Introduction of IT Governance

The document discusses IT governance frameworks and provides details about IT activities like strategy, development, operations, and business support. It also covers topics like IT life cycle, risk management, information security, and the three lines of defense model.

Uploaded by Rudi Rudi

CISA Exam Preparation Training

INTRODUCTION
Nico Syafrizal
Framework IT Governance

Control is defined as the policies, procedures, practices and organisational structures designed to:
1. provide reasonable assurance that business objectives will be achieved; and
2. ensure that undesired events will be prevented, or detected and corrected.

• What is not defined cannot be controlled
• What is not controlled cannot be measured
• What is not measured cannot be improved

• If we can measure it, we can manage it;
• If we can manage it, we can achieve it.
IT Life Cycle

[Figure: IT life cycle diagram. Inputs: technology trends and business requirements. Strategy: identify strategic investments, set budgets. Risk Control: control strategic risks, tactical & operational risks; ensure risks are managed. Investment programs flow into Development: new systems implementation, recommend improvements. Handover to Operation: operate & maintain systems, which feeds system improvement needs back to Development. Business Support: develop & provide resources & support to the other activities.]
Main IT Activities

Strategy
• IT Strategy & Planning
• IT Architecture
• IT Investment Strategy & Planning
• IT Policies & Standard

Development
• Program & Project Management
• Change Management
• Process Improvement
• Application Development / Implementation
• Infrastructure Development / Implementation
• Release Management

Operation
• Application Operation / Maintenance
• Infrastructure Operation / Maintenance
• IT Services Delivery & Support
• Capacity Provisioning
• System Security Management
• License Management

Risk Control
• Quality Audit
• Business Security Audit
• Compliance Audit

Business Support
• Financial Management
• Human Resource Management
• Quality Management
• Performance Measurement
• Logistic & Asset Management
Lead Audit Training ISO 27001:2013

IS Audit Standards Practices

[Figure: the IT Life Cycle diagram above, repeated on two slides, with the whole life cycle (Strategy, Risk Control, Development, Operation, Business Support) labelled as the "Audit Subject".]

ISO 19011 Guideline for Auditing Management
Information System Block

• Data Center (A/C, UPS, etc.)
• Network
• Application
• Database
• Operation System
• H/W (server)
• User/Admin/Developer
ITGC - IT Operation

• Network Management
• Backup and Restore
• Disaster Recovery
• Capacity Management
• Patch and Anti Virus
• License Management
• Environmental Control
• Maintenance
• User Support
ITGC - Access to Program and Data

• User account and password security
• User Authorization Matrix
• User Training and User Manual
ITGC - Program Changes

• Source Code Management
• Change Request
• System and User Testing
• Authorization of Transfers to Live Environment
ITGC - Program Development

• Project Initiation
• User Requirement Definition
• In-House Development/Package Selection
• System and User Testing
• Data Conversion
• Go-Live Decision
Risk Management (ISO 31000:2018)
Enabler/Disabler Factors

ISO 27001:2013
COBIT5: ISACA.org
Information Security Risk Mgt
Risk Level

Probability Examples: Risk Assessment

Impact Examples: Risk Assessment

Risk Assessment
Risk Assessment Example
Examples: Risk Assessment

Three Lines of Defense

Three Lines of Defense: Manage Risk
