PART 4 – CISA Domain 2 – Governance and Management of IT
- What are the various Information Security roles and their Responsibilities?
- What is Business Continuity Planning (BCP)?
- What is Business Impact Analysis (BIA)?
10. Information Security – Roles and Responsibilities:
- a. Systems development manager – Responsible for programmers and analysts who implement new systems and maintain existing systems
- b. Project management – Responsible for planning and executing IS projects; may report to a project management office or to the development organization
- c. Help desk (service desk) – Responds to technical questions and problems faced by users
- d. Quality assurance (QA) manager – Responsible for negotiating and facilitating quality activities in all areas of information technology
- e. Information security management – Separate IT department, headed by a CISO. The CISO may report to the CIO or have a dotted-line (indirect reporting) relationship to the CIO
- f. Systems administrator – Responsible for maintaining major multiuser computer systems, including LANs, WLANs, WANs, etc.
- g. Database administration – Maintains the data structures in the corporate database system
11. Business Continuity Planning (BCP):
- The purpose of business continuity/disaster recovery is to enable a business to continue offering critical services in the event of a disruption and to survive a disastrous interruption to activities.
- The first step in preparing a BCP is to identify the business processes of strategic importance—those key processes that are responsible for both the permanent growth of the business and for the fulfillment of the business goals
- Based on the key processes, the risk management process should begin with a risk assessment
- The result of the risk assessment should be the identification of the following:
- The human resources, data, infrastructure elements and other resources (including those provided by third parties) that support the key processes
- A list of potential vulnerabilities—the dangers or threats to the organization
- The estimated probability of the occurrence of these threats
- The efficiency and effectiveness of existing risk mitigation controls (risk countermeasures)
- BCP is primarily the responsibility of senior management
- ISO for BCP – ISO 22301
- The IT business continuity plan should be aligned with the strategy of the organization. If the IT plan is a separate plan, it must be consistent with and support the corporate BCP.
Business Continuity policy:
- Is a document approved by top management that defines the extent and scope of the business continuity effort (a project or an ongoing program) within the organization
- Should be pro-active
- Is a most critical corrective control
- The business continuity policy serves several other purposes:
- Its internal portion is a message to internal stakeholders (i.e., employees, management, board of directors) that the company is undertaking the effort, committing its resources and expecting the rest of the organization to do the same.
- Its public portion is a message to external stakeholders (shareholders, regulators, authorities, etc.) that the organization is treating its obligations (e.g., service delivery, compliance) seriously.
- Business Continuity Planning (BCP) Incident Management:
- An incident is any unexpected event, even if it causes no significant damage
- Incidents are dynamic in nature
- Depending on an estimation of the level of damage to the organization, all types of incidents should be categorized. A classification system could include the following categories:
- Negligible – incidents are those causing no perceptible or significant damage
- Minor – events are those that, while not negligible, produce no negative material (of relative importance) or financial impact
- Major – incidents cause a negative material impact on business processes and may affect other systems, departments or even outside clients
- Crisis – major incident that can have serious material (of relative importance) impact on the continued functioning of the business and may also adversely impact other systems or third parties.
12. Business Impact Analysis (BIA):
- A critical step in developing the business continuity strategy and the subsequent implementation of the risk countermeasures and the BCP in particular
- Used to evaluate the critical processes (and the IT components supporting them) and to determine time frames, priorities, resources and interdependencies
- Different approaches for performing BIA:
- Detailed questionnaire
- Interview groups of key users
- Bring relevant IT personnel and end users (i.e., those owning the critical processes) together in a room to come to a conclusion regarding the potential business impact of various levels of disruptions.