DISA Module 5 by CA.Shweta Ajmera - Indore

Report
Module 5-DISA(ICAI)
By:
CA.Shweta Ajmera
M.Com,CA,DISA(ICAI)
[email protected]
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
MODULE 5
INFORMATION SYSTEMS ORGANIZATION
& MANAGMENT
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Information System Organisation &
Management
What is Information?
What is System?
What is Organisation?
What is management?
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Coverage – Module 5
This module covers 8 % of the DISA syllabus
i.e.approximately 16 questions.
It has been divided as follows:
Chapter 1 - Governance
Chapter 2 - The IS Management Process
Chapter 3 – Auditing Information Systems
Organisation & Management
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Unit-1
Governance
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
LEARNING GOAL
To understand as an auditor, structure of an IS
Organization and Management with respect
to various aspects of planning, policies,
standards, procedures and strategies.
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Meaning
What is Governance?
--- To Govern???
--- To control???
Who will be the authority to govern
any organisation???
Any example???
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
GOVERNANCE
•
Enterprise Governance
• Corporate Governance
• IT Governance
• E- Governance
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
ENTERPRISE GOVERNANCE
Definition:
• The Set of responsibilities and Practices
exercised by the Board and executive
management with the goal of :
 providing strategic direction
 ensuring that objectives are achieved
 ascertaining that risks are managed
appropriately
 verifying that the organization's resources are
used responsibly
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
ENTERPRISE GOVERNANCE
ENTERPRISE
GOVERNANCE
CORPORATE
GOVERNANCE
i.e. Conformance –
Accountability & Assurance
(external, historical view)
BUSINESS
GOVERNANCE
i.e. Performance –
Value Creation & Resource
Utilisation
(internal, futuristic view )
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
ENTERPRISE GOVERNANCE
Corporate Governance :
Conformance of processes –
state or act of adherence to
certain specification, standard or
guideline
•
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Conformance
Conformance deals with external
processes like:
•
•
•
•
•
•
•
Board committees - audits, remuneration and
nominations
Compliance with regulations
Roles of the chairman and CEO
Board of directors – composition, training, nonexecutive directors etc
Internal Controls
Risk Management
Executive remuneration
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Business Governance :
Performance
•-
Value creation and Resource Utilization.
Helping Board of Directors to :
 Make strategic decisions
 Understand its appetite for risk
 Identify its key points of decision
making
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Corporate
Governance
i.e.
Conformance
Business
Governance
i.e.
Performance
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
CORPORATE GOVERNANCE
Ethical corporate behaviour by directors or
others charged with governance in the
creation and presentation of wealth for all
stakeholders.
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Corporate Governance
OECD says: The distribution of rights and
responsibilities among different participants in the
corporation,
such
as
board,
managers,
shareholders and other stakeholders and spells out
rules and procedures for making decisions on
corporate affairs. By doing this, it also provides
the structure through which the company
objectives are set and means of attaining those
objectives and monitoring performance.
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Corporate Governance
Implications – Includes system for:
1.
2.
3.
4.
5.
6.
Managing and monitoring risks and
Companies must have an internal control system,
to (a) manage systems and (b) culture
Provide continued value addition to shareholders
& stakeholders
Maintain ethical corporate behavior – integrity,
openness, transparency, accountability
Implementation – dependent on right people,
making right decisions, at right time
Other – board committees, compliance, role of
CEO etc, board dynamics, & executive
remuneration
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Decision
making style
Info.
systems
Funct.
strategies &
policies
Goals
Culture &
Values
Compet.
advant.
Org.
structure
HR mant.
Mant.
of
systems
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Corporate Governance issues
determined success & failure
1.
2.
3.
4.
that
Culture, ethics and tone at the top
The role of the chief executive officer
The board of directors
The board of directors
Failures
Enron,Worldcom, Parmalat, Xerox
Successes
Tesco,Bangkok Mass Transit Systemand Southwest
Airlines
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Strategic Issues Underlying Success
& Failures
1.
2.
3.
4.
Choice and clarity of Strategy
Effective strategy execution.
Ability to respond to abrupt changes and
fast moving market conditions.
Ability to undertake successful mergers
and acquisitions
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Traditional Role of IT
•
•
Managing systems and project development
Managing computer operations and the data
centre
•
Training, staffing and developing IS skills
•
Providing technical services
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
New Role of IT (incorporating Traditional Role)
Initiation and design of strategic information systems
Infrastructure planning, acquisition, control and
implementing improvements
Linking the business with the Internet and e-commerce
processes
Systems Integration
Educating non technical staff about IT and technical
staff about the business
Support for end user computing through help desks
etc
Constant liaison with top management
Business process reengineering
Managing related outsourced function

