IT Assurance Framework and Standards
ITAF section 3630.6—Outsourced and Third-Party Activities is of primary relevance to the audit and assurance of information security management. However, outsourcing, especially in a cloud environment (described later), is pervasive throughout the IT organization and its functional responsibility. Therefore, the subsections contained in ITAF section 3630—General IT Controls have varying levels of relevance, depending on the cloud computing design.
ISACA Controls Framework
COBIT is a framework for the governance of IT and is a supporting tool set that allows managers to bridge the gap among control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout enterprises. Utilizing COBIT as the control framework from which IT audit and assurance activities are based aligns IT audit and assurance with good practices as developed by the enterprise.
Cloud computing affects the entire IT and business unit functions. The following COBIT IT processes are the primary control frameworks and address good practices for managing third-party relationships:
• Plan and Organise (PO) domain: PO9 Assess and manage IT risks
• Deliver and Support (DS) domain: DS1 Define and manage service levels, DS2 Manage third-party services, DS4 Ensure continuous service, DS5 Ensure systems security, DS8 Manage service desk and incidents, DS9 Manage the configuration, DS11 Manage data
• Monitor and Evaluate (ME) domain: ME2 Monitor and evaluate internal control, ME3 Ensure compliance with external requirements
Secondary COBIT processes are cross-referenced within the audit/assurance program. Cloud computing has touch points with the entire IT infrastructure. Cloud Computing Management Audit/Assurance Program cross-references numerous COBIT domains and processes. These sections appear in the COBIT cross-reference column of the audit/assurance program. Refer to ISACA publication COBIT® Control Practices: Guidance to Achieve Control Objectives for Successful IT Governance, 2nd Edition, published in 2007, for the related control practice value and risk drivers.
V. Executive Summary of Audit/Assurance Focus
Cloud Computing Management
The National Institute of Standards and Technology (NIST) and the Cloud Security Alliance define cloud computing as a “model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, services) that can be provisioned and released with minimal management effort or service provider interactions.” [1] In other words, IT services are delivered using a utility model. Cloud computing uses three basic service models:
• Infrastructure as a Service (IaaS)—Capability to provision processing, storage, networks and other fundamental computing resources that offer the customer the ability to deploy and run arbitrary software, which can include operating systems and applications. IaaS puts these IT operations into the hands of a third party. The primary difference between this approach and traditional outsourcing is that with cloud computing, access to the infrastructure is through public or private networks and the assignment of and payment for resources is based on usage.
• Platform as a Service (PaaS)—Capability to deploy onto the cloud infrastructure customer-created or acquired applications created using programming languages and tools supported by the provider
• Software as a Service (SaaS)—Capability to use the provider’s applications that run on the cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based e-mail).
Cloud computing utilizes the following deployment models:
• Private cloud:
− Operated solely for an organization
− May be managed by the organization or a third party
− May exist on or off premise
• Community cloud:
− Shared by several organizations
− Supports a specific community that has a shared mission or interest
− May be managed by the organizations or a third party
− May reside on or off premise
• Public cloud:
− Made available to the general public or a large industry group
− Owned by an organization that sells cloud services
• Hybrid cloud:
− Composed of two or more clouds (private, community or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds)
The key benefits to the customer include:
• Cost containment
• Immediate provisioning (setting up) of resources
• Server load balancing to maximize availability
• Ability to dynamically adjust resources according to demand with little notice
• Ability of the customer to focus on core competencies instead of devoting resources to IT operations
• Mirrored solutions to minimize the risk of downtime
[1] ISACA, Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives, USA, 2009
Business Impact and Risk
Applications processed in the cloud have similar implications for the business as traditional outsourcing. These include:
• Loss of business focus
• Solution failing to meet business and/or user requirements; not performing as expected; or not integrating with strategic IT plan, information architecture and technology direction
• Incorrect solution selected or significant missing requirements
• Contractual discrepancies and gaps between business expectations and service provider capabilities
• Control gaps between processes performed by the service provider and the organization
• Compromised system security and confidentiality
• Invalid transactions or transactions processed incorrectly
• Costly compensating controls
• Reduced system availability and questionable integrity of information
• Poor software quality, inadequate testing and high number of failures
• Failure to respond to relationship issues with optimal and approved decisions
• Insufficient allocation of resources
• Unclear responsibilities and accountabilities
• Inaccurate billings
• Litigation, mediation or termination of the agreement, resulting in added costs and/or business disruption and/or total loss of the organization
• Inability to satisfy audit/assurance charter and requirements of regulators or external auditors
• Reputation
• Fraud
Cloud computing has additional risks:
• Greater dependency on third parties:
– Increased vulnerabilities in external interfaces
– Increased risks in aggregated data centers
– Immaturity of the service providers with the potential for service provider going concern issues
– Increased reliance on independent assurance processes
• Increased complexity of compliance with laws and regulations:
– Greater magnitude of privacy risks
– Transborder flow of personally identifiable information
– Affecting contractual compliance
• Reliance on the Internet as the primary conduit to the organization’s data introduces:
– Security issues with a public environment
– Availability issues of Internet connectivity
• Due to the dynamic nature of cloud computing:
– The location of the processing facility may change according to load balancing
– The processing facility may be located across international boundaries
– Operating facilities may be shared with competitors
– Legal issues (liability, ownership, etc.) relating to differing laws in hosting countries may put data at risk
Objective and Scope
Objective—The cloud computing audit/assurance review will:
• Provide stakeholders with an assessment of the effectiveness of the cloud computing service provider’s internal controls and security.
• Identify internal control deficiencies within the customer organization and its interface with the service provider.
• Provide audit stakeholders with an assessment of the quality of and their ability to rely on the service provider’s attestations regarding internal controls.
The cloud computing audit/assurance review is not designed to replace or focus on audits that provide assurance of specific application processes and excludes assurance of an application’s functionality and suitability.
Scope—The review will focus on:
• The governance affecting cloud computing
• The contractual compliance between the service provider and customer
• Control issues specific to cloud computing
Since the areas under review rely heavily on the effectiveness of core IT general controls, it is recommended that audit/assurance reviews of the following areas be performed prior to the execution of the cloud computing review, so that appropriate reliance can be placed on these assessments:
• Identity management (if the organization’s identity management system is integrated with the cloud computing system)
• Security incident management (to interface with and manage cloud computing incidents)
• Network perimeter security (as an access point to the Internet)
• Systems development (in which the cloud is part of the application infrastructure)
• Project management
• IT risk management
• Data management (for data transmitted and stored on cloud systems)
• Vulnerability management
Minimum Audit Skills
Cloud computing incorporates many IT processes. Since the focus is on information governance, IT management, network, data, contingency and encryption controls, the audit and assurance professional should have the requisite knowledge of these issues. In addition, proficiency in risk assessment, information security components of IT architecture, risk management, and the threats and vulnerabilities of cloud computing and Internet-based data processing is required. Therefore, it is recommended that the audit and assurance professional conducting the assessment have the requisite experience and organizational relationships to effectively execute the assurance processes. Because cloud computing is dependent on web services, the auditor should have at least a basic understanding of Organization for the Advancement of Structured Information Standards (OASIS) Web Services Security (WS-Security or WSS) Standards (www.oasis-open.org).
VI. Audit/Assurance Program
1. PLANNING AND SCOPING THE AUDIT
1.1 Define the audit/assurance objectives.
The audit/assurance objectives are high level and describe the overall audit goals.
1.1.1 Review the audit/assurance objectives in the introduction to this audit/assurance program.
1.1.2 Modify the audit/assurance objectives to align with the audit/assurance universe, annual plan and charter.
1.2 Define the boundaries of review.
The review must have a defined scope. Understand the core business process and its alignment with IT, in its noncloud form and current or future cloud implementation.
1.2.1 Obtain a description of all cloud computing environments in use and under consideration.
1.2.2 Obtain a description of all cloud computing applications in use and under consideration.
1.2.3 Identify the types of cloud services (IaaS, PaaS, SaaS) in use and under consideration, and determine the services and business solutions to be included in the review.
1.2.4 Obtain and review any previous audit reports with remediation plans. Identify open issues, and assess updates to the documents with respect to these issues.
1.3 Identify and document risks.
The risk assessment is necessary to evaluate where audit resources should be focused. In most enterprises, audit resources are not available for all processes. The risk-based approach assures utilization of audit resources in the most effective manner.
1.3.1 Identify the business risk associated with cloud computing of concern to business owners and key stakeholders.
1.3.2 Verify that the business risks are aligned, rated or classified with cloud computing security criteria such as confidentiality, integrity and availability.
1.3.3 Review previous audits of cloud computing.
1.3.4 Determine if the risks identified previously have been appropriately addressed.
1.3.5 Evaluate the overall risk factor for performing the review.
1.3.6 Based on the risk assessment, identify changes to the scope.
1.3.7 Discuss the risks with IT management, and adjust the risk assessment.
Table columns: Audit/Assurance Program Step | COBIT Cross-reference | COSO: Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring | Reference Hyperlink | Issue Cross-reference | Comments
1.3.8 Based on the risk assessment, revise the scope.
1.4 Define the change process.
The initial audit approach is based on the reviewer’s understanding of the operating environment and associated risks. As further research and analysis are performed, changes to the scope and approach may result.
1.4.1 Identify the senior IT assurance resource responsible for the review.
1.4.2 Establish the process for suggesting and implementing changes to the audit/assurance program and the authorizations required.
1.5 Define assignment success.
The success factors need to be identified. Communication among the IT audit/assurance team, other assurance teams and the enterprise is essential.
1.5.1 Identify the drivers for a successful review (this should exist in the assurance function’s standards and procedures).
1.5.2 Communicate success attributes to the process owner or stakeholder, and obtain agreement.
1.6 Define the audit/assurance resources required.
The audit/assurance resources required for a successful review need to be defined. (Refer to the Minimum Audit Skills section in section V.)
1.6.1 Determine the audit/assurance skills necessary for the review.
1.6.2 Estimate the total audit/assurance resources (hours) and time frame (start and end dates) required for the review.
1.7 Define deliverables.
The deliverable is not limited to the final report. Communication between the audit/assurance teams and the process owner about the number, format, timing and nature of deliverables is essential to assignment success.
1.7.1 Determine the interim deliverables, including initial findings, status reports, draft reports, due dates for responses or meetings, and the final report.
1.8 Communications
The audit/assurance process must be clearly communicated to the customer/client.
1.8.1 Conduct an opening conference to discuss:
• Review objectives with the stakeholders
• Documents and information security resources required to effectively perform the review
• Timelines and deliverables
2. GOVERNING THE CLOUD
2.1 Governance and Enterprise Risk Management (ERM)
2.1.1 Governance
Audit/Assurance Objective: Governance functions are established to ensure effective and sustainable management processes that result in transparency of business decisions, clear lines of responsibility, information security in alignment with regulatory and customer organization standards, and accountability.
2.1.1.1 Governance Model
Control: The organization has mechanisms in place to identify all providers and brokers of cloud services with which it currently does business and all cloud deployments that exist across the enterprise. The organization ensures that customer, IT information security and business units actively participate in the governance and policy activities to align business objectives and information security capabilities of the service provider with those of the organization.
2.1.1.1.1 Determine if the IT, information security and key business functions have defined an integrated governance framework and monitoring processes.
2.1.1.1.2 Determine if the IT and information security functions and key business units are actively involved in the establishment of SLAs and contractual obligations.
2.1.1.1.3 Determine if the information security function has performed a gap analysis of the service provider’s information security capabilities against the organization’s information security policies and the threats, vulnerabilities and IT risks emanating from the transition to cloud computing.
2.1.1.1.4 Determine if the cloud provider has identified control objectives for the provided services.
2.1.1.1.5 Determine if the organization maintains an inventory of all services provided via the cloud.
2.1.1.1.6 Determine that the business cannot procure cloud services without the involvement of information technology and information security.
2.1.1.2 Information Security Collaboration
Control: Both parties define the reporting relationship and responsibilities.
COBIT cross-reference: DS5.1 ME1.5 ME4.1 ME4.2
COBIT cross-reference: PO4.5 PO4.6
COBIT cross-reference: PO4.14 DS2.2 ME2.1
2.1.1.2.1 Determine if the responsibilities for governance are documented and approved by the service provider and customer.
2.1.1.2.2 Determine if reporting relationships between the service provider and customer are clearly defined, identifying the responsibilities of both organizations’ governance processes.
2.1.1.3 Metrics and SLAs
Control: SLAs that support the business requirements are defined, accepted by the service provider and monitored.
COBIT cross-reference: PO4.8 DS1.2 DS1.3 DS1.5 DS1.6 DS2.4
COBIT cross-reference: PO9.3 PO9.5 ME4.2 ME4.5
2.1.1.3.1 Obtain the SLAs; determine if the SLAs reflect the business requirements.
2.1.1.3.2 Determine that the SLAs can be monitored using measurable metrics and that the metrics provide appropriate oversight and early warning of unacceptable performance.
2.1.1.3.3 Determine if the SLA contains clauses that ensure services in case of vendor acquisition or changes in management.
2.1.2 Enterprise Risk Management
Audit/Assurance Objective: Risk management practices are implemented to evaluate inherent risks within the cloud computing model, identify appropriate control mechanisms, and ensure that residual risk is within acceptable levels.
2.1.2.1 Identification of Risks
Control: The risk management process provides a thorough assessment of the risks to the business by implementing the cloud processing model and is aligned to ERM if applicable.
2.1.2.1.1 Determine if the organization has an ERM model.
2.1.2.1.2 If an ERM model has been implemented, determine if the cloud computing risk assessment is in alignment with the enterprise ERM.
2.1.2.1.3 Determine if the services provided by the service provider and the processing model selected will limit the availability or execution of required information security activities, such as:
• Restrictions on vulnerability assessments and penetration testing
• Availability of audit logs
• Access to activity monitoring reports
• Segregation of duties
2.1.2.1.4 Determine if the risk management approach includes the following:
• Identification and valuation of assets and services
• Identification and analysis of threats and vulnerabilities with their potential impact on assets
• Analysis of the likelihood of events using a scenario approach
• Documented management approval of risk acceptance levels and criteria
• Risk action plans (control, avoid, transfer, accept)
2.1.2.1.5 Determine if, during the risk assessment, the identified assets include both service-provider- and customer-owned assets and if the information security classifications used in the risk assessments are aligned.
2.1.2.1.6 Determine if the risk assessment includes the service model and the service provider’s capabilities and financial condition.
2.1.2.2 Integration of Risks and SLAs
Control: SLAs are aligned and developed in conjunction with the results of the risk assessment.
COBIT cross-reference: PO9.3 PO9.4 DS1.1 DS1.2 DS1.3 DS1.4 DS1.5 DS2.3 DS2.4 DS2.5
2.1.2.2.1 Determine if the results of the risk action plans are incorporated into the SLAs.
2.1.2.2.2 Determine if a joint service provider/customer risk assessment was conducted to verify if all reasonable risks have been identified and if risk remediation alternatives were identified and documented.
COBIT cross-reference: PO9.1 PO9.2 PO9.3 PO9.4 DS5.1 ME4.5
COBIT cross-reference: PO9.3 PO9.4 PO9.5 PO9.6
2.1.2.2.3 Where the risk assessment of the service provider has identified risk management that is either ineffective or not comprehensive, determine if the organization has performed an analysis of their compensating controls and if such controls will address the service provider’s control shortcomings.
2.1.2.3 Acceptance of Risk
Control: Risk acceptance is approved by a member of management with the authority to accept the risk on behalf of the organization and who understands the implications of the decision.
2.1.2.3.1 Determine if management has performed an analysis of their quantification and acceptance of residual risk prior to implementing a cloud solution.
2.1.2.3.2 Determine if the individual accepting such risk has the authority to make this decision.
2.1.3 Information Risk Management
Audit/Assurance Objective: A process to manage information risk exists and is integrated into the organization’s overall ERM framework. Information risk management information and metrics are available for the information security function to manage risks within the risk tolerance of the data owner.
2.1.3.1 Risk Management Framework and Maturity Model
Control: A risk management framework and a maturity model have been implemented to quantify risk and assess the effectiveness of the risk model.
2.1.3.1.1 Determine if a risk framework has been identified and approved.
2.1.3.1.2 Determine if a maturity model is used to assess the effectiveness.
2.1.3.1.3 Review the maturity model results, and determine if the lack of maturity materially affects the audit objectives.
2.1.3.2 Risk Management Controls
Control: Risk management controls are in effect to manage risk-based decisions.
COBIT cross-reference: PO9.3 PO9.4 PO9.5 ME4.5
2.1.3.2.1 Identify the technology controls and contractual requirements necessary to make fact-based information risk decisions. Consider:
• Information usage
• Access controls
• Security controls
• Location management
• Privacy controls
2.1.3.2.2 For SaaS, determine that the organization has identified the analytical information required from the service provider to support contractual obligations relating to performance, security and attainment of SLAs.
2.1.3.2.3 Obtain the analytical data requirements, and determine if the organization routinely monitors and evaluates the attainment of SLAs.
2.1.3.2.4 For PaaS, determine that the organization has identified the information available and the control practices necessary to manage the application and development processes effectively that address availability, confidentiality, data ownership, concerns around e-discovery, privacy and legal issues.
2.1.3.2.5 Determine if the organization has established monitoring practices to identify risk issues.
2.1.3.2.6 For IaaS, determine that the organization has identified and monitors the control and security processes necessary to provide a secure operating environment.
2.1.3.2.7 Determine if the service provider makes available metrics and controls to assist customers in implementing their information risk management requirements.
2.1.4 Third-party Management
Audit/Assurance Objective: The customer recognizes the outsourced relationship with the service provider. The customer understands its responsibilities for controls, and the service provider has provided assurances of sustainability of those controls.
2.1.4.1 Service Provider Procedures
Control: The service provider makes available to customers independent third-party assessments, using generally accepted audit procedures, to describe the control practices in place at the service provider’s operating locations.
COBIT cross-reference: DS2.2 ME2.5 ME2.6
2.1.4.1.1 Determine if the service provider routinely has independent third-party assessments performed and issued.
2.1.4.1.2 Determine if the scope of the third-party assessment includes descriptions of the following service provider processes:
• Incident management
• Business continuity and disaster recovery
• Backup and co-location facilities
2.1.4.1.3 Determine if the service provider routinely performs internal assessments of conformance to its own policies, procedures and availability of control metrics.
2.1.4.2 Service Provider Responsibilities
Control: The service provider has established processes to align its operations with the requirements of the customer.
COBIT cross-reference: DS2.2 ME2.5 ME2.6
2.1.4.2.1 Determine if the service provider’s information security governance, risk management and compliance processes are routinely assessed and include:
• Risk assessments and reviews of facilities and services for control weaknesses
• Definition of critical service and information security success factors and key performance indicators
• Frequency of assessments
• Mitigation procedures to ensure timely completion of identified issues
• Review of legal, regulatory, industry and contractual requirements for comprehensiveness
• Cloud service provider’s oversight of risks from its own critical vendors
• Terms of use due diligence to identify roles, responsibilities and accountability of the service provider
• Legal review for local contract provisions, enforceability and laws pertaining to jurisdictional issues that are the responsibility of their service provider
2.1.4.3 Customer Responsibilities
Control: The customer performs due diligence processes to ensure sustainability and compliance with regulatory requirements.
COBIT cross-reference: DS4.2 DS4.4 DS4.5 ME2.6 ME3.1 ME3.3 ME3.4
2.1.4.3.1 Determine if the customer has performed due diligence with respect to the service provider’s information security governance, risk management and compliance processes as described under 2.1.4.2 Service Provider Responsibilities.
2.1.4.3.2 Determine if the customer has prepared for the loss of service provider services, including:
• A business continuity and disaster recovery plan for various processing interruption scenarios
• Tests of the business continuity and disaster recovery plan
• Inclusion of the business users and their business impact analysis in the continuity plan
2.2 Legal and Electronic Discovery
2.2.1 Contractual Obligations
Audit/Assurance Objective: The service provider and customer establish bilateral agreements and procedures to ensure contractual obligations are satisfied, and these obligations address the compliance requirements of both the customer and service provider.
2.2.1.1 Contract Terms
Control: A contract team representing the customer’s legal, financial, information security and business units has identified and included required contractual issues in the contract from the customer’s perspective, and the service provider’s legal team has provided contractual assurance to the satisfaction of the customer.
COBIT cross-reference: DS1.6 DS2.2 DS2.4 ME2.5 ME2.6 ME3.1
2.2.1.1.1 Determine if the contractual agreement defines both parties’ responsibilities related to discovery searches, litigation holds, preservation of evidence and expert testimony.
2.2.1.1.2 Determine that the service provider contract requires assurance to the customer that their data are preserved as recorded, including the primary data and secondary information ( metadata and logs). 2.2.1.1.3 Determine that service providers understand their contractual obligations to provide guardianship of the customer's data. Review contracts to determine this is specifically addressed. 2.2.1.1.4 Determine that the customer’s duty of care includes full scope of contract monitoring, including: • Precontract due diligence • Contract term negotiation • Transfer of data custodianship • Contract termination or renegotiation • Transition from processing 2.2.1.1.5 Determine that the contract stipulates and both parties understand their obligations for both expected and unexpected termination of the relationship during and after negotiations and that the contract and/or precontract agreement provides for the orderly and timely return or secure disposal of assets. 2.2.1.1.6 Determine that the contractual obligations specifically identify suspected data breach responsibilities of both parties and cooperative processes to be implemented during the investigation and any follow-up actions. 2.2.1.1.7 Determine that the agreement provides for the customer to have access to the service provider’s performance and tests for vulnerabilities on a regular basis. 2.2.1.1.8 Determine that the contract establishes rights and obligations for both parties during transition at the conclusion of the relationship and after the contract terminates. 2.2.1.1.9 Determine if the contract establishes the following data protection processes: • Full disclosure of the service provider’s internal security practices and procedures • Data retention policies in conformance with local jurisdiction requirements © 2010 ISACA. All rights reserved. Page 22
Monitoring
Information and Communication
Control Activities
Crossreference
Control Environment
COBIT Audit/Assurance Program Step
Risk Assessment
COSO Reference Issue HyperCross- Comments link reference
• •
Reporting on geographical location of customer data Circumstances in which data can be seized and notification of any such events • Notification of subpoena or discovery concerning any customer data or processes • Penalties for data breaches • Protection against data contamination between customers (compartmentalization) 2.2.1.1.10 Encryption requirements for data in transit, at rest and for backup are clearly identified in the cloud contractual agreement. 2.2.1.2 Implementation of Contractual Requirements Control: The customer has implemented appropriate monitoring controls to ensure contractual obligations are satisfied. 2.2.1.2.1 Determine that the customer has considered and established controls within the contractual obligations to ensure retention of data and intellectual property ownership and the privacy of personal data contained within its data. 2.2.1.2.2 Determine that the customer has developed appropriate issue monitoring processes to oversee the service provider’s performance of contract requirements. 2.2.1.2.3 Determine that the customer has established internal issue monitoring to identify customer contractual compliance deficiencies. 2.2.2 Legal Compliance Audit/Assurance Objective: Legal issues relating to functional, jurisdictional and contractual requirements are addressed to protect both parties, and these issues are documented, approved and monitored. 2.2.2.1 Legal Compliance Control: Legal compliance to local and cross-border laws are defined as a component of the contract. 2.2.2.1.1 Determine if cross-border and local laws are defined and considered in the contract.
DS1.5 DS1.6 DS2.4 ME2.5 ME2.6
DS1.6 ME3.1
© 2010 ISACA. All rights reserved. Page 23
x
X
2.2.2.1.2 Determine if the service provider and customer have an agreed-upon unified process for responding to subpoenas, service of process and other legal requests.

2.3 Compliance and Audit
2.3.1 Right to Audit
Audit/Assurance Objective: The right to audit is clearly defined and satisfies the assurance requirements of the customer’s board of directors, audit charter, external auditors and any regulators having jurisdiction over the customer.
2.3.1.1 Audit Rights per Contract
Control: The audit rights, as agreed in the contract, permit the customer to conduct professional control assessments.
COBIT cross-reference: ME2.5 ME2.6 ME3.1 ME3.3 ME3.4
2.3.1.1.1 Review the audit rights in the contract, and determine if audit activities can be restricted or curtailed by the service provider.
2.3.1.1.2 If audit rights issues are identified, prepare an appropriate summary of the findings and escalate to service provider relationship management. If necessary and appropriate, escalate to the audit committee.
2.3.1.2 Third-party Reviews
Control: The service provider submits third-party reviews that satisfy the professional requirement of being performed by a recognized independent audit organization. The report describes the controls in place at the service provider, certifies that the controls have been tested over a previously agreed-upon test period using recognized selection criteria, and provides a description of recommended customer and service provider responsibilities and controls.
2.3.1.2.1 Obtain the third-party report.
2.3.1.2.2 Determine that the report addresses the control environment utilized by the customer.
2.3.1.2.3 Determine that the descriptions and processes are relevant to the service provider’s customers.
2.3.1.2.4 Determine that the report has described the key controls necessary for the reviewer to assess compliance with appropriate control objectives.
2.3.1.2.5 Determine that the report and testing will satisfy the customer’s assurance charter and the compliance requirements of all regulators having jurisdiction over the customer.
2.3.1.2.6 Using the approved customer audit universe, compare the scope of the audit universe to the scope of the third-party report; identify gaps in the latter requiring additional assurance coverage.
2.3.1.2.7 Determine if the service provider relationship crosses international boundaries and if this affects the ability to rely upon the third-party report.

2.3.2 Auditability
Audit/Assurance Objective: The service provider’s operating environment should be subject to audit to satisfy the customer’s audit charter, compliance requirements and good practice controls without restriction.
2.3.2.1 Customer Assurance Reviews of Service Provider Processes
Control: The customer performs appropriate reviews to supplement and/or replace third-party reviews as required by its audit universe and audit charter.
COBIT cross-reference: DS2.3 DS2.4 ME2.1 ME2.5 ME2.6 ME3.1 ME3.3 ME3.4
2.3.2.1.1 Determine if supplementary assurance assessments (if a third-party review has been provided) or primary assurance assessments are required.
2.3.2.1.2 Generate appropriate requests to the service provider, and schedule reviews. Note: Utilize appropriate audit/assurance programs for these reviews.

2.3.3 Compliance Scope
Audit/Assurance Objective: The use of cloud computing does not invalidate or violate any customer compliance agreement.
2.3.3.1 Feasibility of Data Security Compliance
Control: Data regulations are identified by compliance topic and are mapped to the regulator’s requirements. Gaps are evaluated to determine if the cloud computing platform will invalidate or breach compliance requirements.
COBIT cross-reference: ME3.1 ME3.2 ME3.3
2.3.3.1.1 Determine if the customer has identified the legal and regulatory requirements with which it must comply (e.g., EU Data Directive, PCAOB AS5, PCI DSS, HIPAA).
2.3.3.1.2 Determine if the customer has aggregated requirements to minimize duplication.
2.3.3.1.3 Using the documentation assembled in the Governance and Enterprise Risk Management, Legal and Electronic Discovery, and Right to Audit sections, perform a gap analysis against the data regulations to determine if there are any regulatory requirements that cannot be satisfied by the cloud computing model.
2.3.3.2 Data Protection Responsibilities
Control: The deployment scenario (SaaS, PaaS, IaaS) defines the data protection responsibilities between the customer and service provider, and these responsibilities are clearly established contractually.
COBIT cross-reference: DS2.2 DS5.1 DS11.6
2.3.3.2.1 Determine that the responsibilities for data protection are based on the risk for the deployment scenario.
2.3.3.2.2 Review the contract to determine the assignment of responsibilities.
2.3.3.2.3 Based on the contract, determine if the customer and service provider each have established appropriate data protection measures within the scope of their responsibilities.

2.3.4 ISO 27001 Certification
Audit/Assurance Objective: Service provider security assurance is provided through ISO 27001 certification.
2.3.4.1 ISO Information Security Certification
Control: ISO 27001 certification provides assurance of the service provider’s adherence to best-practice security processes.
COBIT cross-reference: DS5.1 ME2.6 ME2.7 ME3.4
2.3.4.1.1 Determine if the service provider has received ISO 27001 certification. If so, adjust the scope of the audit/assurance program to reflect this certification.

2.4 Portability and Interoperability
2.4.1 Service Transition Planning
Audit/Assurance Objective: Planning for the migration of data, such as formats and access, is essential to reducing operational and financial risks at the end of the contract. The transition of services should be considered at the beginning of contract negotiations.
2.4.1.1 Portability
Control: Procedures, capabilities and alternatives are established, maintained and tested, and a state of readiness has been established to transfer cloud computing operations to an alternate service provider in the event that the selected service provider is unable to meet contractual requirements or ceases operations.
COBIT cross-reference: PO2.1 PO4.1 PO4.2 PO4.4 PO4.5
2.4.1.1.1 All cloud solutions
2.4.1.1.1.1 Determine that the hardware and software requirements and the feasibility of moving from the existing service provider (legacy provider) to another provider (new provider) have been documented for each cloud computing initiative.
2.4.1.1.1.2 Determine that an alternate service provider for each legacy service provider has been identified and that the feasibility of transferring processes has been evaluated.
2.4.1.1.1.3 Determine if the feasibility analysis includes procedures and time estimates to move large volumes of data, if applicable.
2.4.1.1.1.4 Determine if the portability process has been tested.
2.4.1.1.2 IaaS cloud solutions
2.4.1.1.2.1 Determine if the feasibility analysis of transferring from the IaaS legacy service provider involves any proprietary functions or processes that would preclude or delay the transfer of operations.
2.4.1.1.2.2 Determine if the portability analysis includes processes to protect the intellectual property and data from the legacy service provider once the transfer has been completed.
2.4.1.1.3 PaaS cloud solutions
2.4.1.1.3.1 Determine if the feasibility analysis includes identification of application components and modules that are proprietary and would require special programming during transfer.
2.4.1.1.3.2 Determine if the portability analysis includes:
• Translation functions to a new service provider
• Interim processing until a new service provider is operational
• Testing of new processes before promotion to a production environment at the new service provider
2.4.1.1.4 SaaS cloud solutions
2.4.1.1.4.1 Determine if the portability analysis includes:
• A plan to back up the data in a format that is usable by other applications
• Routine backup of data
• Identification of custom tools required to process the data and plans to redevelop them
• Testing of the new service provider’s application and due diligence before conversion

3. OPERATING IN THE CLOUD
3.1 Incident Response, Notification and Remediation
Audit/Assurance Objective: Incident notifications, responses and remediation are documented, timely, address the risk of the incident, are escalated as necessary and are formally closed.
3.1.1 Incident Response
Control: The contract SLAs describe specific definitions of incidents (data breaches, security violations) and events (suspicious activities), and the actions to be initiated by, and the responsibilities of, both parties.
COBIT cross-reference: DS1.5 DS1.6 DS2.2 DS2.4 DS5.6 DS8.1 DS8.2 DS8.3 DS8.4
3.1.1.1 Obtain and review the SLAs per the contract to determine that incidents and events are clearly defined and responsibilities assigned.
3.1.1.2 Review cooperation agreements, and evaluate the responsibilities for the investigation of incidents.
3.1.1.3 Notification procedures according to local laws are incorporated into the incident and event process.
3.1.2 Service Provider Issue Monitoring
Control: Issue monitoring processes are implemented and actively used by the service provider to document and report all defined incidents.
COBIT cross-reference: DS1.5 DS1.6 DS2.2 DS2.3 DS2.4 DS5.6 DS8.1 DS8.2 DS8.3 DS8.4
3.1.2.1 Obtain and review the service provider’s issue monitoring procedures.
3.1.2.2 Determine if the monitored reporting requirements are aligned with the customer’s incident reporting policy.
3.1.2.3 Obtain the incident monitoring reports for a representative period of time.
3.1.2.3.1 Determine that the:
• Customer was notified of the incident within the SLA requirements
• Remediation was timely based on the scope and risk of the incident
• Remediation was appropriate
• Issue was escalated, if appropriate
• Issue was closed and the customer notified in a timely manner

3.1.3 Customer Issue Monitoring
Control: The customer has established an issue monitoring process to track internal and service provider incidents.
COBIT cross-reference: DS5.6 DS8.1 DS8.2 DS8.3 DS8.4 DS8.5 ME2.3
3.1.3.1 Obtain the customer incident monitoring procedure.
3.1.3.2 Determine if the incident monitoring procedure tracks both internal and service provider incidents.
3.1.3.3 Select a sample of incidents, and determine that:
• The service provider notified the customer on a timely basis within the scope of the contract.
• The remediation was timely based on the scope and risk of the incident.
• The remediation was appropriate.
• The issue was escalated within the service provider’s hierarchy.
• The issue was closed by the service provider.
• The issue was monitored and reported to customer management.
• Customer procedures were modified to recognize the increased risk.
• Internal customer incidents were recorded by the customer, appropriately reported, remediated and closed.
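The tests in 3.1.2.3.1 and 3.1.3.3 compare each sampled incident's timeline against the contract SLA. The Go program below is an added example, not part of the ISACA program; it runs those tests over a constructed four-incident report. The SLA windows, the severity names, the record fields and the incident rows are all assumptions chosen for illustration, and a severity with no SLA entry is reported as an exception rather than passed silently.

```go
package main

import (
	"fmt"
	"time"
)

// Incident is one row of a constructed incident report of the kind an auditor
// pulls from the provider's issue monitoring system (hypothetical field names;
// a zero time.Time means that event has not happened).
type Incident struct {
	ID         string
	Severity   string
	Detected   time.Time
	Notified   time.Time // when the customer was told
	Remediated time.Time
	Closed     time.Time
	Escalated  bool
}

// SLA holds the contractual windows for one severity level (constructed values).
type SLA struct {
	NotifyWithin    time.Duration
	RemediateWithin time.Duration
	MustEscalate    bool
}

// Finding lists the SLA exceptions for one incident; empty means compliant.
type Finding struct {
	ID         string
	Exceptions []string
}

// DefaultSLA is a constructed SLA table keyed by severity.
func DefaultSLA() map[string]SLA {
	return map[string]SLA{
		"high":   {NotifyWithin: 4 * time.Hour, RemediateWithin: 24 * time.Hour, MustEscalate: true},
		"medium": {NotifyWithin: 24 * time.Hour, RemediateWithin: 72 * time.Hour},
		"low":    {NotifyWithin: 72 * time.Hour, RemediateWithin: 7 * 24 * time.Hour},
	}
}

// checkOne applies the tests of 3.1.2.3.1 and 3.1.3.3 to a single incident.
func checkOne(inc Incident, sla SLA) Finding {
	f := Finding{ID: inc.ID}
	add := func(format string, a ...interface{}) {
		f.Exceptions = append(f.Exceptions, fmt.Sprintf(format, a...))
	}
	switch {
	case inc.Notified.IsZero():
		add("customer not notified")
	case inc.Notified.Sub(inc.Detected) > sla.NotifyWithin:
		add("notification late by %s", inc.Notified.Sub(inc.Detected)-sla.NotifyWithin)
	}
	switch {
	case inc.Remediated.IsZero():
		add("not remediated")
	case inc.Remediated.Sub(inc.Detected) > sla.RemediateWithin:
		add("remediation late by %s", inc.Remediated.Sub(inc.Detected)-sla.RemediateWithin)
	}
	if sla.MustEscalate && !inc.Escalated {
		add("not escalated")
	}
	if inc.Closed.IsZero() {
		add("not closed")
	}
	return f
}

// Evaluate runs the check over a whole report; an unknown severity is itself an exception.
func Evaluate(report []Incident, table map[string]SLA) []Finding {
	out := make([]Finding, 0, len(report))
	for _, inc := range report {
		sla, ok := table[inc.Severity]
		if !ok {
			out = append(out, Finding{ID: inc.ID, Exceptions: []string{"no SLA for severity " + inc.Severity}})
			continue
		}
		out = append(out, checkOne(inc, sla))
	}
	return out
}

// SampleIncidents is a constructed four-row report, not real data.
func SampleIncidents() []Incident {
	at := func(day, hour int) time.Time { return time.Date(2010, 3, day, hour, 0, 0, 0, time.UTC) }
	return []Incident{
		{ID: "INC-1", Severity: "high", Detected: at(1, 8), Notified: at(1, 10), Remediated: at(1, 20), Closed: at(2, 9), Escalated: true},
		{ID: "INC-2", Severity: "high", Detected: at(2, 8), Notified: at(2, 14), Remediated: at(4, 8), Closed: at(4, 10)},
		{ID: "INC-3", Severity: "medium", Detected: at(3, 8), Remediated: at(4, 8)},
		{ID: "INC-4", Severity: "low", Detected: at(5, 8), Notified: at(6, 8)},
	}
}

func main() {
	for _, f := range Evaluate(SampleIncidents(), DefaultSLA()) {
		fmt.Printf("%s: %v\n", f.ID, f.Exceptions)
	}
}
```

In the constructed sample INC-1 is compliant, INC-2 is late on notification and remediation and was never escalated, and INC-3 and INC-4 are still open; the "appropriate remediation" test of 3.1.2.3.1 is a judgement the auditor makes on the incident narrative and is deliberately not reduced to a timestamp comparison here.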
3.2 Application Security
3.2.1 Application Security Architecture
Audit/Assurance Objective: Applications are developed with an understanding of the interdependencies inherent in cloud applications, requiring a risk analysis and a design of the configuration management and provisioning process that will withstand changing application architectures.
3.2.1.1 Application Security Architecture
Control: The design of cloud-based applications includes information security and application security architecture subject matter experts, and the process focuses on the interdependencies inherent in cloud applications.
COBIT cross-reference: AI2.4 DS5.1 DS5.2 DS5.7
3.2.1.1.1 Obtain the application design documentation, and review the policies for subject matter expert involvement in the system design.
3.2.1.1.2 Determine that information security and architecture specialists have been fully engaged during the planning and deployment of cloud applications.
3.2.1.1.3 Select recent implementations, and review the project and development plans for evidence of information security and subject matter expert involvement.
3.2.1.2 Configuration Management and Provisioning
Control: Configuration management and provisioning procedures are segregated from the service provider, limited to a security operations function within the customer’s organization, and provide audit trails to document all activities.
COBIT cross-reference: DS5.3 DS5.4 DS9.1 DS9.2 DS9.3
3.2.1.2.1 Obtain the configuration management and provisioning security architecture.
3.2.1.2.2 Determine if the service provider is prevented from configuring or provisioning users (both administrative and standard users), which may affect data integrity, access or security.
3.2.1.2.3 Determine if logs and audit trails exist and record these activities, and how they are monitored and reviewed.

3.2.2 Compliance
Audit/Assurance Objective: Compliance requirements are an integral component of the design and implementation of the application security architecture.
3.2.2.1 Compliance
Control: The SDLC includes processes to ensure compliance requirements are identified, mapped to the cloud-based application and included in the final product. Compliance gaps are escalated to appropriate senior management for waiver approval.
COBIT cross-reference: AI2.3 AI2.4 ME3.1 ME3.2
3.2.2.1.1 Obtain the compliance analysis utilized as the basis for authorizing the initiation of a cloud-based application.
3.2.2.1.2 Determine if a formal compliance review is performed and if senior management authorization is required where internal information security policies require a waiver to allow the implementation of the cloud-based application.

3.2.3 Tools and Services
Audit/Assurance Objective: Use of development tools, application management libraries and other software is evaluated to ensure their use will not negatively impact the security of applications.
3.2.3.1 Tools and Services
Control: All tools and services used in the development, management and monitoring of applications are itemized and their ownership documented, and their effect on the security of the application is explicitly analyzed. High-risk tools and services are escalated to senior information management for approval.
COBIT cross-reference: AI2.5 AI3.2 AI3.3 DS5.1 DS9.1
3.2.3.1.1 Obtain an analysis of tools and services in use.
3.2.3.1.2 Determine if the ownership of each tool and service has been identified.
3.2.3.1.3 Determine if information security risk has been evaluated for each tool and service. If one is deemed a security risk, determine the disposition (escalation, waiver to use, or disallowing use of the software in a cloud environment).
3.2.3.1.4 Examine examples of escalated requests, and determine adherence to procedures.

3.2.4 Application Functionality
Audit/Assurance Objective: For SaaS implementations, the application outsourced to the cloud contains the appropriate functionality and processing controls required by the customer’s control policies within the processing scope (financial, operational, etc.).
3.2.4.1 Application Functionality
Control: The application functionality is subject to an assurance review as part of the customer’s application process assurance audit.
COBIT cross-reference: ME2.5 ME2.6
3.2.4.1.1 Refer to a standard application audit program for specific steps.
3.3 Data Security and Integrity
3.3.1 Encryption
Audit/Assurance Objective: Data are securely transmitted and maintained to prevent unauthorized access and modification.
3.3.1.1 Data in Transit
Control: Data in transit are encrypted over networks with private keys known only to the customer.
COBIT cross-reference: DS5.7 DS5.11 DS11.6
3.3.1.1.1 Obtain the encryption policies and procedures for data in transit.
3.3.1.1.2 Evaluate if the encryption processes include the following:
• Classification of data traversing cloud networks (top secret, confidential, company confidential, public)
• Encryption technologies in use
• Key management (see the key management analysis in section 3.3.2)
• A list of external organizations of the customer that have decryption keys to data in transit
3.3.1.2 Data at Rest
Control: Data stored in live production databases on cloud systems are encrypted, with knowledge of the decryption keys limited to the customer.
COBIT cross-reference: DS11.2 DS11.3 DS11.6
3.3.1.2.1 Obtain the encryption policies and procedures for data stored on cloud systems.
3.3.1.2.2 For SaaS implementations, determine if the service provider has implemented data at rest encryption.
3.3.1.2.3 Determine if sensitive data need to be exclusively stored on customer systems to satisfy customer policy, regulatory or other compliance requirements.
3.3.1.2.4 Evaluate if the encryption processes include the following:
• Classification of data stored on cloud networks (top secret, confidential, company confidential, public)
• Encryption technologies in use
• Key management (see the key management analysis in section 3.3.2)
• A list of external organizations of the customer that have decryption keys to data at rest
3.3.1.3 Data Backup
Control: Data backups are available in encrypted form.
COBIT cross-reference: DS11.2 DS11.3 DS11.5 DS11.6
3.3.1.3.1 Obtain data backup policies and procedures for backups of cloud-based data.
3.3.1.3.2 Determine if data are encrypted to prevent unauthorized access and disclosure of confidential data.
3.3.1.3.3 Determine if the encryption key structure provides adequate data confidentiality.
3.3.1.3.4 Assess if backup processes provide the ability to restore configurations and data for a predetermined period to allow for forensic and other evaluation activities.
3.3.1.3.5 Determine if tests of data restoration are performed on a routine basis.
3.3.1.4 Test Data Confidentiality
Control: Test data do not contain, and are prohibited from using, copies of any current or historical production data containing sensitive/confidential information.
COBIT cross-reference: AI7.4 DS11.6
3.3.1.4.1 Obtain testing policies and standards.
3.3.1.4.2 Determine if policies specifically exclude the use of any current or historical production data.
3.3.1.4.3 Perform sampling procedures to determine compliance with the test data prohibition policy.

3.3.2 Key Management
Audit/Assurance Objective: Encryption keys are securely protected against unauthorized access, separation of duties exists between the key managers and the hosting organization, and the keys are recoverable.
3.3.2.1 Secure Key Stores
Control: The key stores are protected during transmission, storage and backup.
COBIT cross-reference: DS5.7 DS5.8 DS5.11
3.3.2.1.1 Obtain an understanding of how the key stores are protected.
3.3.2.1.2 Evaluate access controls, transmission controls and backup to ensure that the key stores are in the possession of the key managers.
3.3.2.1.3 Identify potential access breaches to key stores, and identify compensating controls.
3.3.2.2 Access to Key Stores
Control: Key store access is limited to the key managers, whose jobs are separated from the process the key stores protect.
COBIT cross-reference: DS5.7 DS5.8
3.3.2.2.1 Identify the key store managers.
3.3.2.2.2 Perform a separation of duties analysis to determine the specific functional transactions to which the key store managers have access.
3.3.2.2.3 Evaluate if the positions of key store managers and their access to key stores create a vulnerability to data confidentiality or integrity.
3.3.2.2.4 Determine if the service provider has access to the keys and has the procedures and oversight to ensure the confidentiality of customer data.
3.3.2.2.5 Determine if appropriate controls protect the keys during generation and disposal.
3.3.2.3 Key Backup and Recoverability
Control: Key backup and recoverability have been established and tested to ensure continued access to data keys.
COBIT cross-reference: DS4.3 DS4.8 DS4.9 DS5.7 DS5.8
3.3.2.3.1 Obtain the backup and recovery policies and procedures.
3.3.2.3.2 Perform a risk assessment, with known vulnerabilities, to determine that the key backups would be available and recovery would be assured.
3.3.2.3.3 Determine if a key recovery test process exists and is routinely executed.
3.3.2.3.4 Review recent key recovery tests. Evaluate the validity of each test, the analysis and remediation process used, and the preparedness for key restoration.

3.4 Identity and Access Management
3.4.1 Identity and Access Management
Audit/Assurance Objective: Identity processes assure that only authorized users have access to the data and resources, user activities can be audited and analyzed, and the customer has control over access management.
3.4.1.1 Identity Provisioning
Control: User provisioning (on-boarding), deprovisioning (termination) and job function changes for cloud-based applications and operating platforms are managed in a timely and controlled manner, according to internal user access policies.
COBIT cross-reference: DS5.3 DS5.4
3.4.1.1.1 Obtain internal provisioning/deprovisioning policies.
3.4.1.1.2 Analyze provisioning/deprovisioning policies in relation to the procedures implemented for cloud systems.
3.4.1.1.3 Using the identity management section of the ISACA Identity Management Audit/Assurance Program, identify gaps in controls that require additional focus.
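The encryption controls of 3.3.1.2 (decryption keys known only to the customer) and 3.3.2.3 (key backup and recovery established and tested) above are the ones an auditor most often has to see evidence for rather than take on policy. The Go program below is an added example, not code from the ISACA program or from any provider; it shows one envelope-encryption layout that satisfies both controls: a fresh data key per record, wrapped under a customer-held key-encryption key that the provider never receives, plus a recovery routine that can be run against the KEK backup copy to produce the evidence 3.3.2.3.3 asks for. The key label, the record contents and the backup mechanism (an in-memory copy standing in for an offsite store) are constructed assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// Record is what the service provider stores; without the customer's KEK neither field yields plaintext.
type Record struct {
	KeyID      string // label of the customer KEK that wrapped the DEK (constructed)
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK, aad=KeyID)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, plaintext, aad=KeyID)
}

func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	return k, nil
}

func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil // nonce || ciphertext || tag
}

func gcmOpen(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("blob shorter than nonce")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// Encrypt runs on the customer side: a fresh DEK per record, wrapped under a KEK that never
// leaves the customer's key store. KeyID is bound as AAD so a wrapped DEK cannot be swapped.
func Encrypt(kek []byte, keyID string, plaintext []byte) (Record, error) {
	dek, err := NewKey()
	if err != nil {
		return Record{}, err
	}
	ct, err := gcmSeal(dek, plaintext, []byte(keyID))
	if err != nil {
		return Record{}, err
	}
	wrapped, err := gcmSeal(kek, dek, []byte(keyID))
	if err != nil {
		return Record{}, err
	}
	return Record{KeyID: keyID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the KEK, then opens the record; a wrong KEK or tampered KeyID fails at the unwrap.
func Decrypt(kek []byte, rec Record) ([]byte, error) {
	dek, err := gcmOpen(kek, rec.WrappedDEK, []byte(rec.KeyID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK under %s: %w", rec.KeyID, err)
	}
	return gcmOpen(dek, rec.Ciphertext, []byte(rec.KeyID))
}

// RecoveryTest is the exercise behind 3.3.2.3.3: restore the KEK from its backup copy and
// prove a known record still decrypts to the expected plaintext. False is an audit finding.
func RecoveryTest(kekBackup []byte, rec Record, expected []byte) bool {
	got, err := Decrypt(kekBackup, rec)
	return err == nil && bytes.Equal(got, expected)
}

func main() {
	kek, _ := NewKey()
	sample := []byte("constructed customer record, not real data")
	rec, _ := Encrypt(kek, "cust-kek-2010-01", sample)
	backup := append([]byte(nil), kek...) // stands in for the offsite KEK copy
	fmt.Println("recovery from KEK backup:", RecoveryTest(backup, rec, sample))
	other, _ := NewKey()
	_, err := Decrypt(other, rec) // a key the provider might hold is useless here
	fmt.Println("decrypt without customer KEK:", err == nil)
}
```

The provider's copy of the record carries the wrapped DEK, so losing the KEK backup (3.3.2.3.2) means losing every record wrapped under that label; the recovery test therefore belongs in the same routine as the data restoration tests of 3.3.1.3.5, with the same documented results for the reviewer.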
3.4.1.2 Authentication
Control: Responsibility for user authentication remains with the customer; single sign-on and open authentication (as opposed to service provider proprietary authentication technologies) should be used.
COBIT cross-reference: PO3.4 DS5.3 DS5.4
3.4.1.2.1 For SaaS and PaaS, determine if the customer can establish trust between the internal authentication system and the cloud system.
3.4.1.2.2 Determine, where there is an option, that the nonproprietary authentication process has been implemented at the service provider.
3.4.1.2.3 If a proprietary authentication process is the only option, determine if appropriate controls are in place to:
• Prevent shared user IDs
• Provide adequate separation of duties to prevent service provider staff from obtaining customer identities
• Provide forensic and logging functions to provide a history of activities
• Provide monitoring functions to alert the customer of unauthorized authentication activities
3.4.1.2.4 For IaaS:
• If dedicated VPNs are implemented between the service provider and customer installations, determine if the users are authenticated at the customer network before passing transactions through the VPN.
• Where a dedicated VPN is not feasible, determine if recognized standard authentication formats are in use (e.g., SAML, WS-Federation) in conjunction with SSL.
3.4.1.2.5 For IaaS and private, internal cloud deployments, verify that third-party access control solutions operate effectively in virtualized and cloud environments and that event data can be aggregated and correlated effectively for management review.
3.4.1.2.6 Using the authentication section of the ISACA Identity Management Audit/Assurance Program, identify gaps in controls that require additional focus.

3.5 Virtualization (see note 2)
3.5.1 Virtualization
Audit/Assurance Objective: Virtualization operating systems are hardened to prevent cross-contamination with other customer environments.
3.5.1.1 Virtualization
Control: Operating system isolation and security controls are implemented by the service provider to prevent unauthorized access and attacks.
COBIT cross-reference: DS2.4 DS5.5 DS9.2 DS9.3
3.5.1.1.1 Identify the virtual machine configuration in place.
3.5.1.1.2 Determine if additional controls have been implemented, including the following:
• Intrusion detection
• Malware prevention
• Vulnerability scanning
• Baseline management and analysis
• Virtual machine image validation prior to placement in production
• Preclusion of bypassing security mechanisms, by identification of the security-related APIs in use
• Separate production and testing environments
• Internal organization identity management for administrative access
• Timely isolation intrusion reporting
Note 2: ISACA is developing an audit/assurance program on the topic of virtualization, which is scheduled to be issued by the end of 2010.
Monitoring
Information and Communication
Control Activities
Crossreference
Control Environment
COBIT Audit/Assurance Program Step
Risk Assessment
COSO Reference Issue HyperCross- Comments link reference
VII. Maturity Assessment

The maturity assessment is an opportunity to assess the maturity of the processes reviewed. Based on the results of the audit/assurance review and the reviewer’s observations, assign a maturity level to each of the following COBIT control practices. The assessment should be limited to the control practices related directly to cloud computing implementation and should be applicable to the service provider and customer for the previously mentioned control criteria.

Table columns: COBIT Control Objectives; Assessed Maturity; Target Maturity; Reference Hyperlink; Comments.

DS1 Define and Manage Service Levels
Effective communication between IT management and business customers regarding services required is enabled by a documented definition of and agreement on IT services and service levels. This process also includes monitoring and timely reporting to stakeholders on the accomplishment of service levels. This process enables alignment between IT services and the related business requirements.
DS1.1 Service level management framework—Define a framework that provides a formalised service level management process between the customer and service provider. The framework should maintain continuous alignment with business requirements and priorities and facilitate common understanding between the customer and provider(s).
DS1.2 Definition of services—Base definitions of IT services on service characteristics and business requirements. Ensure that they are organised and stored centrally via the implementation of a service catalogue portfolio approach.
DS1.3 Service level agreements—Define and agree to SLAs for all critical IT services based on customer requirements and IT capabilities. This should cover customer commitments; service support requirements; quantitative and qualitative metrics for measuring the service signed off on by the stakeholders; funding and commercial arrangements, if applicable; and roles and responsibilities, including oversight of the SLA.
DS1.5 Monitoring and reporting of service level achievements—Continuously monitor specified service level performance criteria.
DS1.6 Review of service level agreements and contracts—Regularly review SLAs and underpinning contracts (UCs) with internal and external service providers to ensure that they are effective and up to date and that changes in requirements have been taken into account.

DS2 Manage Third-party Services
The need to assure that services provided by third parties (suppliers, vendors and partners) meet business requirements requires an effective third-party management process. This process is accomplished by clearly defining the roles, responsibilities and expectations in third-party agreements as well as reviewing and monitoring such agreements for effectiveness and compliance. Effective management of third-party services minimises the business risk associated with non-performing suppliers.
DS2.2 Supplier relationship management—Formalise the supplier relationship management process for each supplier. The relationship owners should liaise on customer and supplier issues and ensure the quality of the relationship based on trust and transparency (e.g., through SLAs).
DS2.3 Supplier risk management—Identify and mitigate risks relating to suppliers’ ability to continue effective service delivery in a secure and efficient manner on a continual basis. Ensure that contracts conform to universal business standards in accordance with legal and regulatory requirements.
DS2.4 Supplier performance monitoring—Establish a process to monitor service delivery to ensure that the supplier is meeting current business requirements and continuing to adhere to the contract agreements and SLAs, and that performance is competitive with alternative suppliers and market conditions.

© 2010 ISACA. All rights reserved. Page 38
DS4 Ensure Continuous Service
The need for providing continuous IT services requires developing, maintaining and testing IT continuity plans, utilising offsite backup storage and providing periodic continuity plan training. An effective continuous service process minimises the probability and impact of a major IT service interruption on key business functions and processes.
DS4.2 IT continuity plans—Develop IT continuity plans based on the framework and designed to reduce the impact of a major disruption on key business functions and processes. The plans should be based on risk understanding of potential business impacts and address requirements for resilience, alternative processing and recovery capability of all critical IT services.
DS4.4 Maintenance of the IT continuity plan—Encourage IT management to define and execute change control procedures to ensure that the IT continuity plan is kept up to date and continually reflects actual business requirements.
DS4.5 Testing of the IT continuity plan—Test the IT continuity plan on a regular basis to ensure that IT systems can be effectively recovered, shortcomings are addressed and the plan remains relevant.
DS4.8 IT services recovery and resumption—Plan the actions to be taken for the period when IT is recovering and resuming services.
DS4.9 Offsite backup storage—Store offsite all critical backup media, documentation and other IT resources necessary for IT recovery and business continuity plans.

DS5 Ensure Systems Security
The need to maintain the integrity of information and protect IT assets requires a security management process. This process includes establishing and maintaining IT security roles and responsibilities, policies, standards, and procedures. Security management also includes performing security monitoring and periodic testing and implementing corrective actions for identified security weaknesses or incidents.
DS5.1 Management of IT security—Manage IT security at the highest appropriate organisational level, so the management of security actions is in line with business requirements.
DS5.2 IT security plan—Translate business, risk and compliance requirements into an overall IT security plan, taking into consideration the IT infrastructure and the security culture. Ensure that the plan is implemented in security policies and procedures together with appropriate investments in services, personnel, software and hardware. Communicate security policies and procedures to stakeholders and users.
DS5.3 Identity management—Ensure that all users (internal, external and temporary) and their activity on IT systems (business application, IT environment, system operations, development and maintenance) are uniquely identifiable. Enable user identities via authentication mechanisms. Confirm that user access rights to systems and data are in line with defined and documented business needs and that job requirements are attached to user identities. Ensure that user access rights are requested by user management, approved by system owners and implemented by the security-responsible person. Maintain user identities and access rights in a central repository. Deploy cost-effective technical and procedural measures, and keep them current to establish user identification, implement authentication and enforce access rights.
DS5.4 User account management—Address requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges with a set of user account management procedures. Include an approval procedure outlining the data or system owner granting the access privileges. These procedures should apply for all users, including administrators (privileged users) and internal and external users, for normal and emergency cases. Rights and obligations relative to access to enterprise systems and information should be contractually arranged for all types of users.
DS5.5 Security testing, surveillance and monitoring—Test and monitor the IT security implementation in a proactive way. IT security should be reaccredited in a timely manner to ensure that the approved enterprise’s information security baseline is maintained.
DS5.6 Security incident definition—Clearly define and communicate the characteristics of potential security incidents so they can be properly classified and treated by the incident and problem management process.
DS5.7 Protection of security technology—Make security-related technology resistant to tampering, and do not disclose security documentation unnecessarily.
DS5.8 Cryptographic key management—Determine that policies and procedures are in place to organize the generation, change, revocation, destruction, distribution, certification, storage, entry, use and archiving of cryptographic keys to ensure the protection of keys against modification and unauthorised disclosure.
DS5.10 Network security—Use security techniques and related management procedures (e.g., firewalls, security appliances, network segmentation, intrusion detection) to authorize access and control information flows from and to networks.
DS5.11 Exchange of sensitive data—Exchange sensitive transaction data only over a trusted path or medium with controls to provide authenticity of content, proof of submission, proof of receipt and non-repudiation of origin.
DS8 Manage Service Desk and Incidents
Timely and effective response to IT user queries and problems requires a well-designed and well-executed service desk and incident management process. This process includes setting up a service desk function with registration, incident escalation, trend and root cause analysis, and resolution. The business benefits include increased productivity through quick resolution of user queries. In addition, the business can address root causes (such as poor user training) through effective reporting.
DS8.1 Service desk—Establish a service desk function, which is the user interface with IT, to register, communicate, dispatch and analyze all calls, reported incidents, service requests and information demands. There should be monitoring and escalation procedures based on agreed-upon service levels relative to the appropriate SLA that allow classification and prioritization of any reported issue as an incident, service request or information request.
DS8.2 Registration of customer queries—Establish a function and system to allow logging and tracking of calls, incidents, service requests and information needs. It should work closely with such processes as incident management, problem management, change management, capacity management and availability management. Incidents should be classified according to a business and service priority and routed to the appropriate problem management team, where necessary.
DS8.3 Incident escalation—Establish service desk procedures, so incidents that cannot be resolved immediately are appropriately escalated according to limits defined in the SLA and, if appropriate, workarounds are provided.
DS8.4 Incident closure—Establish procedures for the monitoring of timely clearance of customer queries. When the incident has been resolved, ensure that the service desk records the resolution steps, and confirm that the action taken has been agreed to by the customer. Also record and report unresolved incidents (known errors and workarounds) to provide information for proper problem management.
DS8.5 Reporting and trend analysis—Produce reports of service desk activity to enable management to measure service performance and service response times and to identify trends or recurring problems, so service can be continually improved.
DS9 Manage the Configuration
Ensuring the integrity of hardware and software configurations requires the establishment and maintenance of an accurate and complete configuration repository. This process includes collecting initial configuration information, establishing baselines, verifying and auditing configuration information, and updating the configuration repository as needed.
DS9.1 Configuration repository and baseline—Establish a supporting tool and a central repository to contain all relevant information on configuration items. Monitor and record all assets and changes to assets. Maintain a baseline of configuration items for every system and service as a checkpoint to which to return after changes.
DS9.2 Identification and maintenance of configuration items—Establish configuration procedures to support management and logging of all changes to the configuration repository. Integrate these procedures with change management, incident management and problem management procedures.

DS11 Manage Data
Effective data management requires identifying data requirements. The data management process also includes the establishment of effective procedures to manage the media library, backup and recovery of data, and proper disposal of media.
DS11.2 Storage and retention arrangements—Define and implement procedures for effective and efficient data storage, retention and archiving to meet business objectives, the organization’s security policy and regulatory requirements.
DS11.3 Media library management system—Define and implement procedures to maintain an inventory of stored and archived media to ensure their usability and integrity.
DS11.4 Disposal—Define and implement procedures to ensure that business requirements for protection of sensitive data and software are met when data and hardware are disposed or transferred.
DS11.5 Backup and restoration—Define and implement procedures for backup and restoration of systems, applications, data and documentation in line with business requirements and the continuity plan.
DS11.6 Security requirements for data management—Define and implement policies and procedures to identify and apply security requirements applicable to the receipt, processing, storage and output of data to meet business objectives, the organisation’s security policy and regulatory requirements.
ME2 Monitor and Evaluate Internal Control
Establishing an effective internal control program for IT requires a well-defined monitoring process. This process includes the monitoring and reporting of control exceptions, results of self-assessments and third-party reviews.
ME2.5 Assurance of internal control—Obtain, as needed, further assurance of the completeness and effectiveness of internal controls through third-party reviews.
ME2.6 Internal control at third parties—Assess the status of external service providers’ internal controls. Confirm that external service providers comply with legal and regulatory requirements and contractual obligations.

ME3 Ensure Compliance With External Requirements
Effective oversight of compliance requires the establishment of a review process to ensure compliance with laws, regulations and contractual requirements. This process includes identifying compliance requirements, optimising and evaluating the response, obtaining assurance that the requirements have been complied with and, finally, integrating IT’s compliance reporting with the rest of the business.
ME3.1 Identification of external legal, regulatory and contractual compliance requirements—Identify, on a continuous basis, local and international laws, regulations, and other external requirements that must be complied with for incorporation into the organisation’s IT policies, standards, procedures and methodologies.
ME3.3 Evaluation of compliance with regulatory requirements—Confirm compliance of IT policies, standards, procedures and methodologies with legal and regulatory requirements.
ME3.4 Positive assurance of compliance—Obtain and report assurance of compliance and adherence to all internal policies derived from internal directives or external legal, regulatory or contractual requirements, confirming that any corrective actions to address any compliance gaps have been taken by the responsible process owner in a timely manner.
VIII. Assessment Maturity vs. Target Maturity

This spider graph is an example of the assessment results and maturity target for a specific company.

[Figure: spider graph on a 0 to 5 maturity scale, plotting two series, Assessment and Target, against the DS5 control objectives: DS5.1 Management of IT Security; DS5.2 IT Security Plan; DS5.3 Identity Management; DS5.4 User Account Management; DS5.5 Security Testing, Surveillance and Monitoring; DS5.6 Security Incident Definition; DS5.7 Protection of Security Technology; DS5.8 Cryptographic Key Management; DS5.9 Malicious Software Prevention, Detection and Correction; DS5.10 Network Security; DS5.11 Exchange of Sensitive Data.]
IT Continuity Planning Audit/Assurance Program

ISACA®
With more than 86,000 constituents in more than 160 countries, ISACA (www.isaca.org) is a recognized worldwide leader in IT governance, control, security and assurance. Founded in 1969, ISACA sponsors international conferences, publishes the ISACA Journal®, and develops international information systems auditing and control standards. It also administers the globally respected Certified Information Systems Auditor™ (CISA®) designation, earned by more than 60,000 professionals since 1978; the Certified Information Security Manager® (CISM®) designation, earned by more than 10,000 professionals since 2002; and the new Certified in the Governance of Enterprise IT™ (CGEIT™) designation.

Disclaimer
ISACA has designed and created IT Continuity Planning Audit/Assurance Program (the “Work”), primarily as an informational resource for audit and assurance professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, audit/assurance professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or IT environment.

Reservation of Rights
© 2009 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written authorization of ISACA. Reproduction and use of all or portions of this publication are permitted solely for academic, internal and noncommercial use, and consulting/advisory engagements, and must include full attribution of the material’s source. No other right or permission is granted with respect to this work.

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
E-mail: [email protected]
Web site: www.isaca.org

ISBN 978-1-60420-079-9
Printed in the United States of America
ISACA wishes to recognize:

Author
Norm Kelson, CISA, CGEIT, CPA, The Kelson Group, USA

© 2009 ISACA. All rights reserved. Page 2

Expert Reviewers
José Manuel Ballester Fernández, Ph.D., CISA, CISM, CGEIT, IEEE, IT Deusto, Spain
Dinesh O. Bareja, CISA, India
Robert B. Brenis, CISA, CGEIT, MCP, PMP, Skoda Minotti, USA
Rafael Eduardo Fabius, CISA, Republica AFAP SA, Uruguay
Anuj Goel, Ph.D., CISA, CISSP, Citigroup Inc., USA
Samuel Chiedozie Isichei, CISA, CISM, CISSP, Protiviti, USA
Kathy A. Rogers, CISA, USA

ISACA Board of Directors
Lynn Lawton, CISA, FBCS, FCA, FIIA, KPMG LLP, UK, International President
George Ataya, CISA, CISM, CGEIT, CISSP, ICT Control SA, Belgium, Vice President
Howard Nicholson, CISA, CGEIT, City of Salisbury, Australia, Vice President
Jose Angel Pena Ibarra, CGEIT, Consultoria en Comunicaciones e Info. SA & CV, Mexico, Vice President
Robert E. Stroud, CA Inc., USA, Vice President
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Vice President
Frank Yam, CISA, CIA, CCP, CFE, CFSA, FFA, FHKCS, FHKIoD, Focus Strategic Group Inc., Hong Kong, Vice President
Marios Damianides, CISA, CISM, CA, CPA, Ernst & Young, USA, Past International President
Everett C. Johnson Jr., CPA, Deloitte & Touche LLP (retired), USA, Past International President
Gregory T. Grocholski, CISA, The Dow Chemical Company, USA, Director
Tony Hayes, Queensland Government, Australia, Director
Jo Stewart-Rattray, CISA, CISM, CSEPS, RSM Bird Cameron, Australia, Director

Assurance Committee
Gregory T. Grocholski, CISA, The Dow Chemical Company, USA, Chair
Pippa G. Andrews, CISA, ACA, CIA, Amcor, Australia
Richard Brisebois, CISA, CGA, Office of the Auditor General of Canada, Canada
Sergio Fleginsky, CISA, ICI, Uruguay
Robert Johnson, CISA, CISM, CISSP, Executive Consultant, USA
Anthony P. Noble, CISA, CCP, Viacom Inc., USA
Robert G. Parker, CISA, CA, CMC, FCA, Deloitte & Touche LLP (retired), Canada
Erik Pols, CISA, CISM, Shell International - ITCI, Netherlands
Vatsaraman Venkatakrishnan, CISA, CISM, CGEIT, ACA, Emirates Airlines, UAE
Table of Contents
I. Introduction ..... 4
II. Using This Document ..... 5
III. Controls Maturity Analysis ..... 8
IV. Assurance and Control Framework ..... 9
V. Executive Summary of Audit/Assurance Focus ..... 11
VI. Audit/Assurance Program ..... 13
    1. Planning and Scoping the Audit ..... 13
    2. Continuity Framework and Policy ..... 17
    3. Business Assessment of Contingency Planning Requirements ..... 18
    4. Integration of Business Continuity and IT Continuity Plans ..... 20
    5. IT Continuity Plan ..... 20
VII. Maturity Assessment ..... 31
VIII. Assessment Maturity vs. Target Maturity ..... 36
I. Introduction

Overview
ISACA has developed the IT Assurance Framework (ITAF™) as a comprehensive and good-practice-setting model. ITAF provides standards that are designed to be mandatory, and are the guiding principles under which the IT audit and assurance profession operates. The guidelines provide information and direction for the practice of IT audit and assurance. The tools and techniques provide methodologies, tools and templates to provide direction in the application of IT audit and assurance processes.
Purpose
The audit/assurance program is a tool and template to be used as a road map for the completion of a specific assurance process. ISACA’s Assurance Committee has commissioned audit/assurance programs to be developed for use by IT audit and assurance practitioners. This audit/assurance program is intended to be utilized by IT audit and assurance professionals with the requisite knowledge of the subject matter under review, as described in ITAF, in section 2200—General Standards. The audit/assurance programs are part of ITAF, section 4000—IT Assurance Tools and Techniques.
Control Framework
The audit/assurance programs have been developed in alignment with the IT Governance Institute® (ITGI™) framework Control Objectives for Information and related Technology (COBIT®)—specifically COBIT 4.1—using generally applicable and accepted good practices. They reflect ITAF sections 3400—IT Management Processes, 3600—IT Audit and Assurance Processes, and 3800—IT Audit and Assurance Management. Many organizations have embraced several frameworks at an enterprise level, including the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Framework. The importance of the control framework has been enhanced due to regulatory requirements by the US Securities and Exchange Commission (SEC) as directed by the US Sarbanes-Oxley Act of 2002 and similar legislation in other countries. They seek to integrate control framework elements used by the general audit/assurance team into the IT audit and assurance framework. Since COSO is widely used, it has been selected for inclusion in this audit/assurance program. The reviewer may delete or rename these columns to align with the enterprise’s control framework.
IT Governance, Risk and Control
IT governance, risk and control are critical in the performance of any assurance management process. Governance of the process under review will be evaluated as part of the policies and management oversight controls. Risk plays an important role in evaluating what to audit and how management approaches and manages risk. Both issues will be evaluated as steps in the audit/assurance program. Controls are the primary evaluation point in the process. The audit/assurance program will identify the control objectives and the steps to determine control design and effectiveness.

Responsibilities of IT Audit and Assurance Professionals
IT audit and assurance professionals are expected to customize this document to the environment in which they are performing an assurance process. This document is to be used as a review tool and starting point. It may be modified by the IT audit and assurance professional; it is not intended to be a checklist or questionnaire. It is assumed that the IT audit and assurance professional holds the Certified Information Systems Auditor (CISA) designation, or has the necessary subject matter expertise required to conduct the work and is supervised by a professional with the CISA designation and/or necessary subject matter expertise to adequately review the work performed.
II. Using This Document

This audit/assurance program was developed to assist the audit and assurance professional in designing and executing a review. Details regarding the format and use of the document follow.

Work Program Steps
The first column of the program describes the steps to be performed. The numbering scheme used provides built-in work paper numbering for ease of cross-reference to the specific work paper for that section. The physical document was designed in Microsoft® Word. The IT audit and assurance professional is encouraged to make modifications to this document to reflect the specific environment under review. Step 1 is part of the fact gathering and pre-fieldwork preparation. Because the pre-fieldwork is essential to a successful and professional review, the steps have been itemized in this plan. The first level steps, e.g., 1.1, are in bold type and provide the reviewer with a scope or high-level explanation of the purpose for the substeps. Beginning in step 2, the steps associated with the work program are itemized. To simplify the use of the program, the audit/assurance program describes the audit/assurance objective—the reason for performing the steps in the topic area. The specific controls follow and are shown in blue type. Each review step is listed below the control. These steps may include assessing the control design by walking through a process, interviewing, observing or otherwise verifying the process and the controls that address that process. In many cases, once the control design has been verified, specific tests need to be performed to provide assurance that the process associated with the control is being followed. The maturity assessment, which is described in more detail later in this document, makes up the last section of the program. The audit/assurance plan wrap-up—those processes associated with the completion and review of work papers, preparation of issues and recommendations, report writing and report clearing—has been excluded from this document, since it is standard for the audit/assurance function and should be identified elsewhere in the enterprise’s standards.
COBIT Cross-reference
The COBIT cross-reference provides the audit and assurance professional with the ability to refer to the specific COBIT control objective that supports the audit/assurance step. The COBIT control objective should be identified for each audit/assurance step in the section. Multiple cross-references are not uncommon. Processes at lower levels in the work program are too granular to be cross-referenced to COBIT. The audit/assurance program is organized in a manner to facilitate an evaluation through a structure parallel to the development process. COBIT provides in-depth control objectives and suggested control practices at each level. As the professional reviews each control, he/she should refer to COBIT 4.1 or the IT Assurance Guide: Using COBIT for good-practice control guidance.
COSO Components
As noted in the introduction, COSO and similar frameworks have become increasingly popular among audit/assurance professionals. This ties the assurance work to the enterprise’s control framework. While the IT audit/assurance function uses COBIT as a framework, operational audit and assurance professionals use the framework established by the enterprise. Since COSO is the most prevalent internal control framework, it has been included in this document and is a bridge to align IT audit/assurance with the rest of the audit/assurance function. Many audit/assurance organizations include the COSO control components within their report, and summarize assurance activities to the audit committee of the board of directors. For each control, the audit and assurance professional should indicate the COSO component(s) addressed. It is possible, but generally not necessary, to extend this analysis to the specific audit step level. The original COSO internal control framework contained five components. In 2004, COSO was revised as the Enterprise Risk Management (ERM) Integrated Framework and extended to eight components. The primary difference between the two frameworks is the additional focus on ERM and integration into the business decision model. ERM is in the process of being adopted by large enterprises. The two frameworks are compared in figure 1.

Figure 1—Comparison of COSO Internal Control and ERM Integrated Frameworks

Internal Control Framework
Control Environment: The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values, management’s operating style, delegation of authority systems, as well as the processes for managing and developing people in the organization.
Risk Assessment: Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, and, thus, risk assessment is the identification and analysis of relevant risks to achievement of assigned objectives. Risk assessment is a prerequisite for determining how the risks should be managed.
Control Activities: Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.
Information and Communication: Information systems play a key role in internal control systems as they produce reports, including operational, financial and compliance-related information that make it possible to run and control the business. In a broader sense, effective communication must ensure information flows down, across and up the organization. Effective communication should also be ensured with external parties, such as customers, suppliers, regulators and shareholders.
Monitoring: Internal control systems need to be monitored—a process that assesses the quality of the system’s performance over time. This is accomplished through ongoing monitoring activities or separate evaluations. Internal control deficiencies detected through these monitoring activities should be reported upstream and corrective actions should be taken to ensure continuous improvement of the system.

ERM Integrated Framework
Internal Environment: The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity’s people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
Objective Setting: Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.
Event Identification: Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management’s strategy or objective-setting processes.
Risk Assessment: Risks are analyzed, considering the likelihood and impact, as a basis for determining how they could be managed. Risk areas are assessed on an inherent and residual basis.
Risk Response: Management selects risk responses—avoiding, accepting, reducing or sharing risk—developing a set of actions to align risks with the entity’s risk tolerances and risk appetite.
Control Activities: Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
Information and Communication: Relevant information is identified, captured and communicated in a form and time frame that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across and up the entity.
Monitoring: The entirety of enterprise risk management is monitored and modifications are made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations or both.
Information for figure 1 was obtained from the COSO web site www.coso.org/aboutus.htm.
The original COSO internal control framework addresses the needs of the IT audit and assurance professional: control environment, risk assessment, control activities, information and communication, and monitoring. As such, ISACA has elected to utilize the five-component model for these audit/assurance programs. As more enterprises implement the ERM model, the additional three columns (internal environment, objective setting and event identification, plus risk response) can be added, if relevant. When completing the COSO component columns, consider the definitions of the components as described in figure 1.
Reference/Hyperlink Good practices require the audit and assurance professional to create a work paper for each line item, which describes the work performed, issues identified and conclusions. The reference/hyperlink is to be used to cross-reference the audit/assurance step to the work paper that supports it. The numbering system of this document provides a ready numbering scheme for the work papers. If desired, a link to the work paper can be pasted into this column.
Issue Cross-reference This column can be used to flag a finding/issue that the IT audit and assurance professional wants to further investigate or establish as a potential finding. The potential findings should be documented in a work paper that indicates the disposition of the findings (formally reported, reported as a memo or verbal finding, or waived).
Comments The comments column can be used to indicate the waiving of a step or other notations. It is not to be used in place of a work paper describing the work performed.
III. Controls Maturity Analysis
One of the consistent requests of stakeholders who have undergone IT audit/assurance reviews is a desire to understand how their performance compares to good practices. Audit and assurance professionals must provide an objective basis for the review conclusions. Maturity modeling for management and control over IT processes is based on a method of evaluating the enterprise, so it can be rated from a maturity level of nonexistent (0) to optimized (5). This approach is derived from the maturity model that the Software Engineering Institute (SEI) of Carnegie Mellon University defined for the maturity of software development. The IT Assurance Guide Using COBIT, Appendix VII—Maturity Model for Internal Control, in figure 2, provides a generic maturity model showing the status of the internal control environment and the establishment of internal controls in an enterprise. It shows how the management of internal control, and an awareness of the need to establish better internal controls, typically develops from an ad hoc to an optimized level. The model provides a high-level guide to help COBIT users appreciate what is required for effective internal controls in IT and to help position their enterprise on the maturity scale.

Figure 2—Maturity Model for Internal Control

Maturity Level 0 Non-existent
Status of the Internal Control Environment: There is no recognition of the need for internal control. Control is not part of the organization's culture or mission. There is a high risk of control deficiencies and incidents.
Establishment of Internal Controls: There is no intent to assess the need for internal control. Incidents are dealt with as they arise.

Maturity Level 1 Initial/ad hoc
Status of the Internal Control Environment: There is some recognition of the need for internal control. The approach to risk and control requirements is ad hoc and disorganized, without communication or monitoring. Deficiencies are not identified. Employees are not aware of their responsibilities.
Establishment of Internal Controls: There is no awareness of the need for assessment of what is needed in terms of IT controls. When performed, it is only on an ad hoc basis, at a high level and in reaction to significant incidents. Assessment addresses only the actual incident.

Maturity Level 2 Repeatable but Intuitive
Status of the Internal Control Environment: Controls are in place but are not documented. Their operation is dependent on the knowledge and motivation of individuals. Effectiveness is not adequately evaluated. Many control weaknesses exist and are not adequately addressed; the impact can be severe. Management actions to resolve control issues are not prioritized or consistent. Employees may not be aware of their responsibilities.
Establishment of Internal Controls: Assessment of control needs occurs only when needed for selected IT processes to determine the current level of control maturity, the target level that should be reached and the gaps that exist. An informal workshop approach, involving IT managers and the team involved in the process, is used to define an adequate approach to controls for the process and to motivate an agreed-upon action plan.

Maturity Level 3 Defined
Status of the Internal Control Environment: Controls are in place and adequately documented. Operating effectiveness is evaluated on a periodic basis and there is an average number of issues. However, the evaluation process is not documented. While management is able to deal predictably with most control issues, some control weaknesses persist and impacts could still be severe. Employees are aware of their responsibilities for control.
Establishment of Internal Controls: Critical IT processes are identified based on value and risk drivers. A detailed analysis is performed to identify control requirements and the root cause of gaps and to develop improvement opportunities. In addition to facilitated workshops, tools are used and interviews are performed to support the analysis and ensure that an IT process owner owns and drives the assessment and improvement process.

Maturity Level 4 Managed and Measurable
Status of the Internal Control Environment: There is an effective internal control and risk management environment. A formal, documented evaluation of controls occurs frequently. Many controls are automated and regularly reviewed. Management is likely to detect most control issues, but not all issues are routinely identified. There is consistent follow-up to address identified control weaknesses. A limited, tactical use of technology is applied to automate controls.
Establishment of Internal Controls: IT process criticality is regularly defined with full support and agreement from the relevant business process owners. Assessment of control requirements is based on policy and the actual maturity of these processes, following a thorough and measured analysis involving key stakeholders. Accountability for these assessments is clear and enforced. Improvement strategies are supported by business cases. Performance in achieving the desired outcomes is consistently monitored. External control reviews are organized occasionally. Business changes consider the criticality of IT processes and cover any need to reassess process control capability.

Maturity Level 5 Optimized
Status of the Internal Control Environment: An enterprisewide risk and control program provides continuous and effective control and risk issues resolution. Internal control and risk management are integrated with enterprise practices, supported with automated real-time monitoring with full accountability for control monitoring, risk management and compliance enforcement. Control evaluation is continuous, based on self-assessments and gap and root cause analyses. Employees are proactively involved in control improvements.
Establishment of Internal Controls: IT process owners regularly perform self-assessments to confirm that controls are at the right level of maturity to meet business needs and they consider maturity attributes to find ways to make controls more efficient and effective. The organization benchmarks to external best practices and seeks external advice on internal control effectiveness. For critical processes, independent reviews take place to provide assurance that the controls are at the desired level of maturity and working as planned.
The maturity model evaluation is one of the final steps in the evaluation process. The IT audit and assurance professional can address the key controls within the scope of the work program and formulate an objective assessment of the maturity levels of the control practices. The maturity assessment can be a part of the audit/assurance report and can be used as a metric from year to year to document progression in the enhancement of controls. However, it must be noted that the perception as to the maturity level may vary between the process/IT asset owner and the auditor. Therefore, an auditor should obtain the concerned stakeholder's concurrence before submitting the final report to management.

At the conclusion of the review, once all findings and recommendations are completed, the professional assesses the current state of the COBIT control framework, and assigns it a maturity level using the six-level scale. Some practitioners utilize decimals (x.25, x.5, x.75) to indicate gradations in the maturity model. As a further reference, COBIT provides a definition of the maturity designations by control objective. While this approach is not mandatory, the process is provided as a separate section at the end of the audit/assurance program for those enterprises that wish to implement it. It is suggested that a maturity assessment be made at the COBIT control level. To provide further value to the client/customer, the professional can also obtain maturity targets from the client/customer. Using the assessed and target maturity levels, the professional can create an effective graphic presentation that describes the achievement or gaps between the actual and targeted maturity goals. A graphic is provided as the last page of the document (section VIII), based on sample assessments.
IV. Assurance and Control Framework
ISACA IT Assurance Framework and Standards
The following ITAF sections are relevant to IT continuity planning:
• 3630.2—Information Resource Planning
• 3630.3—IT Service Delivery
• 3630.4—Information Systems Operations
• 3630.6—Outsourced and Third-party IT Activities
• 3630.8—Systems Development Life Cycle
• 3630.9—Business Continuity Plan and Disaster Recovery Plan
ISACA has long recognized the specialized nature of IT assurance and strives to advance globally applicable standards. Guidelines and procedures provide detailed guidance on how to follow those standards. IS Auditing Guideline G32 Business Continuity Plan Review From IT Perspective is relevant to this audit/assurance program.
ISACA Controls Framework
COBIT is an IT governance framework and supporting tool set that allows managers to bridge the gap among control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout enterprises. Utilizing COBIT as the control framework from which IT audit/assurance activities are based aligns IT audit/assurance with good practices as developed by the enterprise. The COBIT IT process, DS4 Ensure continuous service, from the Deliver and Support (DS) domain, addresses good practices for ensuring continuous service. The COBIT areas for this evaluation include:
• DS4 Ensure continuous service—The need for providing continuous IT services requires developing, maintaining and testing IT continuity plans, utilizing offsite backup storage and providing periodic continuity plan training. An effective continuous service process minimizes the probability and impact of a major IT service interruption on key business functions and processes.
• DS4.1 IT continuity framework—Develop a framework for IT continuity to support enterprisewide business continuity management using a consistent process. The objective of the framework should be to assist in determining the required resilience of the infrastructure and to drive the development of disaster recovery and IT contingency plans. The framework should address the organizational structure for continuity management, covering the roles, tasks and responsibilities of internal and external service providers, their management and their customers, and the planning processes that create the rules and structures to document, test and execute the disaster recovery and IT contingency plans. The plan should also address items such as the identification of critical resources, noting key dependencies, the monitoring and reporting of the availability of critical resources, alternative processing, and the principles of backup and recovery.
• DS4.2 IT continuity plans—Develop IT continuity plans based on the framework and designed to reduce the impact of a major disruption on key business functions and processes. The plans should be based on risk understanding of potential business impacts and address requirements for resilience, alternative processing and recovery capability of all critical IT services. They should also cover usage guidelines, roles and responsibilities, procedures, communication processes, and the testing approach.
• DS4.3 Critical IT resources—Focus attention on items specified as most critical in the IT continuity plan to build in resilience and establish priorities in recovery situations. Avoid the distraction of recovering less-critical items and ensure response and recovery in line with prioritized business needs, while ensuring that costs are kept at an acceptable level and complying with regulatory and contractual requirements. Consider resilience, response and recovery requirements for different tiers, e.g., one to four hours, four to 24 hours, more than 24 hours and critical business operational periods.
• DS4.4 Maintenance of the IT continuity plan—Encourage IT management to define and execute change control procedures to ensure that the IT continuity plan is kept up to date and continually reflects actual business requirements. Communicate changes in procedures and responsibilities clearly and in a timely manner.
• DS4.5 Testing of the IT continuity plan—Test the IT continuity plan on a regular basis to ensure that IT systems can be effectively recovered, shortcomings are addressed and the plan remains relevant. This requires careful preparation, documentation, reporting of test results and, according to the results, implementation of an action plan. Consider the extent of testing recovery of single applications to integrated testing scenarios to end-to-end testing and integrated vendor testing.
• DS4.6 IT continuity plan training—Provide all concerned parties with regular training sessions regarding the procedures and their roles and responsibilities in case of an incident or disaster. Verify and enhance training according to the results of the contingency tests.
• DS4.7 Distribution of the IT continuity plan—Determine that a defined and managed distribution strategy exists to ensure that plans are properly and securely distributed and available to appropriately authorized interested parties, when and where needed. Attention should be paid to making the plans accessible under all disaster scenarios.
• DS4.8 IT services recovery and resumption—Plan the actions to be taken for the period when IT is recovering and resuming services. This may include activation of backup sites, initiation of alternative processing, customer and stakeholder communication, and resumption procedures. Ensure that the business understands IT recovery times and the necessary technology investments to support business recovery and resumption needs.
• DS4.9 Offsite backup storage—Store offsite all critical backup media, documentation and other IT resources necessary for IT recovery and business continuity plans. Determine the content of backup storage in collaboration with business process owners and IT personnel. Management of the offsite storage facility should respond to the data classification policy and the enterprise's media storage practices. IT management should ensure that offsite arrangements are periodically assessed, at least annually, for content, environmental protection and security. Ensure compatibility of hardware and software to restore archived data, and periodically test and refresh archived data.
• DS4.10 Post-resumption review—Determine whether IT management has established procedures for assessing the adequacy of the plan in regard to the successful resumption of the IT function after a disaster, and update the plan accordingly.
Refer to the IT Governance Institute’s COBIT Control Practices: Guidance to Achieve Control Objectives for Successful IT Governance, 2nd Edition, published in 2007, for the related control practice value and risk drivers.
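DS4.9 asks for more than confirming that media exist offsite: the archived data must be restorable on current hardware and software, and the arrangement must be reassessed at least annually. The following Python script is an added example (not part of the ISACA program or of COBIT) of the restore test that supports that step. It compares files restored from an offsite media set against the SHA-256 digests recorded when the set was written, reports files that are missing, altered or not accounted for in the manifest, and flags a media set whose last verification is older than the annual interval. The manifest layout, the media identifier and the sample files are assumptions constructed for the example; the script builds them in a temporary directory so it runs offline.

```python
"""Restore-test check for an offsite backup media set (supports DS4.9).

Added example, not ISACA/COBIT code. Assumed manifest layout (hypothetical):
a dict with "media_id", "last_verified" (ISO date) and "files", which maps a
relative path to the SHA-256 hex digest recorded when the media was written.
"""
import hashlib
import json
import os
import tempfile
from datetime import date, timedelta

# Assumption taken from DS4.9: offsite arrangements are reassessed at least annually.
MAX_VERIFY_AGE = timedelta(days=365)


def sha256_of(path):
    """Stream a file through SHA-256 so large restores do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_restore(restore_dir, manifest, today):
    """Compare a restored tree with its manifest and return the findings."""
    findings = {"missing": [], "corrupt": [], "unexpected": [], "stale_media": False}
    expected = manifest["files"]
    for rel, digest in expected.items():
        path = os.path.join(restore_dir, rel)
        if not os.path.exists(path):
            findings["missing"].append(rel)          # media incomplete
        elif sha256_of(path) != digest:
            findings["corrupt"].append(rel)          # silent alteration or bit rot
    # Files present after the restore but absent from the manifest mean the
    # manifest is not an authoritative record of what is stored offsite.
    for root, _, names in os.walk(restore_dir):
        for name in names:
            rel = os.path.relpath(os.path.join(root, name), restore_dir)
            if rel not in expected:
                findings["unexpected"].append(rel)
    last_verified = date.fromisoformat(manifest["last_verified"])
    findings["stale_media"] = today - last_verified > MAX_VERIFY_AGE
    return findings


def build_sample(tmp):
    """Constructed sample: write an 'archive', manifest it, then simulate a
    restore in which one file is missing and one is silently corrupted."""
    archive = os.path.join(tmp, "archive")
    restore = os.path.join(tmp, "restore")
    os.makedirs(archive)
    os.makedirs(restore)
    files = {  # constructed contents, not real data
        "db/orders.sql": b"CREATE TABLE orders (id INT);\n",
        "config/app.ini": b"[app]\nmode=prod\n",
        "docs/runbook.txt": b"1. power on  2. restore db  3. start app\n",
    }
    manifest = {"media_id": "OFFSITE-001", "last_verified": "2008-01-15", "files": {}}
    for rel, data in files.items():
        p = os.path.join(archive, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
        manifest["files"][rel] = sha256_of(p)
    # Simulated restore: runbook absent, config altered by one byte, orders intact.
    for rel, data in files.items():
        if rel == "docs/runbook.txt":
            continue
        if rel == "config/app.ini":
            data = data.replace(b"prod", b"PROD")
        p = os.path.join(restore, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
    return restore, manifest


def run_sample():
    """Run the verification on the constructed sample as of 1 June 2009."""
    with tempfile.TemporaryDirectory() as tmp:
        restore, manifest = build_sample(tmp)
        return verify_restore(restore, manifest, date(2009, 6, 1))


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

Each non-empty finding maps to a DS4.9 failure: a missing or corrupt file means the archive cannot be relied on for recovery, an unexpected file means the inventory of offsite content is wrong, and a stale media date means the annual assessment has lapsed. Hashing on restore, rather than at write time only, is what detects media that degraded or were altered while in storage.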
V. Executive Summary of Audit/Assurance Focus
IT Continuity Planning
IT continuity planning is the process that ensures continuous operations of business applications and supporting IT systems (e.g., desktops, printers, network devices). IT continuity planning is a subset of enterprise business continuity planning. A business continuity plan is an enterprisewide group of processes and instructions to ensure the continuation of business processes in the event of an interruption. It provides the plans for the enterprise to recover from minor incidents (e.g., localized disruptions of business components) to major disruptions (e.g., fire, natural disasters, extended power failures, equipment and/or telecommunications failure). The plan is usually owned and managed by the business units and a disaster management or risk prevention function in the enterprise. The IT continuity plan addresses the IT exposures and solutions based on the priorities and framework of the business continuity plan. The role of the IT audit/assurance function is to address IT continuity risks. The business continuity plan should be evaluated for any guidance addressing its framework, priorities, responsibilities and objectives. The IT continuity plan must be aligned with the business continuity plan to ensure that:
• Risks are appropriately identified and evaluated by focusing on impact on business processes for known and potential risks
• The costs of implementing and managing continuity assurance are less than the expected losses and within management's risk tolerance
• The business priorities are addressed (critical applications, interim processes, restoration activities and mandated deadlines)
• Manual interfaces to automated processes are identified, personnel are trained, and practice drills are conducted
• Expectations are managed with realistic goals
Business Impact and Risk
Business reliance on automated solutions is tightly woven within the DNA of the enterprise. Applications, whether developed or acquired, are the operational backbone of a business. The risks and potential impacts to the enterprise for failure to establish a good-practice IT continuity plan and align it with the business continuity plan include enterprise inability to conduct normal business functions after a disruption due to:
• Failure of plans to reflect changes to business needs, applications portfolio or technology
• Inadequate planning and consideration of significant enterprise risk
• Failure to plan for, or inability to assess, the situation and implement alternate processes to fit unforeseen situations
• Inappropriate or incomplete recovery plans and processes, resulting in delayed restoration of processing
• Incomplete or untested interim processing and logistics plans
• Inadequate training and/or staff not prepared to execute the plan effectively and quickly
• Inadequate or unavailable staffing resources to restore processes on a timely basis
• Lack of plan change control, resulting in out-of-date restoration processes
• Unavailability of backup data and media due to missing documentation in offsite storage, accidental destruction of backup data, inability to locate media when needed, or inability to transport data within the prescribed time frame
• Regulatory violations resulting in fines or censure
• Reputational risk resulting in loss of customer confidence
• Increased costs for continuity management due to ineffective focus on risks and costs or failure to prioritize services recovery based on business need
• Lack of development of realistic threat scenarios that may potentially disrupt business processes
• Lack of consideration of all possible threat scenarios based upon potential circumstances and events
Objective and Scope
Objective—The IT continuity planning audit/assurance review will:
• Provide management with an evaluation of the IT function's preparedness in the event of a process disruption
• Identify issues that may limit interim business processing and restoration of same
• Provide management with an independent assessment relating to the effectiveness of the IT continuity plan and its alignment with the business continuity plan and IT security policy
Scope—The review will focus on the IT continuity plan and its alignment with the enterprise business continuity plan, policies, standards, guidelines, procedures, laws and regulations that address maintaining continuous IT services. This will address:
• Development, maintenance and testing of the IT continuity plan
• Ability to provide interim IT services and the restoration of same
• Risk management and costs related to the IT continuity plan
The review relies on the existence of a business continuity plan. Policy, standards and guidelines related to, and implementation of, the business continuity plan are outside the scope of this review.
Minimum Audit Skills
The IT audit and assurance professional should have an understanding of good-practice business continuity and disaster recovery processes and requirements. Professionals holding CISA certification should have these skills.
VI. Audit/Assurance Program
1. PLANNING AND SCOPING THE AUDIT
1.1 Define audit/assurance objectives. The audit/assurance objectives are high level and describe the overall audit goals.
1.1.1 Review the audit/assurance objectives in the introduction to this audit/assurance program.
1.1.2 Modify the audit/assurance objectives to align with the audit/assurance universe, annual plan and charter.
1.2 Define boundaries of review. The review must have a defined scope. The reviewer should understand the operating environment and prepare a proposed scope, subject to a later risk assessment.
1.2.1 Obtain and review the business continuity and IT continuity policies.
1.2.2 Obtain and review the BCP and the ITCP.
1.2.3 Determine the entities, processes and systems addressed in the BCP and ITCP.
1.2.4 Establish initial boundaries of the audit/assurance review.
1.2.5 Obtain and review any previous audit reports with remediation plans. Identify open issues and assess updates of documents with respect to these issues.
1.2.6 Identify limitations and/or constraints affecting the audit of specific systems.
[Work program table columns for each step: COBIT Cross-reference; COSO (Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring); Reference Hyperlink; Issue Cross-reference; Comments]
1.3 Define assurance. The review requires two sources of standards. The corporate standards defined in the policy and procedure documentation establish the corporate expectations. At minimum, corporate standards should be implemented. The second source, a good-practice reference, establishes industry standards. Enhancements should be proposed to address gaps between the two.
1.3.1 Review the business continuity policy and standards.
1.3.2 Determine if COBIT and the appropriate business continuity framework will be used as a good-practice reference.
1.3.3 Determine if there are gaps in the policy.
1.4 Identify and document risks. The risk assessment is necessary to evaluate where audit resources should be focused. In most enterprises, audit resources are not available for all processes. The risk-based approach assures utilization of audit resources in the most effective manner.
1.4.1 Identify the business risk associated with the BCP and ITCP.
1.4.2 Obtain and review the business impact analysis (BIA) document.
1.4.3 Review previous audits of BCP and ITCP and other assessments.
1.4.4 Determine if issues identified previously have been remediated.
1.4.5 Evaluate the overall risk factor for performing the review.
1.4.6 Based on the risk assessment, identify changes to the scope.
1.4.7 Discuss the risks with IT, business and operational audit management, and adjust the risk assessment.
1.4.8 Based on the risk assessment, revise the scope.
1.5 Define the change process. The initial audit approach is based on the reviewer's understanding of the operating environment and associated risks. As further research and analysis are performed, changes to the scope and approach will result.
1.5.1 Identify the senior IT assurance resource responsible for the review.
1.5.2 Establish the process for suggesting and implementing changes to the audit/assurance program, and the authorizations required.
1.6 Define assignment success. The success factors need to be identified. Communication among the IT audit/assurance team, other assurance teams and the enterprise is essential.
1.6.1 Identify the drivers for a successful review (this should exist in the assurance function's standards and procedures).
1.6.2 Communicate success attributes to the process owner or stakeholder and obtain agreement.
1.7 Define audit/assurance resources required. The resources required are defined in the introduction to this audit/assurance program.
1.7.1 Determine the audit/assurance skills necessary for the review.
1.7.2 Estimate the total resources (hours) and time frame (start and end dates) required for the review.
1.8 Define deliverables. The deliverable is not limited to the final report. Communication between the audit/assurance teams and the process owner is essential to assignment success.
1.8.1 Determine the interim deliverables, including initial findings, status reports, draft reports, due dates for responses or meetings, and the final report.
1.9 Communications. The audit/assurance process must be clearly communicated to the customer/client.
1.9.1 Conduct an opening conference to discuss the review objectives with the BCP committee, IT management and key user management directly responsible for the business recovery planning effort. The scope of this program should include the following areas:
• Business assessment
• Recovery strategy
• Plan development
• Communications recovery (voice and data)
• Hardware/software
• Facilities recovery
• Staff recovery
• Plan maintenance
• Plan testing
[COBIT cross-references recorded in the work program table for the section 2 and 3 steps: PO4.8, DS4.1, DS4.2, DS4.3]
2. CONTINUITY FRAMEWORK AND POLICY
2.1 IT continuity framework
Audit/assurance objective: A framework for IT continuity to support enterprisewide business continuity management using a consistent process should be developed. The business continuity effort should be sponsored by the management of the business units or a business continuity task force. The framework should address the organizational structure for continuity management, covering the roles, tasks and responsibilities of internal and external service providers, their management and their customers, and the planning processes that create the rules and structures to document, test and execute the disaster recovery and IT contingency plans. The plan should also address items such as the identification of critical resources, noting key dependencies; the monitoring and reporting of the availability of critical resources; alternative processing; and the principles of backup and recovery.
2.1.1 Organization and governance
Control: The business has established a business continuity task force/committee/organization to establish and maintain a business continuity process.
2.1.1.1 Determine if the enterprise has a BCP project plan or program, and indicate the date of acceptance and/or review.
2.1.1.2 Determine if a budget for the BCP and its components is included in the enterprise's budget.
2.1.1.3 Determine if the BCP team member roles and responsibilities have been assigned at an appropriate level of authority to carry out those responsibilities, and that the team has appropriate executive sponsors.
2.1.2 Participation
Control: The business continuity function includes representatives from affected business areas and IT, and responsibility for the business continuity function is assigned to business operations and not IT.
2.1.2.1 Determine if the members of the BCP team are representatives from the affected organizations.
2.1.2.2 Determine if the leadership and sponsorship of the BCP is assigned to the business, and is not driven by IT.
2.1.2.3 Determine if responsibility for the BCP process is assigned to an executive at a senior level in the enterprise, so that the process receives adequate support and resources.
2.1.3 Mission statement
Control: The mission statement and goals of the BCP team are in alignment with the enterprise's policies addressing business continuity.
2.1.3.1 Review the BCP policy and mission statements to ensure that they are in alignment.
2.1.4 Risk-focused BCP
Control: The BCP utilizes risk analysis to determine the strategy and recovery plans.
2.1.4.1 Determine if the framework requires reliance on risk assessments and the BIA to determine critical resource requirements, alternative processing strategies and recovery.
3. BUSINESS ASSESSMENT OF CONTINGENCY PLANNING REQUIREMENTS
3.1 Business assessment
Audit/assurance objective: The business recovery needs and the drivers for the development of an ITCP should be identified.
3.1.1 Risk assessment
Control: Risk assessment and BIA methods are utilized to establish business interruption exposures, their probability and impact, and remediation alternatives.
3.1.1.1 Determine if a risk assessment has been performed that identifies business and operational exposures, including both physical (floods, hurricanes, power failures) and operational (failures caused by error or facilities interruptions) exposures.
Information and Communication
Control Environment
Control Activities
Crossreference
COBIT Audit/Assurance Program Step
Risk Assessment
COSO Reference Hyperlink
Issue Crossreference
Comments
IT Continuity Planning Audit/Assurance Program
3.1.1.2 Determine if the BIA has identified all of the critical and necessary business functions and their resource dependencies.
3.1.1.3 Determine if a BIA to assess potential business losses from any event that interrupts a major business process has been conducted and documented. The BIA should document an enterprise's business processes, their criticality and recovery time objectives, and the resources needed to recover them.
3.1.1.4 Determine if the risk assessment is extended to include physical (loss of processing facilities—owned, leased or outsourced) and logical (communications failure, denial-of-service attacks, viruses, systems development and vendor failure, etc.) IT risks.
3.1.1.5 Review the BIA and determine if it includes an estimate of the financial, operational and regulatory/compliance exposures and impact of a disruption.
3.1.1.6 Review the risk assessment and determine if it documents the mitigating steps that are in place to address these threats.

3.1.2 Recovery point objectives
Control: Recovery point objectives (RPOs) have been established to provide guidelines for the time required to restore or provide interim services.
COBIT cross-reference: DS4.2
3.1.2.1 Determine if recovery time objectives (RTOs) have been assigned to all critical business process components. The RTO is the amount of time allowed for the recovery of a business function.
3.1.2.2 Review and determine if RPOs that address the amount of data that is allowed to be lost during recovery have been established for the major applications and whether the RPOs appear to be reasonable.
4. INTEGRATION OF BUSINESS CONTINUITY AND IT CONTINUITY PLANS

4.1 BCP development
Audit/assurance objective: An ITCP should be established to reflect the BCP.

4.1.1 Alignment of BCP and ITCP
Control: The ITCP is aligned with and supports the business continuity plan.
COBIT cross-reference: DS4.1 DS4.2
4.1.1.1 Determine if the establishment of an ITCP is a subset of BCP and supports the BCP.
4.1.1.2 Determine the enterprise's BCP environmental components addressed (facility, power, staff, etc.) that allow the business to function.

5. IT CONTINUITY PLAN

5.1 ITCP development
Audit/assurance objective: The ITCP should be complete and should address the business continuity requirements defined in the BCP.

5.1.1 Communications
Control: The communications components necessary to provide network access to the computing facilities are included in the ITCP.
COBIT cross-reference: DS4.2 DS4.3 DS4.8
5.1.1.1 Confirm the existence of a network diagram by obtaining the most recent copy, noting the date.
5.1.1.2 Confirm with the communications department the accuracy and completeness of the network diagram.
5.1.1.3 Confirm the existence of a network circuit inventory by obtaining a copy, noting the date.
5.1.1.4 Confirm that the circuit inventory contains information regarding:
• Voice and data lines
• Configuration
• Circuit number
• Origination and termination
• Line speed
• Line type (leased, copper T1, fiber T3, dial-up, etc.)
• Primary use (data or voice)
• Carrier
• Vendor identification and information
• Switching equipment (onsite and offsite)
• Fail-over arrangements
• Critical applications supported
• If the primary use is for both data and voice, determine the estimated percentage of each by interviewing the communications department personnel
5.1.1.5 In reviewing the communications section of the plan, note the existence of a list of primary and alternate members of the communications recovery team. Verify the accuracy of the list by:
• Confirming that team members are actively employed by the company
• Obtaining an organization chart for the communications department or IT department and confirming that each team member is listed on the chart
• Confirming with team members:
  – Awareness of their responsibilities
  – Information such as phone numbers and work location as referenced in the notification procedures
5.1.1.6 Determine what arrangements have been made to recover the communications environment and ascertain that they have been reviewed and approved by an appropriate level of senior management. To do so:
• Review the facilities strategy (hot site, cold site, etc.) and determine if there are provisions in the strategy for communications equipment.
• If a contract exists for an offsite location, determine if it includes commitments for network support.
• Review contracts with communications vendors and determine their commitment to restoring network switching capabilities.
• If an onsite telephone system is installed, confirm the existence of alternate outside phone lines for backup.
• If no onsite telephone system exists, determine what arrangements have been made to move key employees whose primary duties require the use of a telephone to an alternate site.
5.1.1.7 Confirm that an inventory list exists for telecommunications equipment required by the critical applications by obtaining a copy for the documentation.
5.1.1.8 Obtain an organization chart of the network administration department, and verify that the employees listed in the employee and vendor contact list are on the chart and the information on the list is accurate. Note: This information may already be included in the hardware requirements inventory of this audit program. If it is, then indicate so by referencing that section.
5.1.1.9 Review the communications recovery action steps contained in the business recovery plan. Note any discrepancies.

5.1.2 Hardware
Control: The hardware configuration and procurement plans provide for the ability to acquire and configure hardware within the interim period established in the BCP.
COBIT cross-reference: DS4.2 DS4.3 DS4.8
5.1.2.1 Confirm that an inventory of current hardware exists by obtaining a copy, noting the date.
5.1.2.2 For each device, the inventory should include:
• Vendor
• Model number
• Serial number
• Location
• Brief description of equipment (e.g., central processing unit, modem, firewall, tape drive)
• Original purchase cost
• Monthly lease amount
• Purchase date
5.1.2.3 Confirm the existence of an adequate hardware requirements inventory list for critical applications by obtaining a copy and reviewing it for the types of items listed previously.
5.1.2.4 If a contract exists for an offsite location, obtain a copy of the scheduled equipment and compare it with the current inventory. Confirm with IT management that the hardware is adequate and compatible to meet the recovery requirements.
5.1.2.5 Determine what arrangements have been made to obtain hardware not previously subscribed to or leased ahead of time.
5.1.2.6 Confirm that there is a current hardware configuration layout by obtaining a copy and noting the date. The layout should show the physical location of each hardware device.

5.1.3 Software: critical systems and applications
Control: The critical applications and supporting platforms have been identified, and the required software and data are available for interim processing and restoration, and are in alignment with the BCP.
COBIT cross-reference: PO4.2 DS4.2 DS4.3 DS4.4
5.1.3.1 Confirm that a list of all critical applications exists by obtaining a copy. This list should identify:
• The prioritization of applications to be recovered
• The system (server, mainframe, etc.) on which each application is loaded and running, and the physical location of that system
5.1.3.2 Compare the list of all critical applications to the recovery plan to determine if a recovery strategy exists for each critical application.
5.1.3.3 Compare the list of all critical applications to the hardware inventory in the recovery plans to ensure that each critical application will have the necessary hardware resources available.
5.1.3.4 Confirm that a recovery job schedule exists that shows the recovery sequence of the critical applications. Obtain copies for the documentation.
5.1.3.5 Determine how often the critical applications list is reviewed and updated. If the list has not been updated within the last three months, verify its accuracy with the operations manager and key users of the applications listed.
5.1.3.6 Confirm that a list exists of all users for each application identified on the critical applications list. This list should also indicate which skills the users would need in a recovery effort.
5.1.3.7 Confirm the existence of a list that identifies the systems software with the following descriptions:
• Operating system
• Release, version level, service pack level, etc.
• Serial number (if any)
• Platform (server or mainframe)
• Software controls
Verify the accuracy of this list with IT management.
5.1.3.8 Confirm the existence of an employee and vendor contact list for each systems software version/release identified in the previous step. This contact list should include:
• Primary contact name
• Work location (address and room number)
• Office phone number
• Home phone number
• Pager number
• Alternate contact name
• Work location (address and room number)
• Office phone number
• Home phone number
Verify this information with IT management.
5.1.3.9 Obtain an organization chart of the systems programming department, and verify that the employees listed in the employee and vendor contact list are on the chart and the information on the list is accurate.

5.1.4 Data recovery
Control: Data recovery procedures have been established and tested to ensure availability of data.
COBIT cross-reference: DS4.2 DS4.8
5.1.4.1 Determine if adequate generations of key data and operating systems are maintained at the offsite location.
5.1.4.2 Determine if data and operating system restore procedures are routinely tested.
5.1.4.3 Determine if the backup process includes the workstations that are the user interface to the applications.
5.1.4.4 Determine if the restoration media can physically restore the data within the prescribed time frame (consider interdependencies of interfacing software).
5.1.4.5 Determine if alternate plans exist in the event that air service is suspended or unavailable.
5.1.4.6 Determine if data backup is available and can be transported to the interim processing site within the time frame established in the BCP.
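Steps 3.1.2.1, 3.1.2.2 and 5.1.4.1 through 5.1.4.4 each ask the reviewer to compare a documented target (RTO, RPO, offsite generations, restore testing) against evidence. The following script is an added illustration of how an auditor might automate that comparison as a computer-assisted audit technique; it is not part of the ISACA program. The application list, the backup evidence and the thresholds (three offsite generations, a 90-day restore-test window) are constructed assumptions for the example, and each finding cites the program step it supports.

```python
"""Cross-check RTO/RPO targets and backup evidence for critical applications.

Added example, not part of the ISACA IT Continuity Planning Audit/Assurance
Program. All data below is constructed; the thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass
class CriticalApp:
    name: str
    priority: int               # recovery sequence from the critical applications list
    rto: Optional[timedelta]    # recovery time objective from the BIA; None = not assigned
    rpo: Optional[timedelta]    # recovery point objective from the BIA; None = not established


@dataclass
class BackupEvidence:
    app: str
    last_backup_utc: datetime                  # completion time of the last successful backup
    offsite_generations: int                   # backup generations held at the offsite location
    last_restore_test_utc: Optional[datetime]  # last documented restore test, if any
    restore_duration: Optional[timedelta]      # restore time measured during that test


Finding = Tuple[str, str, str]  # (application, finding code, detail)


def assess(apps: List[CriticalApp], evidence: List[BackupEvidence], as_of: datetime,
           min_generations: int = 3, max_test_age: timedelta = timedelta(days=90)) -> List[Finding]:
    """Return findings ordered by recovery priority; an empty list means no exceptions."""
    by_app = {e.app: e for e in evidence}
    findings: List[Finding] = []
    for app in sorted(apps, key=lambda a: a.priority):
        if app.rto is None:
            findings.append((app.name, "NO_RTO", "no RTO assigned (step 3.1.2.1)"))
        if app.rpo is None:
            findings.append((app.name, "NO_RPO", "no RPO established (step 3.1.2.2)"))
        ev = by_app.get(app.name)
        if ev is None:
            findings.append((app.name, "NO_BACKUP_EVIDENCE",
                             "no backup record for this application (step 5.1.4.1)"))
            continue
        backup_age = as_of - ev.last_backup_utc
        if app.rpo is not None and backup_age > app.rpo:
            findings.append((app.name, "RPO_EXCEEDED",
                             f"last backup is {backup_age} old, RPO is {app.rpo} (steps 3.1.2.2, 5.1.4.7)"))
        if ev.offsite_generations < min_generations:
            findings.append((app.name, "INSUFFICIENT_GENERATIONS",
                             f"{ev.offsite_generations} offsite generations, {min_generations} expected (step 5.1.4.1)"))
        # A restore time is only meaningful if it comes from a recent, documented test.
        if ev.last_restore_test_utc is None or as_of - ev.last_restore_test_utc > max_test_age:
            findings.append((app.name, "RESTORE_TEST_STALE",
                             f"no restore test within {max_test_age.days} days (step 5.1.4.2)"))
        elif app.rto is not None and ev.restore_duration is not None and ev.restore_duration > app.rto:
            findings.append((app.name, "RTO_EXCEEDED",
                             f"measured restore took {ev.restore_duration}, RTO is {app.rto} (step 5.1.4.4)"))
    return findings


# Constructed sample data for the example (not from any real enterprise).
AS_OF = datetime(2024, 1, 15, 8, 0, tzinfo=timezone.utc)
SAMPLE_APPS = [
    CriticalApp("order-entry", 1, rto=timedelta(hours=4), rpo=timedelta(hours=1)),
    CriticalApp("payroll", 2, rto=timedelta(hours=24), rpo=timedelta(hours=24)),
    CriticalApp("reporting-warehouse", 3, rto=None, rpo=timedelta(hours=24)),
]
SAMPLE_EVIDENCE = [
    BackupEvidence("order-entry", AS_OF - timedelta(minutes=30), 5,
                   AS_OF - timedelta(days=20), timedelta(hours=6)),
    BackupEvidence("payroll", AS_OF - timedelta(hours=36), 2,
                   AS_OF - timedelta(days=200), timedelta(hours=3)),
]


def sample_findings() -> List[Finding]:
    """Run the check over the constructed sample data."""
    return assess(SAMPLE_APPS, SAMPLE_EVIDENCE, AS_OF)


if __name__ == "__main__":
    for app, code, detail in sample_findings():
        print(f"{app:20} {code:25} {detail}")
```

Run over the constructed data, the check reports that order-entry's measured restore exceeds its RTO, that payroll's last backup is older than its RPO with too few offsite generations and a stale restore test, and that reporting-warehouse has no RTO and no backup evidence at all. The restore-time comparison is deliberately skipped when the last test is stale, since an old measurement says nothing about the current environment; the finding codes are stable so that they can be carried into the program's Issue Crossreference column.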
5.1.4.7 Determine if procedures to address the recovery of data lost between the last backup and the time of disaster have been developed and documented.

5.1.5 Facilities recovery
Control: Appropriate facilities have been identified and plans are in place to support the interim processing and restoration of computer operations according to the priorities established in the BCP.
COBIT cross-reference: DS4.2 DS4.3 DS4.8 DS4.9
5.1.5.1 Ensure that the amount of square footage needed for operations has been analyzed and documented.
5.1.5.2 Determine if all of the possible in-house and outside solutions for recovery space have been considered in the development of the plan.
5.1.5.3 Verify that the plan addresses redundant electrical power requirements for recovery (uninterruptible power sources [UPSs], backup generators).

5.1.6 Staff recovery
Control: Staff responsibilities, notification, substitution, and access procedures are in place to permit the timely assembly of staff and the commencement of interim and/or restoration procedures.
COBIT cross-reference: PO7.2 PO7.3 DS4.2 DS4.3 DS4.8
5.1.6.1 Verify that the plan clearly documents the organizational structure of the recovery teams and effectively communicates the responsibilities of the team members (response and recovery).
5.1.6.2 Determine if the plan has a procedure for contacting and accounting for all staff members after a disaster.
5.1.6.3 Determine if the plan contains procedures for recruiting temporary staff from other locations or organizations if primary staff members are not available.
5.1.6.4 Verify that the plan has provisions for offsite personnel to gain access to critical passwords, deal with vendors and release backup media in the event that onsite personnel are unavailable.
5.1.6.5 Determine if temporary housing and transportation have been included in the staff recovery plan.

5.1.7 Plan details
Control: The recovery plan contains adequate details to permit noncorporate IT professionals to implement the recovery plan if staff members are not available. The plan also provides for damage assessment, thresholds and formal decision points for plan activation.
COBIT cross-reference: DS4.1 DS4.2 DS4.3 DS4.7
5.1.7.1 Determine if recovery procedures are sufficiently detailed so that noncorporate personnel can carry out recovery tasks. Procedures should include details of the following:
• IT environment overview (interfaces and functionality)
• Recovery overview
• Recovery prerequisites (minimum hardware requirements, systems, manuals, firewall configurations, passwords)
• Damage assessment
• Recovery steps (physical, network, operating system, application, database)
• Postrecovery verification processes
• Procedures for maintaining service in recovery mode
• Procedures for transition to a primary recovery site
• Procedures for restoration to a permanent site
• Means for notifying relevant personnel of telecommunications, power and platform outages
• Arrangements for the immediate deployment of technical personnel in the event that primary personnel are not available
5.1.7.2 Determine if there are damage assessment steps with formal decision points and thresholds to activate the plan, and ascertain that the response is commensurate with the impact of the incident.
5.1.8 Third-party vendors
Control: Third-party vendors who execute business processes are included in the ITCP or a separate vendor-specific ITCP, and both approaches subscribe to the same policies, standards, guidelines and procedures as internally executed processes.
COBIT cross-reference: DS4.2
5.1.8.1 Determine if vendor contracts include IT continuity/business recovery requirements.
5.1.8.2 Determine if vendor processors are included in the enterprise's ITCP or in a vendor-specific ITCP document or agreement.
5.1.8.3 Determine if the third-party recovery plan subscribes to the same policies, standards and guidelines for risk assessment, hardware and software recovery, staffing recovery, data recovery, and facilities recovery.
5.1.8.4 Determine if third-party agreements include service level agreements (SLAs) for interim and restoration of services.
5.1.8.5 Determine if the vendor-specific ITCP is regularly tested.
5.1.8.6 Based on the test results, evaluate the effectiveness of the vendor ITCP.

5.1.9 Plan distribution
Control: The plan is distributed on a need-to-know basis, is securely stored in soft and hard copy, and can be obtained from multiple locations in the event that the primary storage location has been affected by the incident.
COBIT cross-reference: DS4.7
5.1.9.1 Determine who is on the distribution list and if the distribution list is appropriate and accurate.
5.1.9.2 Determine where the plan is stored and if it is accessible under various damage scenarios.
5.1.9.3 Determine if the backup sites are an appropriate balance between availability and redundancy.
5.2 ITCP maintenance
Audit/assurance objective: The ITCP should be maintained to reflect systems and applications changes as well as modifications to the BCP that impact the ITCP.

5.2.1 Plan maintenance
Control: The plan is maintained through inclusion in the systems development methodology, routine review of plan components and linkage to BCP reviews and enhancements.
COBIT cross-reference: DS4.1 DS4.2 DS4.3 DS4.4
5.2.1.1 Determine who is responsible for maintaining the plan, and review the maintenance and revision procedures.

5.2.2 Plan review
Control: The ITCP is reviewed as part of all applications and systems enhancements.
COBIT cross-reference: DS4.1 DS4.2 DS4.3 DS4.4
5.2.2.1 Determine if the plan is routinely reviewed and approved by an appropriate level of senior management.
5.2.2.2 Identify what triggers the maintenance of the plan, and determine if these instances are adequate to keep the plan up to date.

5.3 Plan testing
Audit/assurance objective: The plan should be tested regularly and the tests should include a comprehensive verification of continuity processes and situational drills to test the assumptions and alternate procedures within the plan.

5.3.1 Plan stress testing
Control: The ITCP tests utilize situational drills where resources are not available for the test, or the circumstances of the test are modified unannounced to verify the recovery team's ability to adapt to unplanned situations.
COBIT cross-reference: DS4.5
5.3.1.1 Verify that the tests include unannounced situations to stress test the recovery plan's assumptions and the staff's ability to react to unplanned events.
5.3.2 Analysis of test results
Control: The results from the plan tests are analyzed to identify issues that require BCP revision, additional training or additional resources.
COBIT cross-reference: DS4.5
5.3.2.1 Verify that changes to recovery plans have been made as a result of testing and lessons learned.
5.3.2.2 Determine if the results have been communicated to management.

5.3.3 Testing of recovery service levels
Control: Plan testing includes verification that the tests were completed within the intervals established in the BCP.
COBIT cross-reference: DS4.5
5.3.3.1 Determine if test results are compared against test criteria (RTOs, RPOs, etc.).

5.3.4 Test frequency
Control: The ITCP is tested routinely, according to the policy, and the tests address the requirements within the BCP.
COBIT cross-reference: DS4.5
5.3.4.1 Verify that the recovery plans are tested periodically.
5.3.4.2 Review the test criteria to determine if they will appropriately test the plan against the requirements identified in the BIA.
VII. Maturity Assessment
The maturity assessment is an opportunity for the reviewer to assess the maturity of the processes reviewed. Based on the results of the audit/assurance review and the reviewer's observations, assign a maturity level to each of the following COBIT control practices. (Assessment table columns: COBIT Control Practice; Assessed Maturity; Target Maturity; Reference Hyperlink; Comments.)

DS4.1 IT Continuity Framework
1. Assign responsibility for and establish an enterprisewide business continuity management process. This process should include an IT continuity framework to ensure that a business impact analysis (BIA) is completed and IT continuity plans support business strategy, a prioritized recovery strategy, necessary operational support based on these strategies and any compliance requirements.
2. Ensure that the continuity framework includes:
• The conditions and responsibilities for activating and/or escalating the plan
• Prioritized recovery strategy, including the necessary sequence of activities
• Minimum recovery requirements to maintain adequate business operations and service levels with diminished resources
• Emergency procedures
• Fallback procedures
• Temporary operational procedures
• IT processing resumption procedures
• Maintenance and test schedule
• Awareness, education and training activities
• Responsibilities of individuals
• Regulatory requirements
• Critical assets and resources and up-to-date personnel contact information needed to perform emergency, fallback and resumption procedures
• Alternative processing facilities as determined within the plan
• Alternative suppliers for critical resources
• Chain of communications plan
• Key resources identified
3. Ensure that the IT continuity framework addresses:
• Organizational structure for IT continuity management as a liaison to organizational continuity management
• Roles, tasks and responsibilities defined by SLAs and/or contracts for internal and external service providers
• Documentation standards and change management procedures for all IT continuity-related procedures and tests
• Policies for conducting regular tests
• The frequency and conditions (triggers) for updating the IT continuity plans
• The results of the risk assessment process (PO9)

DS4.2 IT Continuity Plans
1. Create an IT continuity plan, including:
• The conditions and responsibilities for activating and/or escalating the plan
• Prioritized recovery strategy, including the necessary sequence of activities
• Minimum recovery requirements to maintain adequate business operations and service levels with diminished resources
• Emergency procedures
• Fallback procedures
• Temporary operational procedures
• IT processing resumption procedures
• Maintenance and test schedule
• Awareness, education and training activities
• Responsibilities of individuals
• Regulatory requirements
• Critical assets and resources and up-to-date personnel contact information needed to perform emergency, fallback and resumption procedures
• Alternative processing facilities as determined within the plan
• Alternative suppliers for critical resources
2. Define underlying assumptions (e.g., level of outage covered by the plan) in the IT continuity plan and which systems (i.e., computer systems, network components and other IT infrastructure) and sites are to be included. Note alternative processing options for each site.
3. Ensure that the IT continuity plan includes a defined checklist of recovery events as well as a form for event logging.
4. Establish and maintain detailed information for every recovery site, including assigned staff and logistics (e.g., transport of media to the recovery site). This information should include:
• Processing requirements for each site
• Location
• Resources (e.g., systems, staff, support) available at each location
• Utility companies on which the site depends
5. Define response and recovery team structures, including reporting requirements, roles and responsibilities, as well as knowledge, skills and experience requirements for all team members. Include contact details of all team members, and ensure that they are maintained and readily available (e.g., offsite team, backup managing team).
6. Define and prioritize communication processes and define responsibility for communication (e.g., public, press, government). Maintain contact details of relevant stakeholders (e.g., crisis management team, IT recovery staff, business stakeholders, staff), service providers (e.g., vendors, telecommunications provider) and external parties (e.g., business partners, media, government bodies, public).
7. Maintain procedures to protect and restore the affected part of the organization, including, where necessary, reconstruction of the affected site or its replacement. This also includes procedures to respond to further disasters while in the backup site.
8. Create emergency procedures to ensure the safety of all affected parties, including coverage of occupational health and safety requirements (e.g., counseling services) and coordination with public authorities.

DS4.3 Critical IT Resources
1. Define priorities for all applications, systems and sites that are in line with business objectives. Include these priorities in the continuity plan. When defining priorities, consider:
• Business risk and IT operational risk
• Interdependencies
• The data classification framework
• SLAs and operating level agreements (OLAs)
• Costs
2. Consider resilience, response and recovery requirements for different tiers, e.g., one to four hours, four to 24 hours, more than 24 hours and critical business operational periods.

DS4.4 Maintenance of the IT Continuity Plan
1. Maintain a change history of the IT continuity plan. Ensure proper version management of the plan, e.g., through the use of document management systems. Ensure that all distributed copies are the same version.
2. Involve the business continuity and IT continuity manager(s) in the change management processes to ensure awareness of important changes that would require updates to the IT continuity plans.
3. Update the IT continuity plan as described by the IT continuity framework. Triggering events for the update of the plan include:
• Important architecture changes
• Important business changes
• Key staff changes or organization changes
• Incidents/disasters and the lessons learned
• Results from continuity plan tests

DS4.5 Testing of the IT Continuity Plan
1. Schedule IT continuity tests on a regular basis or after major changes in the IT infrastructure or to the business and related applications. Ensure that all new components (e.g., hardware, software updates, new business processes) are included in the schedule.
2. Create a detailed test schedule based on established recovery priorities. Ensure that test scenarios are realistic. Tests should include recovery of critical business application processing and should not be limited to recovery of infrastructure. Make sure that testing time is adequate and will not impact the ongoing business.
3. Establish an independent test task force that keeps track of all events and records all results to be discussed in the debriefing. The members of the task force should not be key personnel defined in the plan. This task force should independently report to senior management and/or the board of directors.
4. Perform a debriefing event wherein all failures are analyzed and solutions are developed or handed over to task forces. Ensure that all outstanding issues related to continuity planning are analyzed and resolved in an appropriate time frame. Schedule a retesting of the changes using similar or stronger parameters to ensure a positive impact on the recovery procedures.
5. If testing is not feasible, evaluate alternative means for ensuring resources for business continuity (e.g., dry run).
6. Measure and report the success or failure of the test and, therefore, the continuity and contingency ability for services to the risk management process (PO9).

DS4.6 IT Continuity Plan Training
1. On a regular basis (at least annually) or upon plan changes, provide training to the required staff members with respect to their roles and responsibilities.
2. Assess all needs for training periodically and update all schedules appropriately. While planning the training, take into account the timing and the extent of plan updates and changes, turnover of recovery staff, and recent test results.
3. Perform regular IT continuity awareness programs for all levels of employees as well as IT stakeholders to increase awareness of the need for an IT continuity strategy and their key role within it.
4. Measure and document training attendance, training results and coverage.

DS4.7 Distribution of the IT Continuity Plan
1. Define a proper distribution list for the IT continuity plan and keep this list up to date. Include people and locations in the list on a need-to-know basis. Ensure that procedures exist with instructions for storage of confidential information.
2. Define a distribution process that:
• Distributes the IT continuity plan in a timely manner to all recipients and locations on the distribution list
• Collects and destroys obsolete copies of the plan in line with the organization's policy for discarding confidential information
3. Ensure that all digital and physical copies of the plan are protected in an appropriate manner (e.g., encryption, password protection) and the document is accessible only by authorized personnel (recovery staff).

DS4.8 IT Services Recovery and Resumption
1. Activate the IT continuity plan when conditions require it.
2. Maintain an activity and problem log during recovery activities to be used during postresumption review.

DS4.9 Offsite Backup Storage
1. Provide protection for data commensurate with the value and security classification, from the time they are taken offsite, while in transport to/from the organization and at the storage location.
2. Ensure that the backup facilities are not subject to the same risks (e.g., geography, weather, key service provider) as the primary site.
3. Perform regular testing of:
• The quality of the backups and media
• The ability to meet the committed recovery time frame
4. Ensure that the backups contain all data, programs and associated resources needed for recovery according to plan.
5. Provide sufficient recovery instructions and adequate labeling of backup media.
6. Maintain an inventory of all backups and backup media. Ensure inclusion of all departmental processing, if applicable.

DS4.10 Post-resumption Review
1. Using the problem and activity log of recovery activities, identify the shortcomings of the plan after re-establishing normal processing, and agree on opportunities for improvement to include in the next update of the IT continuity plan.
VIII. Assessment Maturity vs. Target Maturity
[Radar chart, maturity scale 0 to 5, plotting the Assessment and Target series for each COBIT control practice: DS4.1 IT Continuity Framework; DS4.2 IT Continuity Plans; DS4.3 Critical IT Resources; DS4.4 Maintenance of the IT Continuity Plan; DS4.5 Testing of the IT Continuity Plan; DS4.6 IT Continuity Plan Training; DS4.7 Distribution of the IT Continuity Plan; DS4.8 IT Services Recovery and Resumption; DS4.9 Offsite Backup Storage; DS4.10 Post-resumption Review. The plotted values are not recoverable from the extracted text.]