PART 4 – CISA Domain2 – Governance and Management of IT
What are the different Information Security roles and what are their responsibilities?
What is Business Continuity Planning?
What is Business Impact Analysis?

10. Information Security – Roles and Responsibilities

Role – Responsibilities
a. System development manager – Responsible for the programmers and analysts who develop new systems and maintain existing ones.
b. Project management – Responsible for planning and executing IS project plans. Reports to a project management office, or to the development organization.
c. Help desk (service desk) – Responds to technical questions and solves problems for users.
d. Quality assurance (QA manager) – Responsible for negotiating and facilitating quality activities in all areas of IT.
e. Information security management – A separate IT department that is headed by a CISO. The CISO can report to the CIO, or have a dotted-line (indirect reporting) relationship with the CIO.
f. Systems administrator – Responsible for maintaining major multiuser computer systems, including LANs, WLANs, WANs, etc.
g. Database administration – Maintains the data structures in the corporate database system.

11. Business Continuity Planning (BCP)
Business continuity/disaster recovery is designed to allow the business to keep offering critical services when a disruption occurs, and to recover from a catastrophic interruption.
First, identify the key business processes that are strategic to the business. These key processes are crucial for the company's growth and for the achievement of its business goals.
The key processes should be used to guide the risk management process. A risk assessment should be the first step in the risk management process.
The outcome of the risk assessment should include the identification of the following:
- The human resources, data, infrastructure elements, and other resources (including those provided to third parties) that support the key processes
- A list of possible vulnerabilities, i.e. the threats or dangers to the organization
- The probability that each of these threats will occur
- The effectiveness and efficiency of the existing risk mitigation measures (risk countermeasures)

BCP is primarily the responsibility of senior management.
ISO standard for BCP – ISO 22301
The IT business continuity plan must be aligned with the organization's strategy. If the IT plan is a standalone plan, it must be compatible with, and support, the corporate BCP.
Policy on Business Continuity:
A document that is approved by the top management and defines the scope and extent of the business continuity effort (a program or project) within the organization.
A proactive approach should be encouraged.
BCP is the most important corrective control.
The business continuity policy serves several other purposes. Its internal portion communicates to employees, management, and the board of directors that the company is taking the initiative and committing its resources, and that it expects the rest of the organization to do the same.
Its public portion sends a message to other stakeholders (shareholders, regulators, authorities, etc.) that the organization takes its obligations (e.g. service delivery, compliance) seriously.

Business Continuity Planning (BCP), Incident Management
Unexpected events can cause significant damage to the organization.
Incidents are dynamic in nature: their impact can change while they are unfolding, so the classification below should be reviewed as the incident develops.

All types of incidents need to be classified based on the extent of the damage done to the organization. A classification system could include the following categories:
Negligible – incidents that cause no perceptible or significant damage.
Minor – events that, although not negligible, have no material or financial impact.
Major – incidents that have a significant negative impact on business processes. They may also affect other systems, departments, or clients outside the company.
Crisis – a major incident with a serious impact on the organization's ability to operate (the example given in these notes is a major incident that occurred in Thailand).