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
INFORMATION TECHNOLOGY
GOVERNANCE
IT governance ensures that enterprise’s IT
sustains and extends the organization’s
strategies and objectives.
IT governance is a sub-set of corporate
governance
Ensures twin purposes:
 IT delivers value to the business, by aligning IT with
the objectives of the Organization.
 IT risks are reduced by embedding accountability
into the processes of the enterprise.
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
IT Governance- Purpose
IT delivers value to the business, by aligning IT
with the objectives of the organisation, and
IT risks are reduced by embedding accountability
into the processes of the enterprise
Dependant on availability of :
The right information to the
Right persons
At the right time
At the right place most effectively and efficiently
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
IT Governance-Some benefits
By ensuring that IT resources are used optimally
and responsibly, it helps to decrease costs and
therefore promote efficiency
By optimising resources for automation it
ensures effective use of resources
Helps the business to avail better opportunities
and maximise benefits by aligning IT and
business objectives
Promotes the management of risks by providing
for adequate security, compliance and
reliability of information.

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Who needs IT governance ?
Those enterprises where:
Good corporate governance is lacking
There is insufficient liaison between the
board and the IT department
IT is not a regular item on the board
meetings agenda
There are no well defined rules and
procedures
People are not clear about what IT is
doing
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Who needs IT governance ?
There are many IT mishaps
There are many IT issues pending
resolution for a long time
The IT skills are decreasing
There are frequent network problems
There is no planning for contingencies ,
etc

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
INFORMATION TECHNOLOGY
GOVERNANCE
Best Practices in IT Governance :
 IT / IS Assurance System – recommended best
practices and providing assurance on their compliance.
 IT Strategy Committee – differs from IT steering
committee and works as advisory to Board.
 The Balance Scorecard
Information security governance – CIA issues etc
Enterprise architecture – Zachmann model used to
map it assets to promote management, planning and
understand IT investments from technology and business
perspectives and align them with organisational goals.
Risk management – assessment & treatment
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
IT STRATEGY COMMITTEE
Its
scope includes not only advice on strategy when
assisting the board in its IT governance responsibilities but
also to focus on IT value, risks and performance.
This
is a mechanism for incorporating IT governance
into enterprise governance.
As
a committee of the board, it assists the board in
overseeing the enterprise’s IT-related matters by ensuring
that the board has the internal and external information it
requires for effective IT governance decision making.
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
IT BALANCE SCORECARD
The
standard IT balance scorecard is a process
management evaluation technique that can be applied to
the IT business governance process in assessing IT
functions and processes.
The method goes beyond the traditional financial
evaluation, supplementing it with measures concerning
customer ( user ) satisfaction, internal processes and ability
to innovate.
These additional measures drive organization toward
optimum use of IT, which is aligned with organization’s
strategic goals.
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
INFORMATION SECURITY
GOVERNANCE
Information
security governance is a sub-set of
corporate governance that provides strategic
direction for the security activities and ensures
objectives are achieved.

It ensures that information security risks are
appropriately managed and enterprise
information resources are used responsibly.
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
ENTERPRISE ARCHITECTURE
EA involves documenting
an organization’s IT
assets in a structured manner to facilitate,
understanding, management and planning for IT
investments.
An EA often involves both a current and
optimized state representation.
The current focus on EA is a response to the
increasing complexity of modern organizations, and
an enhanced focus on aligning IT with business
strategy and ensuring IT investments deliver real
returns.
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
ENTERPRISE ARCHITECTURE
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
E- GOVERNANCE
Refers to the use of information
technology in order to exchange
information and services with citizens,
businesses and other arms of the
government.
 Government – to – Citizen
 Government – to – Customer
 Government – to – Business
 Government – to - Government
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Best Practices in Enterprise
Governance :

Strategic Oversight

Enterprise Risk Management
 The acquisition process
 Board performance
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Strategic Oversight

IT Strategy Committee
Balance Score Card
 CIMA Strategic Score card

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
IT Strategy Committee
It is a preparatory committee.
 The Board is still responsible for taking
Strategic Decision.
 This committee is responsible for taking
major decisions.

