Summary

This document provides guidelines for information security governance, focusing on organizational structure, roles, and responsibilities related to IT. It discusses IT governing committees, and the roles played by senior management and boards of directors.

Full Transcript

Guidelines for executing procedures are also the responsibility of operations. Guidelines should contain information that will be helpful in executing the procedures. This can include clarification of policies and standards, dependencies, suggestions and examples, narrative clarifying the procedures, background information that may be useful, and tools that can be used. Guidelines can be useful in many other circumstances as well, but they are considered here in the context of information security governance.

2.4 ORGANIZATIONAL STRUCTURE

Organizational structure is a key component to governance. It identifies the key decision-making entities in an enterprise. The following section provides guidance for organizational structures, roles and responsibilities within EGIT. Actual structures may differ depending on the size, industry and location of an enterprise.

2.4.1 IT GOVERNING COMMITTEES

Traditionally, organizations have had executive-level steering committees to handle IT issues that are relevant organizationwide. There should be a clear understanding of both the IT strategy and steering levels. ISACA has issued a document offering a clear analysis (figure 2.3). Organizations may also have other executive- and mid-management-led committees guiding IT operations, such as an IT executive committee, IT governance committee, IT investment committee and/or IT management committee.

Note: The analysis of IT steering committee responsibilities is information the CISA should know.

2.4.2 ROLES AND RESPONSIBILITIES OF SENIOR MANAGEMENT AND BOARDS OF DIRECTORS

Information security governance requires strategic direction and impetus. It requires commitment, resources and assignment of responsibility for information security management as well as a means for the board to determine that its intent has been met.
Effective information security governance can be accomplished only by involvement of the board of directors and/or senior management in approving policy; ensuring appropriate monitoring; and reviewing metrics, reports and trend analysis.

Board of Directors

Members of the board need to be aware of the organization’s information assets and their criticality to ongoing business operations. This can be accomplished by periodically providing the board with the high-level results of comprehensive risk assessments and business impact analysis (BIA). It may also be accomplished by business dependency assessments of information resources. These activities should include approval by board members of the assessment of key assets to be protected, which helps ensure that protection levels and priorities are appropriate to a standard of due care.

The tone at the top must be conducive to effective security governance. It is unreasonable to expect lower-level personnel to abide by security measures if they are not exercised by senior management. Senior management endorsement of intrinsic security requirements provides the basis for ensuring that security expectations are met at all levels of the enterprise. Penalties for noncompliance must be defined, communicated and enforced from the board level down.

Figure 2.3—Analysis of IT Steering Committee Responsibilities

Responsibility

IT Strategy Committee:
– Provides insight and advice to the board on topics such as:
  – The relevance of developments in IT from a business perspective
  – The alignment of IT with the business direction
  – The achievement of strategic IT objectives
  – The availability of suitable IT resources, skills and infrastructure to meet the strategic objectives
  – Optimization of IT costs, including the role and value delivery of external IT sourcing
  – Risk, return and competitive aspects of IT investments
  – Progress on major IT projects
  – The contribution of IT to the business (i.e., delivering the promised business value)
  – Exposure to IT risk, including compliance risk
  – Containment of IT risk
  – Direction to management relative to IT strategy
  – Drivers and catalysts for the board’s IT strategy

IT Steering Committee:
– Decides the overall level of IT spending and how costs will be allocated
– Aligns and approves the enterprise’s IT architecture
– Approves project plans and budgets, setting priorities and milestones
– Acquires and assigns appropriate resources
– Ensures that projects continuously meet business requirements, including reevaluation of the business case
– Monitors project plans for delivery of expected value and desired outcomes, on time and within budget
– Monitors resource and priority conflict between enterprise divisions and the IT function as well as between projects
– Makes recommendations and requests for changes to strategic plans (priorities, funding, technology approaches, resources, etc.)
– Communicates strategic goals to project teams
– Is a major contributor to management’s IT governance responsibilities and practices

Authority

IT Strategy Committee:
– Advises the board and management on IT strategy
– Is delegated by the board to provide input to the strategy and prepare its approval
– Focuses on current and future strategic IT issues

IT Steering Committee:
– Assists the executive in the delivery of the IT strategy
– Oversees day-to-day management of IT service delivery and IT projects
– Focuses on implementation

Membership

IT Strategy Committee:
– Board members and specialists who are not board members

IT Steering Committee:
– Sponsoring executive
– Business executives (key users)
– Chief information officer (CIO)
– Key advisors as required (i.e., IT, audit, legal, finance)

The board of directors is the accountable and liable body for the organization. Accountability means the board takes the responsibility of ensuring the organization follows the laws, behaves in an ethical manner, and makes effective use of its resources.

