The CISA Prep Guide: Mastering the Certified Information Systems Auditor Exam, part 3 (docx)


hand, and the relative costs of reducing the risks to acceptable levels sets the stage for adequate information security planning and management of the function. The overall information security plan will be the blueprint for the information security-related activities. This will necessarily be a dynamic plan that is periodically revisited and adjusted as changes occur in the threat-vulnerability landscape. The information technology security plan should have several of the following common elements:

■■ Periodic risk assessments and evaluations of current security status
■■ Incident identification and response, and follow-up processes
■■ Identification, creation, and communication of policy, standards, and leading practices
■■ Security awareness and training processes
■■ Communication-related security activities (phone or dial-up, Internet, trading partner connectivity, and so forth)
■■ Data access control activities, such as information ownership, data classification, firewall management, content control tool administration, and so forth
■■ User account administration activities, including adding users, modifying access needs, terminating accounts, periodically revalidating access needs, resetting passwords, and managing accounts and data access pairings
■■ Systems security activities, such as security plan and configuration documentation, implementation of minimum-security baselines, hardening of systems, maintenance of proper patch levels on systems, and investigation of new technologies
■■ Monitoring activities, such as network- and host-based intrusion detection implementation and management, and gathering log activity and reviewing it for violations of security policy
■■ Business partner access and risk management through vehicles like trust agreements, third-party security assessments, and so on
■■ New project security design, participation, and implementation, including risk assessment and the recommendation of appropriate security technology commensurate with the risk
■■ Security architecture design and implementation for the network, data systems, and interfaces

102 Chapter 2

As with all other aspects of management, there are a few key items to focus on. You should evaluate any available documentation in terms of policies, procedures, and standards. Determine whether they are sufficient for the environment and appropriate and commensurate with the risks and management's risk tolerance position. Analyze the strategy and mission being followed by information security, including plans and projects. Ensure that the priorities of management are understood and being addressed. Make sure that new and emerging threats are being considered in a timely manner and that the plans of the information security organization are being adjusted accordingly. Determine whether the stated deadlines and project milestones are realistic and appropriately funded, given the available resources and obstacles for the project plans. Identify any KPIs or process metrics used to encapsulate the performance of the information security processes and evaluate them. Draw conclusions on how well they represent the activities of the information security staff, whether they are communicated to and understood by management, and whether they are meeting the needs of the decision makers running the business.

Evaluating Business Continuity Management

As with most technical functions, you will be evaluating from a management perspective; the review of business continuity management begins with a review of the applicable policies in place and the corporate culture and risk tolerance related to this subject. Based on current studies, this is an area of risk mitigation that often gets a lot more lip service than action. This is especially true where systems and processes are large and complex, which is understandable because fail-over processing can be an expensive proposition.
Business continuity planning can be thought of as an insurance policy against service disruption. Management's philosophy and strategies towards disaster recovery and service continuity must be understood before you will be able to adequately assess the sufficiency of the continuity planning efforts that you will be analyzing. This philosophy should be reconciled for consistency with the quality and service commitments stated in the overall business mission and goals documentation. Management can be understandably hesitant to fund business continuity preparedness because it can be argued that it may never be needed. It only takes one situation like a natural disaster or terrorist act, both of which are unanticipated and out of management's control by nature, to understand the need and value of investing in continuity preparedness and the need to plan for alternative courses of action.

To ensure that the risks and potential disruptions which a business needs protection against have been properly considered in the business continuity decision-making process, you will need to review the business impact analysis that has been completed and the related documentation. Business impact analysis is a process where each business function, IS operation, information system, and application is analyzed for the impact of its unavailability or disruption of processing capability. This analysis must involve the business owners and the management that is responsible for meeting the business objectives resulting from these provided services. In this impact analysis process, the business needs and tolerable margins for error are identified and documented. The resultant risks to the business caused by disruption, from minor failures in service level up through major regional disasters, are examined to determine the impact to the business at the various failure levels and scenarios.

The results of this impact analysis will yield potential costs and losses for the various scenarios and provide a basis for evaluating the tolerance of unavailability for the given time spans and severity of disruption. Proper management of the business continuity process will ensure that a business impact analysis has been performed to a specific level of detail and depth with the involvement of business leaders and management. The management process will require documentation for these decisions and will accumulate all of the input into an overall strategy, prioritizing the various components into a comprehensive Business Continuity Plan (BCP) document. The IS organization will be required to prepare alternative courses of action that will meet the business objectives and the stated tolerance for unavailability defined by the business management that they support. There will be decision hierarchies described within this plan that define who can declare a disaster at the various disruption levels, and this plan will adhere to the published BCP and disaster recovery policies issued by the organization.