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
CIMA Strategic Scorecard
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Enterprise Risk Management
This reconciles both the:
 Assurance
that the business understands risks
and is managing them actively i.e. conformance
 Need to better integrate risk management in
Decision Making activities at all levels i.e.
performance
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
The acquisition Process
Mergers & Acquisitions are increasing:
The Critical success factors are:
 Effective and experienced full time project
management
Thorough evaluation of synergies and ruthless
implementation
 Effective due deligence
 Use of experiences specialists in M & A
 Early identification of risks with appropriate risk
reduction actions.
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Board Performance
Performance Evaluation &
Measurement centre
 Dynamics
 Design

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Chapter 1 Q n A
1. Which of the following statements is
FALSE?
(a) The CIMA scorecard deals with strategic
position, options, implementation and risks only
(b) The balanced scorecard also brings into focus
non-financial performance indicators
(c) The new role of the IT department also includes
liaison with top management
(d) Corporate governance is a system for managing
risks only
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Chapter 1 Q n A
2. Which of the following statements is
FALSE?
(a) The balanced scorecard deals with financial and
non-financial performance measurements
(b) Information security need not consider issues
like authenticity, reliability, accountability and
non-repudiation
(c) Risk treatment is an integral part of risk
management
(d) The Zachmann model involves documenting the
organisations IT assets in order to align them
with the strategic goals of the organisation
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Unit-2
The Information
System Management
Process
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Agenda
To understand-managing IS
 PDCA cycle(Deming Cycle)
 PDCA-application to management processes
 Types of plans
 Steering Committee
 How to acquire the IS resources
 Control Methodologies
 Benchmarking
 Budgets and Variances etc

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Introduction
Objectives of organisation
 Importance of management
 Importance of managing the IS department
 PDCA-main role
 Planning
 Long range plans
 Short range plans
By steering committee
 Role of management

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Objectives of Organisation
To survive-It does this by:
 Identifying and meeting the needs of
customers & other stakeholders, in order
to achieve competitive advantage in an
effective and efficient manner
 To achieve maintain and improve its
performance and capabilities
 Systematic process is required

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Importance of Management

Management is an organ whose
performance determines the performance
and even the survival of the Institution.
The importance of management



Getting things done
Determine goals based on needs
Need to empower people with responsibility,
authority and accountability
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
What Management has to do?
Determine goals on the basis of customer
needs. Eg. Touchsreen mobile
 To implement and operate the required
resources and processes.
 To monitor and review the process and
resources.
 Maintain and improve the system
 Structure follows Strategy
 People power

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Importance of managing ISD
It has an operational as well as a Strategic
role to play in the success of organisation.
 E-commerce, E-Business, and other IT
initiatives
 To manage ISD , we have to understand
the IS management system properly

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Deming Cycle
Conceived by Walter Shewhart in 1930’s
 Popularised by Dr.W.Edwards Deming
(leader in Modern quality control)
 4 step Problem Solving Process for quality
management.
 In six sigma which is quality control
system, this is known as DMAIC- Define,
Measure, Analyse, Improve and Control.

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
PDCA
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
PDCA Examples
ISO 9001- Requirement for quality
management system
 ISO 27001- Required for Information
security management system
 The Pearl River-Newyork

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
The Planning function
What should be done?
 How should it be done?
 When should it be done?
 Who should do it?

A plan is an action statement
CFS-Critical Success Factors
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Planning
Long Range Plans
 Short Range Plans


This plans are the responsibility of
Steering Committee.
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Steering Committee
Appointment by-Board of directorsExecutive level
 Responsibilities-Charter –Approved by
Board
 Objective-IS department is aligned with
the organisation mission and objectives
 Chairman- Chaired by member of BOD
who understands information technology
risks and issues
 Representation

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Functions of Steering Committee
Board for large IS Projects only
 Review and Approve long range and short
range plans only
 Establish size and scope of IS function and
set principles
 Review and approve major acquisition of the
IS source within limits
 Approve and monitor the progress of major
project
 Liase between IS and the user department

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Advantages of Steering Committee
Top Management Involvement
 User representation
 Centralisation of Authority
 Promotes user ownership and systems
 Promotes Planning and Control
 Establishes user focus on IS