Senior Management

Implementing effective security governance and defining the strategic security objectives of an organization is a complex task. As with any other major initiative, it must have leadership and ongoing support from executive management to succeed. Developing an effective information security strategy requires integration with and cooperation of business process owners. A successful outcome is the alignment of information security activities in support of business objectives. The extent to which this is achieved will determine the cost-effectiveness of the information security program in achieving the desired objective of providing a predictable, defined level of assurance for business information and processes and an acceptable level of impact from adverse events.

Information Security Standards Committee

Security affects all aspects of an organization to some extent, and it must be pervasive throughout the enterprise to be effective.
To ensure that all stakeholders impacted by security considerations are involved, many organizations use a steering committee comprised of senior representatives of affected groups. This facilitates achieving consensus on priorities and trade-offs. It also serves as an effective communications channel and provides an ongoing basis for ensuring the alignment of the security program with business objectives. It can also be instrumental in achieving modification of behavior toward a culture more conducive to good security.

The chief information security officer (CISO) will primarily drive the information security program to have realistic policies, standards, procedures and processes that are implementable and auditable and to achieve a balance of performance in relation to security. However, it is necessary to involve the affected groups in a deliberating committee, which may be called the information security standards committee (ISSC). The ISSC includes members from C-level executive management and senior managers from IT, application owners, business process owners, operations, HR, audit and legal. The committee will deliberate on the suitability of recommended controls and good practices in the context of the organization, including the secure configuration of operating systems (OSs) and databases. The auditor’s presence is required to make the systems auditable by providing for suitable audit trails and logs. Legal is required to advise on liability and conflicts with the law. This is not a prescriptive list of members to be included on the ISSC. Members of the committee may be modified to suit the context of the organizations, and other members may be co-opted as necessary to suit the control objectives in question.

Chief Information Security Officer

All organizations have a CISO whether or not anyone holds the exact title.
The responsibilities may be performed by the CIO, CTO, CFO or, in some cases, the CEO, even when there is an information security office or director in place. The scope and breadth of information security is such that the authority required and the responsibility taken will inevitably make it a senior officer or top management responsibility. This could include a position such as a CRO or a CCO. Legal responsibility will, by default, extend up the command structure and ultimately reside with senior management and the board of directors. Failure to recognize this and implement appropriate governance structures can result in senior management being unaware of this responsibility and the related liability. It also usually results in a lack of effective alignment of business objectives and security activities. Increasingly, prudent management is elevating the position of information security officer to a senior management position, as organizations increasingly recognize their dependence on information and the growing threats to it.

IT Steering Committee

The enterprise’s senior management should appoint a planning or steering committee to oversee the IT function and its activities. A high-level steering committee for information systems is an important factor in ensuring that the IT department is in harmony with the corporate mission and objectives. Although not a common practice, it is highly desirable that a member of the board of directors who understands the risk and issues is responsible for IT and is chair of this committee. The committee should include representatives from senior management, each line of business, corporate departments, such as HR and finance, and the IT department.

The committee’s duties and responsibilities should be defined in a formal charter. Members of the committee should know IT department policies, procedures and practices. They should have the authority to make decisions within the group for their respective areas.
This committee typically serves as a general review board for major IS projects and should not become involved in routine operations. Primary functions performed by this committee include:

– Reviewing the long- and short-range plans of the IT department to ensure that they align with the corporate objectives.
– Reviewing and approving major acquisitions of hardware and software within the limits approved by the board of directors.
– Approving and monitoring major projects and the status of IS plans and budgets, establishing priorities, approving standards and procedures, and monitoring overall IS performance.
– Reviewing and approving sourcing strategies for select or all IS activities, including insourcing or outsourcing, and the globalization or offshoring of functions.
– Reviewing adequacy of resources and allocation of resources in terms of time, personnel and equipment.
– Making decisions regarding centralization versus decentralization and assignment of responsibility.
– Supporting development and implementation of an enterprisewide information security management program.
– Reporting to the board of directors on IS activities.

Note: Responsibilities will vary from enterprise to enterprise; the responsibilities listed are the most common responsibilities of the IT steering committee. Each enterprise should have formally documented and approved terms of reference for its steering committee, and IS auditors should familiarize themselves with the IT steering committee documentation and understand the major responsibilities that are assigned to its members. Many enterprises may refer to this committee with a different name. The IS auditor needs to identify the group that performs the previously mentioned functions.