It also is important to ensure that manual business continuity processes exist, and are documented, practiced, and prepared for by the business units. Disruptions will inevitably happen. Depending on the tolerance of the business process for disruption, there need to be alternative processing procedures available for use while the IS organization is busy recovering the information technology. This is not an IS organization issue but is a critical element of any recovery process, and management would not be performing proper due diligence if it did not look to the business managers to support the business-in-progress while IT recovery was in progress.
Once the tolerable limits of unavailability for the business organizations are known and documented, IS management will be expected to oversee the creation of achievable recovery plans that include all necessary aspects of the IS process and related elements (such as interfaces) to return to an acceptable service level in the time frames identified by the business owners. This planning should be documented, exercised, modified based on the results of the testing conducted, and reported on to senior management and the business organizations so that the current state of recoverability is known to the affected parties at all times. The current limits of the recovery process should be used to adjust the expectations of the business organizations, and cyclical iterations of needs and recovery capabilities will need to be assessed and evaluated until satisfactory processes are established.

The management of IS continuity processes will need to manage many issues related to the dynamic nature of both the businesses and the IS configuration. As an auditor, you will need to evaluate the processes in place for modifying processes and expectations as change management processes introduce variations to business needs, IT infrastructure, and systems. Ensuring that these changes are captured and translated into the plans in place will be a mark of good business continuity management. This will trickle down to the hardware, software, supplies, documentation, testing, and training prepared for the various disruption scenarios.

Obviously, standard elements of disaster recovery and business continuity planning should not be overlooked in your evaluation of the management of these processes. These include:

■■ Processes for inventorying all relevant information technology and systems; determining how they interact, their relative needs for recovery capabilities, and the dependencies of these systems on each other and on external factors; and reconciling all of these interactions along with their business requirements into a prioritized list of what steps a recovery process should follow
■■ Processes for identifying hot sites, cold sites, or warm sites from which to recover when warranted, and ensuring that a relationship exists with an alternative processing arrangement
■■ Training for both the users, to employ alternative procedures during recovery situations, and IT personnel, to perform the recovery of technologies
■■ Maintaining the viability of the recovery plan through testing, review, and modification processes on a periodic and documented basis
■■ Communicating the realistic expectations and alternatives for business continuity, along with responsibilities and tasks required during recovery scenarios, to all affected parties
■■ Sufficiently and properly storing backup media and related processes, including current recovery documentation, procedures, and stop-gap processes for services that may be temporarily set aside in the throes of a recovery-in-progress, such as security audit and management oversight processes
■■ Ensuring that all applicable legislative and regulatory issues are considered and appropriately addressed in the planning and execution of recovery processes
■■ Ensuring that processes have been considered, documented, and tested to recover the business processes, transactions, and operations to the point of the failure
■■ Appropriately protecting processing and information assets during recovery processing

Evaluating IS Management Practices and Policy Compliance

In this chapter, we have reviewed the many aspects of the management of IS organizations and their subprocesses. This chapter has covered the following:

■■ The IS organization's relationship to the rest of the organization
■■ How this overall need best results in proper system architecture planning
■■ Staff roles and segregation
■■ Policies, standards, and leading practices
■■ Third-party services management
■■ Contracts and service level agreements
■■ Project management practices
■■ Change management practices
■■ Problem management practices
■■ Quality assurance management
■■ The System Development Life Cycle
■■ Performance measurement and management techniques
■■ Security and business continuity management

The details of these individual processes will be described in the subsequent chapters. These details will provide you with a view of the audit-related activities you will need to perform to obtain a comfort level with each of these areas' detailed processes and their related controls. Oversight and governance of these processes, and ensuring that these processes exist and are being managed and monitored appropriately, are the primary focus of this section of the exam and book content. Making sure that the big picture is being managed, as well as the detailed processes, is all part of the evaluation of the overall IS organization.

