02_GEIT

Auditing Business Continuity

Reviewing the Business continuity plan

Reviewing the alternative processing contract

Evaluation of prior test results

Evaluation of offsite storage

Interviewing key personnel

Evaluation of security at offsite facility

Reviewing Insurance coverage

Business Continuity Planning

IT BCP

Disasters & other disruptive events

Business continuity planning process

BC policy

Risk assessment & analysis

BIA

BC strategy development

Strategy execution (risk countermeasures)

BC plan development

BC awareness training

BC plan testing

BC plan monitoring, maintenance & updating

BC planning incident mgt.

Negligible incidents

Minor incidents

Major incidents

Crisis

Business impact analysis

Auditing IT Governance Structure & Implementation

Reviewing documentation

Reviewing contractual commitments

Info. Tech. Mgt. Practices

Human resource management

Hiring

Employee handbook

Promotion policies

Training

Scheduling & time reporting

Employee performance evaluations

Required vacations

Termination policies

Sourcing practices

Outsourcing practices

Industry standards/benchmarking

Globalization practices & strategies

Cloud computing

Outsourcing & 3rd party audit reports

Financial management practices

IS budgets

Software development

Quality management

Info.security mgt.

Performance optimisation

PDCA

Six sigma & lean sigma

IT BSC

KPI

Benchmarking

BPR

Root cause analysis

Life cycle cost-benefit analysis

Organisational change management

Roles & responsibilities

SoD within IT

SoD controls

Transaction authorisation

Custody of assets

Access to data

Compensating controls

Audit trails

Reconciliation

Exception reporting

Transaction logs

Supervisory reviews

Independent reviews

Risk management

Developing a risk mgt.program

Risk mgt.process

Asset identification

Evaluation of threats & vulnerabilities to assets

Evaluation of impact

Calculation of risk

Evaluation of & response to risk

Risk analysis methods

Qualitative analysis

Words or descriptive

Semi-quantitative analysis

Descriptive ranking associated with numeric scale

Quantitative analysis

Numeric values

Corporate Governance

Definition

Governance of Enterprise IT

Broad processes

IT resource management

Performance management

Compliance management

Good practices for GEIT

Mgt.frameworks

COBIT5

ISO/IEC 27001

Standards

ITIL

IT-Grundschutz catalogs

ISM3 (Information Security Management Maturity Model)

ISO/IEC 38500:2008 - Corporate governance of information technology

ISO/IEC 20000 - Specification for service mgt.

IT Governing Committees

IT Balanced Scorecard

Perspectives

1

Mission

Strategies

Measures

Sources

2

Future orientation

Operational excellence

User orientation

Business contribution

Info.security governance

Board of directors / senior mgt.

Senior mgt.

Info.security standards committee

Chief information security officer

Enterprise Architecture

Information Systems Strategy

Strategic planning

IT Steering committee

Maturity & Process Improvement Models

COBIT Process Assessment Model (PAM)

IDEAL model

Initiating

Diagnosing

Establishing

Acting

Learning

IT investment & allocation practices

Policies & procedures

Policies

Info.security policy

Document

Procedures

IT Strategy committee

IT steering committee

FEA (Federal Enterprise Architecture, USA)

Performance reference model

Business reference model

Service component reference model

Technical reference model

Data reference model