Matrix of Outcomes and Responsibilities

The relationships between the outcomes of effective security governance and management responsibilities are shown in figure 2.4.
This matrix is not meant to be comprehensive but is intended merely to indicate some primary tasks and the management level responsible for those tasks. Depending on the nature of the organization, the titles may vary, but the roles and responsibilities should exist even if different labels are used.

Note: While figure 2.4 is not specifically tested in the CISA exam, the CISA candidate should be aware of this information.

Source: ISACA, Information Security Governance: Guidance for Information Security Managers, 2008

2.4.3 IT ORGANIZATIONAL STRUCTURE AND RESPONSIBILITIES

An IT department can be structured in different ways. One such format is shown in figure 2.5. The organizational chart depicted includes functions related to security, applications development and maintenance, technical support for network and systems administration, and operations. The organizational structure shows the IT department typically headed by an IT manager/director or, in large organizations, by a CIO.

Note: The CISA exam does not test specific job responsibilities because they may vary among organizations. However, universally known responsibilities such as business owners, information security functions and executive management might be tested, especially when access controls and data ownership are tested. A CISA should be familiar with SoD.

IT Roles and Responsibilities

An organizational chart is an important item for all employees to know, because it provides a clear definition of the department’s hierarchy and authorities. Additionally, job descriptions; responsible, accountable, consulted, informed (RACI) charts; and swimlane workflow diagrams provide IT department employees a more complete and clear direction regarding their (and others’) roles and responsibilities. The IS auditor should spend time in an auditee’s area to observe and determine whether the formal job description and structures coincide with real ones and are adequate.
Generally, the following IT functions should be reviewed:

– Systems development manager—Systems development managers are responsible for programmers and analysts who implement new systems and maintain existing systems.
– Project management—Project managers are responsible for planning and executing IS projects and may report to a project management office or to the development organization. Project management staff use budgets assigned to them for the delivery of IS initiatives and report on project progress to the IT steering committee. Project managers play a central role in executing the vision of the IT strategy and IT steering committees by planning, coordinating and delivering IT projects to the enterprise.
– Help desk (service desk)—More and more companies find a help desk function critical for their IT departments. A help desk is a unit within an organization that responds to technical questions and problems faced by users. Most software companies have help desks. Questions and answers can be delivered by telephone, fax, email or instant messaging. Help desk personnel may use third-party help desk software that enables them to quickly find answers to common questions. A procedure to record the problems reported, solved and escalated should be in place for analysis of the problems/questions. It helps in monitoring the user groups and improving the software/information processing facility (IPF) services.
  – Help desk/support administration includes the following activities:
    – Acquire hardware/software (HW/SW) on behalf of end users.
    – Assist end users with HW/SW difficulties.
    – Train end users to use HW/SW and databases; answer end-user queries.
    – Monitor technical developments and inform end users of pertinent developments.
    – Determine the source of problems with production systems and initiate corrective actions.
    – Inform end users of problems with HW/SW or databases that could affect their control of the installation of HW/SW upgrades.
    – Initiate changes to improve efficiency.
– End user—End users are responsible for operations related to business application services. There is a small distinction between the terms “end user” and “user.” End user is slightly more specific and refers to someone who will access a business application. User is broader and could refer to administrative accounts and accounts to access platforms.
– End-user support manager—The end-user support manager acts as a liaison between the IT department and the end users.
– Data management—Data management personnel are responsible for the data architecture in larger IT environments and tasked with managing data as corporate assets.
– Quality assurance (QA) manager—The QA manager is responsible for negotiating and facilitating quality activities in all areas of IT.
– Information security management—This is a function that generally needs to be separate from the IT department and headed by a CISO. The CISO may report to the CIO or have a dotted-line (indirect reporting) relationship to the CIO. Even when the security officer reports to the CIO, there is a possibility of conflict because the goals of the CIO are to efficiently provide continuous IT services whereas the CISO may be less interested in cost reduction if this impacts the quality of protection.

Vendor and Outsourcer Management

With the increase in outsourcing, including the use of multiple vendors, dedicated staff may be required to manage the vendors and outsourcers.
This may necessitate staff performing the following functions:

– Acting as the prime contact for the vendor and outsourcer within the IT function
– Providing direction to the outsourcer on issues and escalating internally within the organization and IT function
– Monitoring and reporting on the service levels to management
– Reviewing changes to the contract due to new requirements and obtaining IT approvals

Infrastructure Operations and Maintenance

An operations manager is responsible for computer operations personnel, including all the staff required to run the data center efficiently and effectively (e.g., computer operators, librarians, schedulers and data control personnel). The data center includes the servers and mainframe, peripherals such as high-speed printers, networking equipment, magnetic media, and storage area networks. It constitutes a major asset investment and impacts the organization’s ability to function effectively.

