CISA Domain 2 – Governance and Management of IT

March 24, 2011 by Kenneth Magee

ISACA has revamped the CISA material and this domain now contains the Business Continuity section from the old Domain 6. There are 13 areas that you need to understand in Domain 2.

1) Corporate Governance

  • Know the definition for corporate governance
  • Know what ISO 26000 is (30,000 foot view)
  • Familiarize yourself with OECD 2004, OECD Principles of Corporate Governance

2) IT Governance (ITG)

  • ITG is concerned with two issues: what are they, and what drives them?

3) Information Technology Monitoring and Assurance Practices for Board and Senior Management

  • Who is responsible for ITG
  • Name the five focus areas for ITG
  • Familiarize yourself with the different IT Governance frameworks (COBIT, ISO27001, ITIL, IBPC, ISM3, AS8015 and ISO38500)
  • Know audit’s role in ITG
  • Know what the responsibilities are for the IT Strategy Committee and the IT Steering Committee (this is another one of those charts that you’ve just got to memorize)
  • Another memory chart – know the relationships of Security Governance outcomes to Management Responsibilities
  • Look at the Zachman Framework and also the hierarchy of five reference models of the Federal Enterprise Architecture (FEA)

4) Information Systems Strategy

  • Understand the importance of IT strategic planning and the primary function performed by the Steering Committee

5) Maturity and Process Improvement Models

  • Know the definitions for CMMI, TSP and PSP
  • The IDEAL model from SEI is getting a lot of attention from ISACA

6) IT Investment and Allocation Practices

  • Go to the ISACA website and download the ValIT document and read it, enough said.
  • What does IT Portfolio Management allow organizations to do that the Balanced Scorecard doesn't?

7) Policies and Procedures

  • The highest policy is the organization's information security policy
  • Other security policies might include 1) data classification, 2) acceptable use, 3) end-user computing, and 4) access control
  • Know the different things to look for when you review the information security policy
  • Procedures are required and they are "step by step instructions" <-- that's a hint!!!!!

8) Risk Management

  • What are management's options? Avoid, Mitigate, Transfer, Accept
  • Know the different levels that IT Risk Management needs to operate at: Operational, Project, and Strategic
  • Understand the difference between Qualitative analysis, Semiquantitative analysis and Quantitative analysis
  • Know how to calculate Annual Loss Expectancy (ALE)
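Since the outline says you need to be able to calculate ALE, here is an added Python example (it is not from the article) that works the standard formulas through for a constructed scenario, SLE = AV x EF and ALE = SLE x ARO, and then uses the before/after ALE and the control's annual cost to choose between the Mitigate and Accept options listed above. The asset value, exposure factors, ARO and control cost are constructed sample numbers.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """One risk scenario expressed with the quantitative-analysis inputs."""
    name: str
    asset_value: float      # AV: value of the asset at risk, in currency units
    exposure_factor: float  # EF: fraction of AV lost in one occurrence (0.0 to 1.0)
    aro: float              # ARO: expected number of occurrences per year

    def sle(self) -> float:
        """Single Loss Expectancy: loss from one occurrence (AV x EF)."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy: SLE x ARO."""
        return self.sle() * self.aro


def control_value(before: Risk, after: Risk, annual_control_cost: float) -> float:
    """Net annual value of a control: ALE reduction minus the control's yearly cost.
    A positive number means the control saves more than it costs."""
    return before.ale() - after.ale() - annual_control_cost


def recommend(before: Risk, after: Risk, annual_control_cost: float) -> str:
    """Choose between two of management's options from the cost/benefit figure.
    Avoid and Transfer need other inputs (dropping the activity, insurance premium)
    and are not decided here."""
    return "Mitigate" if control_value(before, after, annual_control_cost) > 0 else "Accept"


# Constructed scenario: a public web server, with and without a web application firewall.
BEFORE = Risk("web server defacement, no WAF", asset_value=200_000.0, exposure_factor=0.25, aro=0.5)
AFTER = Risk("web server defacement, with WAF", asset_value=200_000.0, exposure_factor=0.05, aro=0.5)
WAF_ANNUAL_COST = 8_000.0  # constructed yearly licence plus admin time


if __name__ == "__main__":
    print(f"SLE before: {BEFORE.sle():,.0f}  ALE before: {BEFORE.ale():,.0f}")
    print(f"SLE after:  {AFTER.sle():,.0f}  ALE after:  {AFTER.ale():,.0f}")
    print(f"Net control value: {control_value(BEFORE, AFTER, WAF_ANNUAL_COST):,.0f}")
    print("Recommendation:", recommend(BEFORE, AFTER, WAF_ANNUAL_COST))
```

The same functions let you test the exam-style variant where the control costs more than the loss it prevents, in which case the answer flips to Accept.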

9) IS Management Practices (five sub-areas you will need to understand)

  • Human Resources Management (before, during and after)
  • Sourcing Practices (Insourced, Outsourced, Hybrid, as well as the concepts and definitions for Onsite, Offsite and Offshore)
  • Organizational change management - nothing gets changed without management approval
  • Financial Management Practices - you need to understand the concept of Chargeback
  • Quality Management - You need to be aware of QM and ISO9000 but ISACA does not test specifics on any ISO standard

10) IS Organizational Structure and Responsibilities

  • Roles and responsibilities - there's a chart in the CISA manual entitled Segregation of Duties Control Matrix; this is another one of those things to MEMORIZE
  • There are also some definitions specific to DBA and the QA personnel that you will need to read about

11) Auditing IT Governance Structure and Implementation

  • In this area you need to know that the first thing you do is "Gain an Understanding of the Business", which means reading the Information Security Policy
  • After that, go get the organization charts, job descriptions and your Memorized Segregation of Duties Control Matrix and see if you can find discrepancies

12) Business Continuity Planning (this is the new section which was moved from the old Disaster Recovery and Business Continuity Planning Domain 6)

  • First and foremost you have to have a Business Impact Analysis of all the business functions, then you need some evaluation criteria to determine which ones are critical
  • There are four (4) classifications for systems (Critical, Vital, Sensitive, Nonsensitive); memorize the definitions of each of the four
  • Why do you buy insurance? To transfer risk, of course
  • Another key element of BCP is testing, and you should know the different types, including preparedness tests and full operational tests

13) Auditing Business Continuity

  • Review the BCP
  • Review the test results - we're assuming they tested the BCP, of course - and they should have documented "Lessons Learned" <-- Another hint, ISACA likes this term

I hope this helps you understand Domain 2.

Kenneth Magee

Ken is President and owner of Data Security Consultation and Training, LLC. He has taught cybersecurity at the JAG school at the University of Virginia, KPMG Advisory University, Microsoft and several major federal financial institutions and government agencies. As CISO for the Virginia Community College System, Ken’s focus was the standardization of security around the ISO 27000 series framework. Writing is one of his passions and he has authored and/or co-authored several courses, including CISSP, CISA, CISM, CGEIT, CRISC, DoD Cloud Computing SRG and a course for training Security Control Assessors using NIST SP 800-53A. Ken has also achieved a number of certifications, including CISSP, SSCP, CCSP, CAP, ISSMP, ISSAP, ISSEP, CISM, CISA, CAC, CEH, ISO9000LA, ISO14001LA, ISO27001PA, Security+, CySA+, CASP, CTT+, CPT, GSEC, GSNA, GWAPT, CIA, CGAP, CFE, MCP, MCSA, MCSE and MCT.