
PART 3 – CISA Domain 2 – Governance and Management of IT


  • What is Risk Management?
  • What are the steps involved in Risk Management process?
  • What is Human Resource Management?
  • What are the Sourcing Practices?

7. Risk Management:

  • Risk management is the process of identifying vulnerabilities and threats to the information resources an organization uses to achieve its business objectives, and deciding what countermeasures to take to reduce risk to an acceptable level.
  • It encompasses identifying, analyzing, evaluating, treating, monitoring and communicating the impact of risk on IT processes.
  • The Board may choose to treat the risk in any of the following ways:
    1. Avoid—Eliminate the risk by eliminating the cause.
    2. Mitigate—Lessen the probability or impact of the risk by defining, implementing and monitoring appropriate controls.
    3. Share/Transfer (deflect, or allocate)—Share the risk with partners or transfer it via insurance coverage, contractual agreement or other means.
    4. Accept—Formally acknowledge the existence of the risk and monitor it.
Points to remember: The best way to assess IT risks is by evaluating the threats associated with existing IT assets and IT projects.
  • The steps of the Risk Management process are:
    • Step 1 – Asset identification – Examples: information, data, software, hardware, documents, personnel.
    • Step 2 – Evaluation of threats and vulnerabilities:
      1. Threat – A threat is a person or event that has the potential to impact a valuable resource in a negative manner. Common classes of threats are:
        • Errors
        • Malicious damage/attack
        • Fraud
        • Theft
        • Equipment/software failure
      2. Vulnerability – A vulnerability is a weakness in a system. Vulnerabilities make threat outcomes possible and potentially even more dangerous. Examples are:
        • Lack of user knowledge
        • Lack of security functionality
        • Inadequate user awareness/education (e.g., poor choice of passwords)
        • Untested technology
        • Transmission of unprotected communications
    • Step 3 – Evaluation of the impact – The result of a threat agent exploiting a vulnerability is called an impact.
      • In commercial organizations, threats usually result in:
        1. a direct financial loss in the short term, or
        2. an ultimate (indirect) financial loss in the long term.
      • Examples of such losses include:
        • Direct loss of money (cash or credit)
        • Breach of legislation (e.g., unauthorized disclosure)
        • Loss of reputation/goodwill
        • Endangering of staff or customers
        • Breach of confidence
        • Loss of business opportunity
        • Reduction in operational efficiency/performance
        • Interruption of business activity
    • Step 4 – Calculation of risk – A common method of combining the elements is to calculate, for each threat: probability of occurrence × magnitude of impact. This gives a measure of overall risk.
    • Step 5 – Evaluation of and response to risk
      • After risk has been identified, existing controls can be evaluated or new controls designed to reduce the vulnerabilities to an acceptable level.
      • These controls are referred to as countermeasures or safeguards and include actions, devices, procedures or techniques.
      • Residual risk, the remaining level of risk after controls have been applied, can be used by management to further reduce risk by identifying those areas in which more control is required.
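The five steps above, worked as an added example (not from the original article): a small Python risk register that records asset, threat and vulnerability, computes inherent risk as probability × impact (Step 4), applies countermeasures to obtain residual risk (Step 5), and maps each residual to one of the Board's four treatment options. The assets, threats, controls, monetary values and the treatment thresholds are constructed sample data and an assumed decision rule, not ISACA figures.

```python
from dataclasses import dataclass, field

# Probabilities are annual likelihoods (0.0-1.0); impacts are loss magnitudes
# in currency units. All values below are constructed for illustration.

@dataclass
class Control:
    name: str
    probability_reduction: float = 0.0  # fraction of likelihood the control removes
    impact_reduction: float = 0.0       # fraction of impact the control removes

@dataclass
class RiskItem:
    asset: str            # Step 1: asset identification
    threat: str           # Step 2: threat
    vulnerability: str    # Step 2: vulnerability the threat exploits
    probability: float
    impact: float         # Step 3: magnitude of the impact
    controls: list = field(default_factory=list)

    def inherent_risk(self) -> float:
        # Step 4: probability of occurrence x magnitude of impact
        return self.probability * self.impact

    def residual_risk(self) -> float:
        # Step 5: countermeasures reduce likelihood and/or impact; reductions compound
        p, i = self.probability, self.impact
        for c in self.controls:
            p *= 1.0 - c.probability_reduction
            i *= 1.0 - c.impact_reduction
        return p * i

def treatment(item: RiskItem, appetite: float) -> str:
    """Assumed decision rule mapping residual risk to the Board's four options."""
    residual = item.residual_risk()
    if residual <= appetite:
        return "Accept"                      # within appetite: acknowledge and monitor
    if item.impact > 10 * appetite and item.probability < 0.05:
        return "Share/Transfer"              # rare but severe: insurance/contract
    if residual >= 5 * appetite:
        return "Avoid"                       # far outside appetite: remove the cause
    return "Mitigate"                        # otherwise add or strengthen controls

def build_register() -> list:
    mfa = Control("MFA on remote access", probability_reduction=0.8)
    backups = Control("Tested offline backups", impact_reduction=0.7)
    return [  # constructed sample entries
        RiskItem("Customer DB", "Malicious attack", "Lack of security functionality", 0.30, 500_000, [mfa, backups]),
        RiskItem("Payroll system", "Fraud", "Lack of user knowledge", 0.10, 200_000),
        RiskItem("Data center", "Equipment failure", "Untested technology", 0.02, 2_000_000),
    ]

def ranked(register: list, appetite: float) -> list:
    """Rows of (asset, threat, inherent, residual, treatment), highest residual first."""
    rows = [(r.asset, r.threat, round(r.inherent_risk()), round(r.residual_risk()),
             treatment(r, appetite)) for r in register]
    return sorted(rows, key=lambda row: row[3], reverse=True)
```

Sorting by residual rather than inherent risk is what shows management where more control is still required; here the heavily controlled customer database drops to the bottom while the uncontrolled equipment-failure risk rises to the top.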

8. Human Resource Management:

  • In the hiring process, the first step before hiring a candidate is a background check (e.g., criminal, financial, professional, references, qualifications).
  • A required vacation (holiday) ensures that once a year, at a minimum, someone other than the regular employee will perform a job function. This reduces the opportunity to commit improper or illegal acts. During this time, it may be possible to discover fraudulent activity, as long as there has been no collusion between employees to cover possible discrepancies (mandatory leave is a control measure).
  • Job rotation provides an additional control (to reduce the risk of fraudulent or malicious acts) because the same individual does not perform the same tasks all the time. This gives an individual other than the regularly assigned person the opportunity to perform the job and notice possible irregularities.
  • Termination policies should be structured to provide adequate protection for the organization’s computer assets and data. The following control procedures should be applied:
    • Return of all devices, access keys, ID cards and badges
    • Deletion/revocation of assigned logon IDs and passwords
    • Notification to appropriate staff and security personnel regarding the employee’s status change to “terminated”
    • Arrangement of the final pay routines
    • Performance of a termination interview
Points to remember:

  • The CISA candidate should be aware of the above process – from hiring to termination. ISACA tests on the knowledge at each step – on what the enterprise should/should not do.
  • The employees should be aware of the enterprise IS policy. If not, the lack of knowledge would lead to unintentional disclosure of sensitive information
  • When an employee is terminated, the immediate action/most important action/first step the enterprise should take is to disable the employee’s logical access and communicate the termination of the employee.

9. Sourcing Practices:

  • Delivery of IT functions can include:
    • Insourced – Fully performed by the organization’s staff
    • Outsourced – Fully performed by the vendor’s staff
    • Hybrid – Performed by a mix of the organization’s and vendor’s staffs; can include joint ventures/supplemental staff
  • IT functions can be performed across the globe, taking advantage of time zones and arbitraging labor rates, and can include:
    • Onsite – Staff work onsite in the IT department.
    • Offsite – Also known as nearshore, staff work at a remote location in the same geographic region.
    • Offshore – Staff work at a remote location in a different geographic region.
  • Objective of outsourcing – to achieve lasting, meaningful improvement in business processes and services through corporate restructuring to take advantage of a vendor’s core competencies
  • The management should consider the following areas for moving IT functions offsite or offshore:
    • Legal, regulatory and tax issues
    • Continuity of operations
    • Personnel
    • Telecommunication issues
    • Cross-border and cross-cultural issues
Points to remember:

  • The most important function of IS management in outsourcing practices is – monitoring the outsourcing provider’s performance
  • The enterprise cannot outsource the accountability for IT security policy. The accountability always lies with the senior management/Board of directors
  • When the outsourcing service is provided in another country, the major concern for the IS auditor is – the legal jurisdiction can be questioned
  • The clause in outsourcing contract that can help in improving the service levels and minimize the costs is – Gain-sharing performance bonuses.


Aswini Srinath
Writer And Editor
I am a qualified Chartered Accountant based out of Chennai, with 8+ years of experience in various roles in the finance domain including CA Practice, financial reporting and auditing. I have always been keen to challenge myself by exploring potential capabilities outside of my core competency. Picked up Information Security as one such thing. Cleared CISA with 2nd Rank in ISACA Chennai Chapter in 2019. Since then, I have been sharing my learning and experience with a small group of avid followers, helping them prepare for their CISA exams. This article is also one such attempt, where I summarize the key areas in each domain based on the importance and weightage from an exam point of view.