The control group is responsible for the collection, conversion and control of input, and the balancing and distribution of output to the user community. The supervisor of the control group usually reports to the IPF operations manager. The input/output control group should be in a separate area where only authorized personnel are permitted since they handle sensitive data.

Media Management

Media management is required to record, issue, receive and safeguard all program and data files that are maintained on removable media. Depending on the size of the organization, this function may be assigned to a full-time individual or a member of operations who also performs other duties. This is a crucial function. Therefore, many organizations provide additional support through the use of software that assists in maintaining inventory, movement, version control and configuration management.

Data Entry

Data entry is critical to the information processing activity and includes batch entry or online entry.
In most organizations personnel in user departments do their own data entry online. In many online environments, data are captured from the original source (e.g., electronic data interchange [EDI] input documents, data captured from bar codes for time management, departmental store inventory). The user department and the system application must have controls in place to ensure that data are validated, accurate, complete and authorized.

Supervisory Control and Data Acquisition

With the advancement of technology and need to acquire data at their origination site, automated systems for data acquisition are being deployed by organizations. These systems include barcode readers or systems that are referred to as supervisory control and data acquisition (SCADA). The term SCADA usually refers to centralized systems that monitor and control entire sites, or complexes of systems spread out over large areas (on the scale of kilometers or miles). These systems are typical of industrial plants, steel mills, power plants, electrical facilities and similar. Most site control is performed automatically by remote terminal units (RTUs) or by programmable logic controllers (PLCs). Host control functions are usually restricted to basic site overriding or supervisory level intervention.

An example of automated systems for data acquisition are those used on oil rigs to measure and control the extraction of oil and to control the temperature and flow of water. Data acquisition begins at the RTU or PLC level and includes meter readings and equipment status reports that are communicated to SCADA as required. Data are then compiled and formatted in such a way that a control room operator using human machine interfacing (HMI) networks can make supervisory decisions to adjust or override normal RTU or PLC controls. Data may also be fed to a history log, often built on a commodity database management system, to allow trending and other analytical auditing.
SCADA applications traditionally used dedicated communication lines, but there has been a significant migration to the Internet. This has obvious advantages, among them easier integration in the company business applications. However, a disadvantage is that many such companies are nation-critical infrastructures and become easy prey to cyberattacks.

Systems Administration

The systems administrator is responsible for maintaining major multiuser computer systems, including local area networks (LANs), wireless local area networks (WLANs), wide area networks (WANs), virtual machine/server/network environments, personal area networks (PANs), storage area networks (SANs), intranets and extranets, and mid-range and mainframe systems. Typical duties include the following activities:

– Adding and configuring new workstations and peripherals
– Setting up user accounts
– Installing systemwide software
– Performing procedures to prevent/detect/correct the spread of viruses
– Allocating mass storage space

Small organizations may have one systems administrator, whereas larger enterprises may have a team of them. Some mainframe-centric organizations may refer to a systems administrator as a systems programmer.

Security Administration

Security administration begins with management’s commitment. Management must understand and evaluate security risk and develop and enforce a written policy that clearly states the standards and procedures to be followed. The duties of the security administrator should be defined in the policy. To provide adequate SoD, this individual should be a full-time employee who may report directly to the infrastructure director. However, in a small organization, it may not be practical to hire a full-time individual for this position.
The individual performing the function should ensure that the various users are complying with the corporate security policy and controls are adequate to prevent unauthorized access to the company assets (including data, programs and equipment). The security administrator’s functions usually include:

– Maintaining access rules to data and other IT resources.
– Maintaining security and confidentiality over the issuance and maintenance of authorized user IDs and passwords.
– Monitoring security violations and taking corrective action to ensure that adequate security is provided.
– Periodically reviewing and evaluating the security policy and suggesting necessary changes to management.
– Preparing and monitoring the security awareness program for all employees.
– Testing the security architecture to evaluate the security strengths and detect possible threats.
– Working with compliance, risk management and audit functions to ensure that security is appropriately designed and updated based on audit feedback or testing.