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Planning
Master Plan of the organisation- Main plan
prepared by BOD to guide the organisation
towards its objectives. It includes::
 A statement of mission, vision and values
 A statement determining strategic
objectives
 The strategies for achieving those objectives
 The factors that may favourably and
adversely affect the achievements of those
objectives
 Master plan is an aid for Long range and
short range plans

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Long Range Plans
Dimensions of Long range plans
----- Long Range----- Strategic Plans

Stratergy is derived from Greek word “
strategia”i.e art or science of being an
Army General which required them to
lead an army.
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Strategic Plans
3 Dimensions
 Time- 2 to 5 years
 Projects- clearly defined and to be
completed in time
 Goals- Link between goals of
organisation and projects are clearly
defines

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Inputs for effective and efficient
planning
Stratergy and defined organisation goals
 Needs of customers and stakeholders
 Statutory, Regulatory and Contractual
needs
 Evaluating performance data on product and
processes
 Previous experiences
 any related risk assessment and treatment
information

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Outputs of good Planning
Defined product outcomes and support
process
 Skills and knowledge required by people
 Responsibility, Authority and accountability
of processes and improvement plans
 Resource needs
 Metrics for evaluating performances
 Need for improvement methods
 Need for Documentation and Records

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Contents of Long Range Plans
Current IS assessments-what do we have,
or where are we?
 Future IS assessments: Where do we want
to be in next five years in order to meet
our strategic objectives
 Development Strategy: Methodologies
and Vision used to reach the stated
Strategic Objectives

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Methods of creating LRP
SWOT
Eg. Dell
It needs:
1. Team Building
2. Scenario Models
3. Concensus creating exercises

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Short Range Plans
Operational or Tactical Plans
 They are derived at regular intervals from
LRP
 Micro issues:
 Project Reports
 Resource Allocation
 Implementation Schedule
 Initiatives to be undertaken

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Why does Planning Process always
fails??
Time Consuming
 Other immediate tasks
 Intensive mental effort
 Future look more uncertain

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
POLICIES
One of the function of the Steering
Committee is to develop policies
-- which are implemented through
standards, Guidelines and Procedures for
ISD.
-- Internal controls will flow from creation
of policies, which are required to ensure
that the stated objectives are met

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
What is Policy?
Formal statement made by the
management of their overall intention and
direction
 A stated coarse of action with a defined
purpose and scope in order to guide.

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Effective Policies
Ideally in writing
 Clear, Concise, communicated in writing
 Under stood by all employees
 Regularly viewed and updated
 Be made by top management in order to
ensure consistency

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
IS -policies
Use of internet and email
 Data Security
 Change management
 Outsourcing
 Data retention
 Human Resources
 Project Management etc

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
STANDARDS
 They
are documents which state
management rules, legal and
regulatory issues that are mandatory
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
GUIDELINES
 To
choose most appropriate practice
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Procedures

Procedures are detailed documents that
define in writing how to ensure or apply
the policy

“ How to do it” statements
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
G
O
A
L
S
Business goals based on
customer & stakeholder
needs
Framework of
management intent
POLICIES
STANDARDS
GUIDELINES
PROCEDURES
Management rules,
legal and regulatory
issues, that are
mandatory
Framework for
understanding the
standards & the list of
tools to do it
How to apply the
policies i.e. how to do it
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Leadership




Energy
Energise
Edge
Execute
Eg: General Electric- Kack Welch was
appointed as the chairman of GE in 1981.
His immediate aim is to make GE the leader
in every business in which it was competing
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Importance of Leadership
Plan
Lead
Organise
Control
Innovation etc.
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
IS Resources- Acquisition
Applications
 Information
 IT infrastructure
 People

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Process
Process for the acquisition and
Development of IT hardware will cover
process like
 Make or Buy Decisions
 Inhouse or Outsourced Acquisition and
Development and so on
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Acquisition & Implementation
of resources
Policies lead to determination and acquisition of
resources and processes
Processes lead to procedures and work instructions
which should be documented
Procedures should be capable of
a) Verification – confirmation that procedure is
accurate and complete at a low level, e.g. have we
built the right product in accordance with
specifications.
b) Validation – corroboration that procedure is
right or wrong in that context at ahigher level
against standards and rules, e.g. did we build the right
product as per user requirements, and
c) Approval.
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Framework of
management intent
derived from
business goals
Policies
Set of interrelated
processes
Systems
Set of inter-related
activities which
transform inputs
into outputs
Processes / Practices
Procedures
Detailed steps
to perform an
activity
Documented processes
which can be verified,
validated & approved
Work Instructions
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Implementation of Processes
What are Benchmarks?
 How much should we spend on ID
department?
 Are we getting value from IS department?
 What are the goals of Benchmarking?
 -- Ultimate goal is to implement the Best
Practices
 Where are Benchmarking Statistics
Obtained from?

