IT Governance Cisa

The document outlines IT Governance and Management, emphasizing the alignment of IT strategies with business objectives, risk management, and value delivery. It details key components such as IT service management, project management, and security management, along with best practices and frameworks like COBIT and ITIL. Additionally, it covers the importance of information asset protection, IT operations, business resilience, and the systematic process of information systems auditing to ensure compliance and efficiency.


IT Governance & Management

1. IT Governance
Definition:
IT Governance is the framework that ensures IT investments, strategies, and operations align with business objectives while managing risks and delivering value.
Key Components:
1. Strategic Alignment
   o Ensures IT goals support business goals.
   o Example: If a company’s goal is digital transformation, IT must prioritize cloud migration, automation, and cybersecurity.
   o Best Practice: Use Balanced Scorecards to track alignment.
2. Value Delivery
   o Ensures IT investments provide optimal ROI.
   o Example: Implementing ERP systems to improve operational efficiency.
   o Best Practice: Business Case Justification for IT projects.
3. Risk Management
   o Identify, assess, and mitigate IT risks (cybersecurity, compliance, operational).
   o Example: Regular penetration testing to detect vulnerabilities.
   o Best Practice: Follow ISO 31000 or NIST SP 800-37 (Risk Management Framework).
4. Resource Management
   o Efficient use of IT resources (people, infrastructure, applications).
   o Example: Cloud cost optimization to reduce wasted spending.
   o Best Practice: IT Asset Management (ITAM) tools.
5. Performance Measurement
   o Monitors IT effectiveness using KPIs and metrics.
   o Example: System uptime (99.9%), incident resolution time (SLA compliance).
   o Best Practice: COBIT 2019 Performance Management framework.

Governance Frameworks:
• COBIT 2019 (Best for audit & control)
• ITIL 4 (Best for IT service management)
• ISO/IEC 38500 (Corporate governance of IT)
• ISO 27001 (Information security governance)
2. IT Management
Definition:
IT Management involves the day-to-day execution of IT governance policies, ensuring smooth IT operations and service delivery.
Key Areas:
1. IT Service Management (ITSM)
   o Focuses on delivering IT services efficiently (ITIL processes).
   o Key Processes:
      ▪ Incident Management (Fix outages quickly)
      ▪ Change Management (Controlled IT changes)
      ▪ Problem Management (Root-cause analysis)
   o Best Practice: ITIL 4 for service management.
2. Project Management
   o Ensures IT projects are completed on time, within budget, and meet objectives.
   o Example: Implementing a new CRM system.
   o Best Practice: PMBOK/PRINCE2 methodologies.
3. Security Management
   o Protects IT assets from threats (cyberattacks, data breaches).
   o Key Controls:
      ▪ Access controls (RBAC, MFA)
      ▪ Encryption, Firewalls, SIEM tools
   o Best Practice: NIST CSF, ISO 27001.
4. Vendor & Third-Party Management
   o Ensures external IT providers (cloud, SaaS) meet security & performance standards.
   o Example: Reviewing SLAs (Service Level Agreements) with AWS/Azure.
   o Best Practice: Regular vendor audits & risk assessments.
5. Disaster Recovery & Business Continuity
   o Ensures IT systems can recover from disruptions (ransomware, natural disasters).
   o Example: Backup strategies (3-2-1 rule), DR drills.
   o Best Practice: ISO 22301 (BCMS).

3. Governance vs. Management (Detailed Comparison)
| Aspect | IT Governance | IT Management |
| --- | --- | --- |
| Focus | What & Why (Strategy, Policies) | How (Execution, Operations) |
| Responsibility | Board, CEO, CIO | IT Directors, Managers, Teams |
| Tools | COBIT, Balanced Scorecards | ITIL, PMBOK, SIEM Tools |
| Example | Deciding to adopt cloud computing | Migrating servers to AWS |

4. CISA Audit Perspective
As an IT auditor, CISA focuses on:
✔ Evaluating IT governance structure (Is there a clear IT strategy approved by the board?).
✔ Assessing risk management (Are risks identified and mitigated effectively?).
✔ Reviewing compliance (Does IT follow GDPR, HIPAA, SOX?).
✔ Auditing IT investments (Are IT projects delivering value?).
✔ Checking security controls (Are firewalls, encryption, and access controls in place?).
Best Audit Practices:
• Use COBIT 2019 for governance audits.
• Apply NIST SP 800-53 for security control assessments.
• Perform ITIL process maturity assessments.
5. Real-World Examples
• Good Governance: A bank implements COBIT to align IT with regulatory requirements (e.g., Basel III).
• Poor Governance: A company suffers a data breach because there was no risk assessment process.
• Effective Management: An IT team uses ITIL Change Management to prevent system outages during updates.
Conclusion:
• IT Governance = Direction & Oversight (Are we doing the right things?).
• IT Management = Execution & Operations (Are we doing things right?).
• CISA’s Role: Audit both to ensure compliance, risk management, and value delivery.

Information Systems Auditing Process
1. Definition & Objective
Definition:
A systematic process to evaluate and assess an organization’s IT controls, policies, and procedures to ensure security, compliance, and efficiency.
Primary Objectives:
✔ Ensure data integrity, confidentiality, and availability (CIA triad).
✔ Verify compliance with laws, regulations (GDPR, SOX, HIPAA).
✔ Assess risk management and control effectiveness.
✔ Improve IT governance and operational efficiency.
2. Key Phases of IS Auditing
Phase 1: Planning & Preparation
Activities:
• Define audit scope (systems, processes, departments).
• Set audit objectives (e.g., check SOC 2 compliance, assess cybersecurity controls).
• Gather documentation (policies, network diagrams, past audit reports).
• Risk Assessment – Identify critical systems & potential threats.
Best Practices:
Use COBIT 2019 for control frameworks.
Align with business objectives (ask: What are we trying to protect?).
Phase 2: Fieldwork (Execution)
Activities:
• Testing Controls (automated & manual):
   o Technical Tests:
      ▪ Vulnerability scans (Nessus, Qualys).
      ▪ Log analysis (SIEM tools like Splunk).
   o Process Reviews:
      ▪ Check change management approvals.
      ▪ Verify backup & recovery procedures.
• Interviews with IT staff, managers.
• Sampling (selective data checks for accuracy).

Examples:
• Access Control Audit:
   o Are user permissions aligned with job roles? (Check RBAC).
   o Is MFA enforced for admins?
Best Practices:
Use automated tools (e.g., Wireshark for network audits).
Document evidence (screenshots, logs).
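One way to script the two access-control fieldwork questions above (are permissions aligned with the approved role, and is MFA enforced for admins), as an added example that is not part of the original notes; the RBAC matrix, the user export and the High/Medium rating rule are constructed for illustration.

```python
from dataclasses import dataclass

# Approved RBAC matrix (constructed for this example): role -> permitted entitlements.
RBAC_MATRIX = {
    "sales": {"crm.read", "crm.write"},
    "finance": {"erp.read", "erp.post_journal"},
    "sysadmin": {"server.login", "server.sudo", "crm.read", "erp.read"},
}
ADMIN_ROLES = {"sysadmin"}

@dataclass
class User:
    name: str
    role: str
    permissions: set
    mfa_enabled: bool

@dataclass
class Finding:
    user: str
    issue: str    # excess-privilege | admin-without-mfa | unknown-role
    detail: str
    rating: str   # High / Medium, the scale used in the reporting phase

def admin_only_permissions(matrix, admin_roles):
    """Entitlements granted only to admin roles; holding one outside an admin role is rated High."""
    admin = set().union(*(matrix[r] for r in admin_roles))
    non_admin = set().union(*(matrix[r] for r in matrix if r not in admin_roles))
    return admin - non_admin

def audit_access(users, matrix=RBAC_MATRIX, admin_roles=ADMIN_ROLES):
    """Compare each user's actual permissions with the role's allowed set; one Finding per deviation."""
    privileged = admin_only_permissions(matrix, admin_roles)
    findings = []
    for u in users:
        allowed = matrix.get(u.role)
        if allowed is None:  # role is not in the approved RBAC matrix at all
            findings.append(Finding(u.name, "unknown-role", u.role, "High"))
            continue
        excess = sorted(u.permissions - allowed)  # granted but not permitted by the role
        if excess:
            rating = "High" if privileged & set(excess) else "Medium"
            findings.append(Finding(u.name, "excess-privilege", ",".join(excess), rating))
        if u.role in admin_roles and not u.mfa_enabled:
            findings.append(Finding(u.name, "admin-without-mfa", u.role, "High"))
    return findings

# Constructed IAM export standing in for a real identity-system extract.
SAMPLE_USERS = [
    User("alice", "sales", {"crm.read", "crm.write"}, True),
    User("bob", "sales", {"crm.read", "crm.write", "server.sudo"}, True),
    User("carol", "sysadmin", {"server.login", "server.sudo", "crm.read", "erp.read"}, False),
    User("dave", "finance", {"erp.read", "erp.post_journal", "crm.read"}, True),
    User("erin", "contractor", {"crm.read"}, True),
]

if __name__ == "__main__":
    for f in audit_access(SAMPLE_USERS):
        print(f"{f.rating:<6} {f.user:<6} {f.issue:<18} {f.detail}")
```

The printed rows are the evidence an auditor attaches to the finding; the rating drives the High/Medium/Low summary in the reporting phase.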
Phase 3: Reporting
Activities:
• Summarize findings (control gaps, non-compliance).
• Risk Rating (High/Medium/Low impact).
• Recommend corrective actions.
Example Audit Report Structure:
1. Executive Summary (Key issues in non-technical terms).
2. Detailed Findings (e.g., "No encryption for sensitive data").
3. Recommendations (e.g., "Implement AES-256 encryption").
Best Practices:
Follow IIA (Institute of Internal Auditors) reporting standards.
Use visuals (charts, tables) for clarity.
Phase 4: Follow-Up & Monitoring
Activities:
• Track remediation progress (e.g., patched vulnerabilities).
• Conduct re-audits if needed.
Best Practices:
Use ticketing systems (Jira, ServiceNow) to track fixes.
3. Types of IS Audits
| Audit Type | Focus Area | Example |
| --- | --- | --- |
| Compliance Audit | Checks adherence to laws (GDPR, PCI DSS) | "Is customer data encrypted per PCI DSS?" |
| Operational Audit | Evaluates IT process efficiency | "Is incident response time under 1 hour?" |
| Financial Audit | Ensures IT financial controls (e.g., SaaS spend) | "Are cloud costs optimized?" |
| Forensic Audit | Investigates breaches/data theft | "How did the ransomware attack happen?" |

4. Key Audit Frameworks & Standards
• COBIT 2019 – Best for IT governance audits.
• NIST SP 800-53 – Used for U.S. federal security controls.
• ISO 27001 – Information security management systems (ISMS).
• ITIL 4 – Auditing IT service management processes.
5. Common Audit Tools
• Network Scanners: Nessus, Nmap.
• Log Analyzers: Splunk, ELK Stack.
• Compliance Checkers: Qualys, OpenSCAP.
6. CISA Exam Focus Areas
✔ Understand audit planning & risk assessment.
✔ Know testing methodologies (e.g., sampling, penetration tests).
✔ Learn reporting & communication techniques.
Example CISA Question:
"What is the FIRST step in an IS audit?"
Answer: Define scope & objectives (Planning Phase).
Conclusion
• IS Auditing = Systematic review of IT controls.
• Phases: Plan → Execute → Report → Follow-up.
• Goal: Ensure security, compliance, and efficiency.

Protection of Information Assets

1. Definition & Importance
Definition:
Safeguarding data, systems, and infrastructure from threats to ensure confidentiality, integrity, and availability (CIA Triad).
Why It Matters?
✔ Prevents data breaches, financial loss, reputational damage.
✔ Ensures compliance with GDPR, HIPAA, PCI-DSS.
✔ Supports business continuity & trust.
2. Key Components of Information Asset Protection
A. Data Security Controls
| Control Type | Examples | Purpose |
| --- | --- | --- |
| Encryption | AES-256, TLS/SSL | Protect data at rest & in transit |
| Access Controls | RBAC, MFA, Least Privilege | Limit unauthorized access |
| Data Masking | Tokenization, Anonymization | Hide sensitive data in non-prod environments |
| Backup & Recovery | 3-2-1 Rule (3 copies, 2 media, 1 offsite) | Ensure data availability |

B. Network Security
• Firewalls (Next-Gen Firewalls like Palo Alto)
• Intrusion Detection/Prevention Systems (IDS/IPS)
• VPNs & Zero Trust Architecture
• Network Segmentation (Isolate critical systems)
C. Endpoint Security
• Antivirus/Anti-malware (CrowdStrike, SentinelOne)
• Endpoint Detection & Response (EDR)
• Patch Management (Regular updates for OS/apps)
D. Physical Security
• Biometric Access (Fingerprint scanners)
• Surveillance Cameras & Alarms
• Environmental Controls (Fire suppression, HVAC for servers)
3. Risk Management for Information Assets
A. Risk Assessment Steps
1. Identify Assets (Data, hardware, software)
2. Identify Threats (Hacking, insider threats, natural disasters)
3. Assess Vulnerabilities (Unpatched systems, weak passwords)
4. Calculate Risk (Likelihood × Impact)
5. Mitigate Risks (Apply controls, insurance, backups)
B. Risk Treatment Strategies
• Avoidance (Discontinue risky activity)
• Mitigation (Implement security controls)
• Transfer (Cyber insurance)
• Acceptance (Low-risk scenarios, or where mitigation would cost more than the risk itself)
4. Security Standards & Frameworks
• ISO 27001 (Information Security Management)
• NIST Cybersecurity Framework (CSF)
• PCI-DSS (For payment card data)
• SOC 2 (For cloud service providers)
5. Incident Response & Disaster Recovery
A. Incident Response Plan (IRP)
1. Preparation (Train team, define roles)
2. Detection & Analysis (SIEM tools, logs)
3. Containment (Isolate affected systems)
4. Eradication (Remove malware, patch flaws)
5. Recovery (Restore from backups)
6. Lessons Learned (Post-incident review)
B. Disaster Recovery Plan (DRP)
• RTO (Recovery Time Objective): Max tolerable downtime (e.g., 4 hours).
• RPO (Recovery Point Objective): Max data loss acceptable (e.g., 1 hour).
• Backup Strategies: Full, incremental, differential backups.
6. CISA Exam Focus Areas
✔ Understand encryption methods & key management.
✔ Know access control models (DAC, MAC, RBAC).
✔ Learn incident response steps.
✔ Study compliance frameworks (ISO 27001, NIST).
Example CISA Question:
"Which control BEST prevents unauthorized data access?"
Answer: Role-Based Access Control (RBAC).
7. Best Practices for Protection
• Regular security audits & penetration testing.
• Employee training (Phishing awareness).
• Multi-layered defense (Defense in depth).
• Continuous monitoring (SIEM, UEBA tools).
Conclusion
• Protecting information assets = CIA Triad + Risk Management.
• Use frameworks like ISO 27001 & NIST CSF for structured
security.
• Prepare for incidents with IRP & DRP.

IT Operations & Business Resilience

1. Definition & Importance
IT Operations:
Day-to-day management of IT infrastructure (networks, servers, applications) to ensure availability, performance, and security.
Business Resilience:
An organization’s ability to adapt to disruptions (cyberattacks, disasters) while maintaining critical operations.
Why It Matters?
✔ Minimizes downtime & financial losses.
✔ Ensures customer trust & regulatory compliance.
✔ Supports long-term business continuity.
2. Key Components of IT Operations
A. IT Service Management (ITSM)
| Process | Purpose | Example |
| --- | --- | --- |
| Incident Mgmt | Restore services quickly | Fixing a server crash |
| Change Mgmt | Control IT changes safely | Approving a software update |
| Problem Mgmt | Find root causes of recurring issues | Solving frequent network outages |
| Asset Mgmt | Track IT hardware/software | Managing license renewals |
Best Practice: Use ITIL 4 framework for ITSM.
B. System & Network Operations
• Monitoring Tools (Nagios, SolarWinds, Prometheus).
• Patch Management (Automate updates for OS/apps).
• Capacity Planning (Ensure systems handle peak loads).
C. Backup & Recovery
• 3-2-1 Backup Rule:
o 3 copies of data.
o 2 different storage types (cloud + external HDD).
o 1 offsite backup.
• Test Restores (Regularly verify backup integrity).
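The 3-2-1 rule above and the RPO defined in the Disaster Recovery Plan section can be checked together against a backup catalog. This is an added example, not from the original notes; the catalog entries are constructed, and the 90-day restore-test window is an assumed policy.

```python
from datetime import datetime, timedelta

# Constructed backup catalog for one dataset: one record per stored copy.
# "completed" is the last backup run for that copy (ISO 8601 timestamps).
NOW = datetime(2024, 3, 10, 7, 0)
RPO = timedelta(hours=1)                    # max acceptable data loss, as in the DRP section
RESTORE_TEST_MAX_AGE = timedelta(days=90)   # assumed policy, not from the notes

COMPLIANT = [
    {"media": "disk", "offsite": False, "completed": "2024-03-10T06:30:00", "status": "success", "last_restore_test": "2024-02-20"},
    {"media": "cloud", "offsite": True, "completed": "2024-03-10T06:45:00", "status": "success", "last_restore_test": None},
    {"media": "tape", "offsite": True, "completed": "2024-03-09T23:00:00", "status": "success", "last_restore_test": None},
]
WEAK = [
    {"media": "disk", "offsite": False, "completed": "2024-03-10T03:00:00", "status": "success", "last_restore_test": "2023-11-01"},
    {"media": "disk", "offsite": False, "completed": "2024-03-10T06:50:00", "status": "failed", "last_restore_test": None},
]

def good_copies(catalog):
    """Only copies whose last run succeeded count toward 3-2-1 and RPO."""
    return [c for c in catalog if c["status"] == "success"]

def check_3_2_1(catalog):
    """Return the three 3-2-1 conditions as booleans."""
    good = good_copies(catalog)
    return {
        "three_copies": len(good) >= 3,
        "two_media": len({c["media"] for c in good}) >= 2,
        "one_offsite": any(c["offsite"] for c in good),
    }

def rpo_exposure(catalog, now=NOW):
    """Age of the newest successful copy: the data loss a disruption right now would cause."""
    times = [datetime.fromisoformat(c["completed"]) for c in good_copies(catalog)]
    return now - max(times) if times else None

def assess_backups(catalog, now=NOW, rpo=RPO, test_max_age=RESTORE_TEST_MAX_AGE):
    """Audit findings for one dataset: 3-2-1 gaps, RPO breach, stale restore test."""
    findings = [f"3-2-1 rule not met: {name}" for name, ok in check_3_2_1(catalog).items() if not ok]
    exposure = rpo_exposure(catalog, now)
    if exposure is None or exposure > rpo:
        findings.append(f"RPO {rpo} exceeded: newest good copy is {exposure} old")
    tests = [datetime.fromisoformat(c["last_restore_test"]) for c in catalog if c["last_restore_test"]]
    if not tests or now - max(tests) > test_max_age:
        findings.append(f"no successful restore test within {test_max_age.days} days")
    return findings

if __name__ == "__main__":
    for label, catalog in (("compliant", COMPLIANT), ("weak", WEAK)):
        print(label, assess_backups(catalog) or ["no findings"])
```

Note that a failed run is excluded from the copy count: a backup that did not complete is not a copy, however recent its timestamp.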
3. Business Resilience Strategies
A. Business Continuity Planning (BCP)
1. Business Impact Analysis (BIA):
o Identify critical functions (e.g., payroll, customer support).
o Define RTO (Recovery Time Objective) and RPO (Recovery Point Objective).
2. Develop Recovery Plans:
o Alternate work sites (e.g., remote work setups).
o Backup power (generators, UPS).
B. Disaster Recovery (DR)
• DRP vs. BCP:
o BCP = Keeps business running during disruptions.
o DRP = Focuses on IT system recovery.
• DR Testing:
o Tabletop Exercises (Simulate disasters on paper).
o Full Failover Tests (Switch to backup data centers).
C. High Availability (HA) & Redundancy
• HA Clusters (Failover servers for zero downtime).
• Load Balancers (Distribute traffic across servers).
• Geographic Redundancy (Data centers in different regions).

4. Risk Management for Resilience
A. Threat Scenarios
| Threat | Mitigation Strategy |
| --- | --- |
| Cyberattack (Ransomware) | Offline backups, EDR solutions |
| Natural Disaster (Flood) | Geographic redundancy |
| Power Failure | UPS, backup generators |
B. Resilience Frameworks
• ISO 22301 (Business Continuity Mgmt).
• NIST SP 800-34 (IT Disaster Recovery).
• COBIT 5/2019 (Align IT ops with business goals).

5. CISA Exam Focus Areas
✔ Understand ITSM processes (Incident, Change, Problem Mgmt).
✔ Know BCP/DRP components (BIA, RTO, RPO).
✔ Study high-availability architectures.
✔ Learn resilience testing methods.
Example CISA Question:
"What is the PRIMARY goal of Change Management?"
Answer: Minimize risks from IT changes.

6. Best Practices
• Automate monitoring & alerts (e.g., SIEM tools).
• Conduct annual disaster drills.
• Document all procedures (Runbooks, playbooks).
• Train employees on resilience protocols.

Conclusion
• IT Operations = Daily IT management.
• Business Resilience = Preparing for disruptions.
• Combine ITSM, BCP, and DRP for robust operations.

Acquisition, Development & Implementation of IS

1. Overview
Objective: Ensure IT systems are acquired, built, and deployed securely, efficiently, and aligned with business needs.

Key Phases:
1. Acquisition → Buying/leasing software/hardware.
2. Development → Building custom systems (SDLC).
3. Implementation → Deploying systems into production.
Why It Matters?
✔ Avoid cost overruns, security flaws, project failures.
✔ Ensure regulatory compliance (GDPR, SOX).
✔ Deliver business value.
2. Phase 1: Acquisition
A. Procurement Process
1. Needs Assessment
o Define business requirements (e.g., "Need a CRM for sales teams").
2. Vendor Evaluation
o Compare cost, support, security, scalability.
o Check vendor reputation (references, reviews).
3. Contract Negotiation
o Include SLAs (Service Level Agreements), data ownership, exit clauses.
B. Key Risks & Controls
| Risk | Control |
| --- | --- |
| Vendor lock-in | Favor open standards, modular systems |
| Hidden costs | Demand transparent pricing models |
| Security vulnerabilities | Require third-party security audits |
Best Practice: Use RFPs (Request for Proposals) for fair vendor selection.
3. Phase 2: Development
A. System Development Life Cycle (SDLC)
| Phase | Activities | CISA Focus |
| --- | --- | --- |
| Planning | Define scope, budget, timeline | Ensure alignment with business goals |
| Design | Create architecture (DB, UI, APIs) | Review security controls (encryption, access) |
| Development | Write code, unit testing | Check secure coding practices (OWASP Top 10) |
| Testing | QA, penetration testing, UAT | Verify test coverage |
| Deployment | Rollout to production | Assess change management |
B. Development Methodologies
• Waterfall (Sequential; good for stable requirements).
• Agile (Iterative; flexible but needs strong governance).
• DevSecOps (Integrates security into CI/CD pipelines).

Best Practice:
• Code reviews + static/dynamic analysis tools (SonarQube, Checkmarx).
• Comply with ISO 27034 (Application Security).
4. Phase 3: Implementation
A. Deployment Strategies
| Strategy | Pros | Cons |
| --- | --- | --- |
| Big Bang | Fast rollout | High risk of failure |
| Phased | Low risk, gradual adoption | Longer timeline |
| Pilot Testing | Test with small user group first | Delays org-wide rollout |
B. Critical Controls
• Data Migration Checks (Ensure no corruption/loss).
• User Training (Minimize resistance to new systems).
• Rollback Plan (Revert if deployment fails).
Best Practice: Use sandbox environments for pre-launch testing.
5. CISA Audit Focus Areas
✔ Verify SDLC documentation (design specs, test reports).
✔ Assess vendor management (contracts, due diligence).
✔ Review security controls in developed systems.
✔ Check post-implementation reviews (lessons learned).
Example CISA Question:
"What is the PRIMARY risk of skipping UAT (User Acceptance Testing)?"
Answer: System may not meet business needs.
6. Common Pitfalls & Mitigations
| Pitfall | Mitigation |
| --- | --- |
| Scope creep | Enforce change control boards |
| Inadequate testing | Allocate 20-30% of timeline to QA |
| Poor vendor oversight | Conduct quarterly vendor audits |

7. Frameworks & Standards
• COBIT 5/2019 (Governance of IT investments).
• NIST SP 800-64 (Security in SDLC).
• ITIL 4 (Service transition best practices).
Conclusion
• Acquisition: Choose vendors wisely.
• Development: Follow secure SDLC.
• Implementation: Deploy with rollback plans.
• Auditors must verify all phases!