Database Administration

The database administrator (DBA), as custodian of an organization’s data, defines and maintains the data structures in the corporate database system. The DBA must understand the organization and user data and data relationship (structure) requirements. This position is responsible for the security of the shared data stored on database systems. The DBA is responsible for the actual design, definition and proper maintenance of the corporate databases. The DBA usually reports directly to the director of the IPF. The DBA’s role includes:

– Specifying the physical (computer-oriented) data definition.
– Changing the physical data definition to improve performance.
– Selecting and implementing database optimization tools.
– Testing and evaluating programming and optimization tools.
– Answering programmer queries and educating programmers in the database structures.
– Implementing database definition controls, access controls, update controls and concurrency controls.
– Monitoring database usage, collecting performance statistics and tuning the database.
– Defining and initiating backup and recovery procedures.

The DBA has the tools to establish controls over the database and the ability to override these controls. The DBA also has the capability of gaining access to all data, including production data. It is usually not practical to prohibit or completely prevent access to production data by the DBA. Therefore, the IT department must exercise close control over database administration through the following approaches:

– SoD
– Management approval of DBA activities
– Supervisor review of access logs and activities
– Detective controls over the use of database tools

Systems Analyst

Systems analysts are specialists who design systems based on the needs of the user and are usually involved during the initial phase of the system development life cycle (SDLC). These individuals interpret the needs of the user and develop requirements and functional specifications as well as high-level design documents. These documents enable programmers to create a specific application.

Security Architect

Security architects evaluate security technologies; design security aspects of the network topology, access control, identity management and other security systems; and establish security policies and security requirements. One may argue that systems analysts perform the same role; however, the set of skills required is quite different. The deliverables (e.g., program specifications versus policies, requirements, architecture diagrams) are different as well. Security architects should also work with compliance, risk management and audit functions to incorporate their requirements and recommendations for security into the security policies and architecture.

System Security Engineer

The system security engineer, as defined under ISO/IEC 21827:2008: Information technology—Security techniques—Systems Security Engineering—Capability Maturity Model, provides technical information system security engineering support to the organization that encompasses the following:

– Project life cycles, including development, operation, maintenance and decommissioning activities
– Entire organizations, including management, organizational and engineering activities
– Concurrent interactions with other disciplines, such as system software and hardware, human factors, test engineering, system management, operation and maintenance
– Interactions with other organizations, including acquisition, system management, certification, accreditation and evaluation

Applications Development and Maintenance

Applications staff are responsible for developing and maintaining applications. Development can include developing new code or changing the existing setup or configuration of the application. Staff develop the programs or change the application setup that will ultimately run in a production environment. Therefore, management must ensure that staff cannot modify production programs or application data. Staff should work in a test-only environment and turn their work to another group to move programs and application changes into the production environment.

Infrastructure Development and Maintenance

Infrastructure staff are responsible for maintaining the systems software, including the OS. This function may require staff to have broad access to the entire system. IT management must closely monitor activities by requiring that electronic logs capture this activity and are not susceptible to alteration. Infrastructure staff should have access to only the system libraries of the specific software they maintain. Usage of domain administration and superuser accounts should be tightly controlled and monitored.

Network Management

Today many organizations have widely dispersed IPFs. They may have a central IPF, but they also make extensive use of:

– LANs at branches and remote locations
– WANs, where LANs may be interconnected for ease of access by authorized personnel from other locations
– Wireless networks established through mobile devices

Network administrators are responsible for key components of this infrastructure (e.g., routers, switches, firewalls, network segmentation, performance management, remote access). Because of geographical dispersion, each LAN may need an administrator. Depending on the policy of the company, these administrators can report to the director of the IPF or, in a decentralized operation, may report to the end-user manager, although at least a dotted line to the director of the IPF is advisable. This position is responsible for technical and administrative control over the LAN. This includes ensuring that transmission links are functioning correctly, backups of the system are occurring, and software/hardware purchases are authorized and installed properly.

In smaller installations this person may be responsible for security administration over the LAN. The LAN administrator should have no application programming responsibilities but may have systems programming and end-user responsibilities.

2.4.4 SEGREGATION OF DUTIES WITHIN IT

Actual job titles and organizational structures vary greatly from one organization to another depending on the size and nature of the business. However, an IS auditor should obtain enough information to understand and document the relationships among the various job functions, responsibilities and authorities, and assess the adequacy of the SoD. SoD avoids the possibility that a single person could be responsible for diverse and critical functions in such a way that errors or misappropriations could occur and not be detected in a timely manner and in the normal course of business processes.
SoD is an important means by which fraudulent and/or malicious acts can be discouraged and prevented. Duties that should be segregated include:

– Custody of the assets
– Authorization
– Recording transactions

If adequate SoD does not exist, the following could occur:

– Misappropriation of assets
– Misstated financial statements
– Inaccurate financial documentation (i.e., errors or irregularities)