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Implementation - Benchmarking
processes
Definition – performance comparisons
Goals – import best practices
Sources – ITIL, IBC, QAIINDIA.com,
STQC.NIC.IN
Examples – system workloads, CPU
performance, quality
processes, etc
Problems – may lead to higher spending, no
relationship
with organisational performance, value addition
may be
subjective, plagiarism by competitors
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Financial Management Process
IS Budget and Variances
 User Pays scheme and Transfer Prices

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
User Satisfaction Survey Process
To determine the effectiveness of the IS
department after the users and the IS
department have agreed on the level of
service through service levels or
operating level agreements
 The basic beliefs that undertakes is that
the user satisfaction is highly correlated
with system success and at regular
interval management should provide
customer satisfaction

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Capacity management and Growth
Planning Process

Process of Planning, Sizing and continously
optimising the IS capacity in order to
meet long and short term business goals
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Implementation - Capacity Management
processes
Benefits
Better customer satisfaction
Justification for spending
Avoid incorrect capacity sizing
Reduce capacity failures
Better alignment with business goals and IS resources
Better service level management
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Goal Accomplishment Processes
 Actual
with the Standard Fixed
i.e. Predefined Business and IT
Goals
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Implementation - Goal accomplishment
processes
Objective
Determine system effectiveness by comparing actual
performance against defined business and IT goals i.e. Key
Goal Indicators (KGIs)
Examples
Productivity improvements like lower data entry time
taken and errors
Meeting customer requirements for quality
Standardisation of processes
Lower hardware or software errors
Lower IS risks
Lower security violations etc
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Performance Management
Processes/ Indicators

Measurement is important, if anything
cannot be measured than it cannot be
improved on
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Implementation – Performance
Measurement
processes
Objective
Measure performance to make improvements through Key
Performance Indicators (KPIs)
Uses
Measure products / services
Assure accountability
Make budgeting decisions
Optimise performance
Phases
Plan, Data collection, Check performance, Action for
improvements
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Implementation - Performance measurement
processes
Examples
Better use of bandwidth
Lower non-compliances with internal standards
Lower cost and efficiency of processes
Reduced complaints
Better quality
Lower errors
Improved staff productivity
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
QUALITY MANAGEMENT PROCESSES
What is Quality Management?
 It is a system of
 Processes and activities considered
necessary
 in order to plan , develop, monitor and
improve a product or service
 in an effective and efficient manner
 in order to meet the stated requirements

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
ISO
ISO – word derived from ISOS or ISO
which in Greek and French, both means
equal
 Equal means– it must contain uniform or
standard characteristics
 ISO stands for The International
Organisation for Standardisation founded
in 1946 and is based in Geneva,
Switzerland

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
ISO Certification
ISO is not responsible for certification,
 Certification is actually done by over 750
accredited certifying organisations in the
world.
 Certification is not mandatory- its
requirement of a client or organisation

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Technical Standards in early times
ISO
Number
ISO 216
Explanation
ISO 838
Punching filing holes into papers
ISO 2108
International Standard Book Numbering
(ISBN)
Identification cards- Physical characteristics
ISO 7810
ISO 7816
Paper sizes
Identification cards Integrated Circuit
cards
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Technical Standards in early times
ISO
Number
Explanation
ISO 9899
C Programming language
ISO/IEC
10026
Open System Interconnection
ISO/IEC
11179
Information technology-metadata registries
ISO 15930
Portable Document format(PDF)
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
ISO- two generic standards
ISO 14000 series: This series deals
with Environment Management
System9s.
 ISO 9000 series: Deals with QMS
(Quality Management systems).