Resources

■■ Information Security Policies Made Easy, Version 9, Charles Cresson Wood (PentaSafe, 2002).
■■ BITS Framework: Managing Technology Risk for Information Technology (IT) Service Provider Relationships, October 2001 (www.bai.org/pdf/BITS-update-120901.pdf, for example).
■■ FFIEC guidance, "Risk Management of Outsourced Technology Services," issued November 28, 2000.
■■ AICPA Issues SOP 98-1 for "Internal-Use" Computer Software Accounting, March 5, 1998 (www.aicpa.org/news/p030598a.htm).
■■ Information regarding the Gramm-Leach-Bliley Act of 1999 (www.senate.gov/~banking/conf/).
■■ U.S. Department of Health and Human Services, Administrative Simplification (http://aspe.hhs.gov/admnsimp/).
■■ "RSA: Cybersecurity Czar Urges Cooperation, Spending," InfoWorld Daily News, February 19, 2002, article 1197.
■■ Information Systems Security Officer Guide, Dr. Gerald L. Kovacich, Butterworth-Heinemann, 1998.

Sample Questions

Here is a sampling of questions in the format of the CISA exam. These questions are related to the management, planning, and organization of information systems, and will help test your understanding of this subject. Answers with explanations are provided in Appendix A.

1. Which criteria would an IS auditor consider to be the most important aspect of an organization's IS strategy?
A. It includes a mission statement.
B. It identifies a mechanism for charging for its services.
C. It includes a Web-based e-commerce strategy.
D. It supports the business objectives.

2. From a segregation of duties standpoint, which of the following job functions should be performed by change control personnel?
I. Verifying that the source and object code match before moving code into production
II. Scheduling jobs to run in the production environment
III. Making changes to production code and data when programs fail
IV. Applying operating system patches
A. I only
B. I, II, and III
C. II and IV only
D. I and IV only

3. In a database management environment, which of the following functions should not be performed by the database administrator?
A. Sizing table space and memory allocations
B. Testing queries and consulting on table join limitations
C. Reviewing logs for fraudulent activity or access errors
D. Performing backups and recovery procedures

4. Many organizations require employees to take a mandatory one to two full weeks of contiguous vacation each year because
A. The organization wants to ensure that their employees' quality of life provides for happy employees in the workplace.
B. The organization wants to ensure that potential errors in process or irregularities in processing are identified by forcing a person into the job function as a replacement periodically.
C. The organization wants to ensure that the benefits provided by the company are fully used to enable full employment of replacement staff as much as possible.
D. The organization wants to ensure that their employees are fully cross-trained and able to take over other functions in case of a major disruption or disaster.

5. Which of the following would be most important in evaluating an IS organization's structure?
I. Human Resource policies that adequately describe job functions and duties sufficiently
II. Organization charts that identify clear reporting and authority lines
III. System configurations that are well documented in the system architecture
IV. Training requirements and provisions for cross training that are documented along with roles and responsibilities
A. I and II only
B. I, II, III, and IV
C. I, II, and IV only
D. II and III only

6. In a review of Human Resource policies in an IS organization, an IS auditor would be most concerned with the absence of
A. Requirements for job rotation on a periodic basis
B. A process for exit interviews to understand the employees' perception of management
C. The requirement for employees to sign a form signifying that they have read policies
D. The existence of a termination checklist requiring that keys and company property are obtained and all access permissions are to be revoked upon termination

7. A System Development Life Cycle can be best described as
A. A process used by programmers to document SOP 98-1 compliance
B. A methodology used to guide the process of software creation project management
C. A system design methodology that includes all the steps in problem definition, solution identification, testing, implementation, and maintenance of the solution
D. A process used to manage change control and approval cycles in a development environment

8. What is the primary difference between policies and standards?
A. Policies provide a high-level framework and standards are more dynamic and specific.
B. Policies take longer to write and are harder to implement than standards.
C. Standards require interpretation and must have associated procedures.
D. Policies describe how to do things and standards provide best practices guidance.

9. Which of the following is not a standard?
A. Approved access control methodologies
B. How to request a new account
C. Minimum security baseline for hardening a UNIX server
D. Description of acceptable backup and recovery methods for production data

10. Which of the following are not key considerations when reviewing third-party services agreements?
A. Provisions exist to retain ownership of intellectual property and assets.
B. The lowest price possible is obtained for the service rendered.
C. Business continuity planning and processes are part of the signed agreement.
D. Security and regulatory concerns are identified as risks during negotiations.

11. When evaluating project management, which of the following would you be least concerned in seeing evidenced?
A. Well-defined project scope and objectives
B. Costs identified with the resources allocated to the project
C. Timelines with achievable milestones
D. Sponsorship and approval by business process management

12. When evaluating a change control process, the IS auditor would be most concerned if he or she observed the following:
A. Change control personnel permitting systems programmers to patch operating systems
B. Computer operators running jobs that edit production data
C. Application programmers correcting data errors in production
D. Change control personnel copying code from production for testing purposes

Posted: 13/08/2014, 12:21