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
ISO 9000 series
Objective:
It gives confidence to the management
and its customers, that it is in control of
the way it conducts its business.
It
prescribes what standards the
organisation
should
met,
leaving
organisation free to conduct and organize
their business processes as they wish
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
ISO 9000
 Certification
 The
Certification is valid for 3
years subject to the periodic
assessments by the certifying
bodies like British Standard
Institute, Det Norske Veritas,
Bureau Veritas (BVQI) etc
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
ISO 9000:2000
Provides the starting point for
understanding the standard and
it defines the fundamental
terms and definitions used.
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
ISO 9001:2000
This deals with the requirements i.e understanding
the standards for Quality management systems. It
stresses on :
1. Managing and measuring performance in all
spheres in the organisation.
2. The
need for a documented quality
management system in all areas like quality
manuals, human resources, purchasing etc. It
enables each individual organisation to decide
on the minimum amount of documentation
required to demonstrate the effective planning,
operation & control of its processes.
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
ISO 9001:2000
Based on Eight Management Principles
1. Customer focus
2. Leadership
3. Involvement of people
4. Process Approach
5. System Approach to management
6. Continual Improvement.
7. Factual Approach to Decision making
8. Mutually beneficial Supplier relationship
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
ISO 9004:2000
This provides guidance on the
Quality management systems and
concepts for continuous process
improvements
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
ISO 9126- Software Quality Model
This is an international Standard for
evaluation of quality of software products
which include source code, executables,
architectural descriptions etc.
This standard is divided into 4 parts
ISO 9126-1
ISO 9126-2
ISO 9126-3
ISO 9126-4
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
ISO 9126-1 Quality Model
This part classifies the software quality in a
structured set of six attributes and several
subrelated sub attributes as follows:
Functio Are the required functions
nality
available in the software?
Sub
Suitability, Accuracy,
attribute Interoperability, Compliance,
s
Security
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
2.
Is the software capable enough
Reliability to maintain its level of
performance?
Sub
Maturity, Recoverability, Fault
Attributes Tolerance
3. Usability
Is the software easy to use?
Sub
Attributes
Learnability, Understandability,
Operability
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
4. Efficiency
Does the software use the least
amount of resources?
Sub-Attributes Time behaviour and resourse behaviour
5.Maintainabilit Can the software be modified easily?
y
Sub-Attributes Stability, Analysability, Chargeability,
Testability
6. Portability
Can the software be easily transferred
from one environment to another?
Sub-Attributes Installability, Replaceability, Adaptability,
Conformance
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
ISO 9126-2 External Metrics: This
metrics apply to running software
ISO 9126-3 /internal Metrics: These are
statistics that do not rely on software
execution
ISO 9126-4 Quality in Use matrics
These are available only when the final
product is used in real life conditions
Ideally the internal quality determines the
external quality and external quality
determines the quality in use.
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
The Software Capacity Maturity
Model (CMM)
Initially developed by The Software Engineering
Institute of Carnegie Mellon University in 1986.
 The Project was funded by the US department
of Defence, in order to establish

standards for excellence in software
engineering.
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
CMM
Soon going to release:
ISO/IEC 25001:2007- software engineeringSoftware product Quality Requirements
and evaluation (SQuaRE)
ISO/IEC 25030:2007: Software engineeringSoftware product Quality Requirements
and
Evaluation
(SQuaRE)Quality
requirements
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
CMM- Assumption
The basic Assumption of CMM is
that the quality of the software
product is a direct function of the
associated
development
and
maintenance processes.
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
CMM- Application
It is used by
organisation to:
the
software
development
Identify best practices required to assist them
in increasing the maturity of their processes
and
2. Develop the means to graduate towards a
culture of excellence in software engineering
and management, in order to achieve their
goals.
1.
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Definition- Sourcing Processes
The procurement practices of an organisation
in order to find, evaluate and engage vendors of
goods and services are called Sourcing
Processes. It involves several activities
 Timely identification of assets
 Evaluation of product cost, performance and
delivery
 Quality needs
 Contract administration, guarantee.
 Reduction of vendor related costs

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Outsourcing
•
•
•
Contractual agreement to hand over control of part or
all of the functions of the IS department to an external
party
Reasons for outsourcing:
 Desire to focus on core activities
 Pressure on profit margins
 Increasing competition that demands cost savings
 Flexibility with respect to organization
Variants : Out- tasking , Co-sourcing
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
OUTSOURCING
•
Services which can be outsourced:
 Data entry
 Design and development
 Maintenance of existing applications
 Conversion of legacy applications to new
platforms
 Operating the help desk or call centre
 Operations processing
Data centre operations or maintenance
Back up operations
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
OUTSOURCING
•
•
Advantages of Outsourcing:
 Economies of scale
 Outsourcing vendors are more effective and
efficient
 Outsourcing vendors are more experienced with
wider array of problems, issues and techniques
Disadvantages/Risks of Outsourcing:
 Loss of internal IS experience
 Costs exceeding customer expectations
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
OUTSOURCING
•
Disadvantages/Risks of Outsourcing (continued):
 Loss of control over IS
 Vendor failure
 Deficient compliance with legal requirements
 Lack of loyalty toward customer
 Difficulty of reversing or changing outsourced
arrangements
 Disgruntled customers or employees
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
OUTSOURCING
•
Controlling the disadvantages/risks:
 Establish measurable & shared goals and rewards
 Use multiple suppliers
 Perform reviews
 Implementing short term contracts
 Ensuring adequate access and security controls
 Ensuring damage indemnification clause in contracts
 Adequate address of BCP and DRP measures
 Ensuring right to audit
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
OUTSOURCING
•
Steps in IS audit of Outsourcing:
 Review of contract and service level determined
 Review service provider’s documented procedures
 Review the monitoring process for compliance with
terms of SLA
 Check the compliance with cross-border legislation
 Check compliance of access control procedures and
security controls by the employees of service
provider
 Check the process of escalation in case of violation
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Personnel management
•
Personnel management relates to polices and
procedures:
Hiring Policies
 Promotion
Training
Scheduling and Time Reporting
 Performance Evaluation
Employees Handbook
 Termination
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
PERSONNEL MANAGEMENTHIRING POLICIES
•
•
Hiring practices are important to ensure effective and
efficient staff is chosen and compliance with legal recruitment
requirements.
Hiring Policies should include:
 Background checks
 Confidentiality agreements
 Formal documented job specification
Recruitment mix – internal/external. Internal is
important to maintain high morale and external is
important for inducting new knowledge.
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
PERSONNEL MANAGEMENTHIRING POLICIES
 Non-compete agreements
 Conflict of interest agreements
 Training of Employees
 To address Control risks of Hiring:
o Staff unsuitability for Job
o Reference checks may not be carried out
o Temporary staff and third party staff risks
o Lack of awareness of confidentiality
agreements
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
PERSONNEL MANAGEMENTIndoctrination

These programs for staff are normally
given on or soon after joining in order to
ensure that the staff is made aware of the
organisation corporate culture and code
of conduct.
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
PERSONNEL MANAGEMENTIndoctrination
The program should explain:
 The organisation policies and procedures
 Security policies and procedures
 Employer expectations, company
exceptions, employees benefits etc and
overtime rules.
 Prohibition of outside employment
 Performance appraisal process
 Emergancy procedure in case of fire etc
 Disciplinary proceddings

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
PERSONNEL MANAGEMENTPROMOTION POLICIES
•
Promotion policies should fair and understood by the
employees.
• Policies should be based on
•
 Objective criteria
 Fair
 Applied consistently
IS auditor to ensure – well defined policies and
procedures for promotion & organization’s adherence.
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
PERSONNEL MANAGEMENTTRAINING
•

Regular training is important, particularly for IS
professionals due to rapid change of technology
and
 products
• Training ensures effective and efficient use of
resources
• Training to cover general management, project
management
 and technical aspects
• IS auditor to ensure :
 Training program covers all essential aspects
 Training is ensured across to all departments
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
PERSONNEL MANAGEMENTTRAINING
 Newly
joined employees are trained with in
specified time.
 Consistent awareness regarding key aspects of
security policy
 Proper maintenance of minutes of training
programs
 Ensuring improvement based on feedback
forms
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
PERSONNEL MANAGEMENTTRAINING- Secured Networks
•
•
•
•
•
Pls do not keep any un-solicited Files in your PC or
Shared Folders.
Pls do not download/install any unlicensed/freeware
software without proper approvals.
Do not keep any confidential data in the shared
folders.
Pls do not use Thumb Drives/Mini Hard Disks
without the permission of IT.
Keeping Songs, Personal Photographs, Personal
Video Files in the PCs/Laptops/Shared Drives is
strictly not allowed.
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
PERSONNEL MANAGEMENTTRAINING- Secured Networks
•
•
•
•
•
•
•
Avoid Keeping business unethical files in your PC/
Laptops (film songs, personal video clips, personal
Photographs, etc.
Avoid downloading share/ freebies from Internet
and install.
Avoid installing unlicensed software/ driver files in
your PC/ laptop.
Avoid sharing of passwords among your friends.
Don’t use one User ID in multiple systems unless
authorized after submission of SOD.
Avoid misuse of data/ sharing of data with external
people without approval.
Avoid opening Mail attachments from unknown
sources
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
PERSONNEL MANAGEMENTSCHEDULE AND TIME REPORTING
•
•
•
•
Scheduling provides for more efficient
operation and use of computing resources
Time reporting facilitates monitoring of
Scheduling
Time reporting – excellent tool for IT
Governance : Helps in cost allocation and
KGI and KPI measurement
Provides basis for manpower planning
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
PERSONNEL MANAGEMENTPERFORMANCE EVALUATION
•
•
•
•
Most important after Training
Process should be objective and neutral
Helps to gauge employee aspirations and
satisfaction & identify problems
Should be extensively used for
identifying developmental/ training needs
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
PERSONNEL MANAGEMENTEMPLOYEE HANDBOOK
•
Employee handbook should contain:
 Security policies and procedures
 Company expectations
 Employee benefits
 Vacation policies
 Overtime rules
 Emergency procedures
 Disciplinary actions for : excessive leave, breach
of
confidentiality and/or security
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
PERSONNEL MANAGEMENTEMPLOYEE HANDBOOK
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
PERSONNEL MANAGEMENTVACATION POLICIES
•
•
•
Reduces the opportunity to commit
improper or illegal act by employee
Opportunity for others employees to learn
Re-energize the employee
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
PERSONNEL MANAGEMENTTERMINATION POLICIES
•
•
Written termination policies with clearly defined steps
Should definitely include :
Return of all access keys, ID cards and badges
Deletion/ Revocation of login IDs and passwords
Notification to appropriate staff and security
personnel
 Arrangements of final pay routines
 Performance of termination interview
 Return of all company property
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
DOCUMENTATION PROCESSES
Documentation is an important factor
affecting the time taken to complete a
project.
 Also to ensure that processes are
effective and efficient
 ISO 27001 and ISO 9001
 Legal, regulatory and contractual
requirements

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
DOCUMENTATION PROCESSES
It should exist for the primary functions
within the IS enterprise
 IS operations
 System Software
 H/w and s/w acquisition and maintainance
 Application s/w
 Management reporting
 Physical and logical reporting
 Time reporting
 Short and Long term planning
 Quality processes

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
MANAGEMENT
STRUCTURES
PROJECT
MANAGEMENT
LINE
MANAGEMENT
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
IS MANAGEMENT STRUCTURE
•
Two types of management structure
 Project Management Structure :
o Created to accomplish specific project
o Specific tasks and deliverables
o Specific start and end time
o Staff can be drawn from Line management structure
o IS auditors may be included for better controls and expertise
 Line management structure
o Responsible for regular business processes and operations
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Project Management
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
LINE MANAGEMENT
STRUCTURE
•
It normally deals with the daily routine
functions which are not related to projects.
• The main aim of IS management subsystem is to
ensure that the development, implementation ,
operation, and maintanance of the Information
Systems proceed in a planned and controlled
manner
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
LINE Management
Top Management /
Board of Directors
IS Management /
Chief Information
Officer
Application
Information
Processing (IP)
Manager
Systems
Development
Manager
Application
Systems
Analysts
Application
Programmers
DA/
DBA
Quality
Assur
Security
Computer
Operations
(See below)
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Roles performed by Personnel in IS
department
CIO(Chief Information Officer)
 Roles and Responsibilities
 The CIO reports to the Chief Operating
Officer or the Board of Directors
 He is the overseer of all the IT activities
 He is not involved in day to day activitieshe focuses on Business, IT planning and
strategy.

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
CIO(Chief Information Officer)
Controls:
 Regular interface with the BOD
 Training and other appropriate HR
controls
 Documentation of work
 Access should be granted on “need to
know”, “need to do” basis

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
CIO(Chief Information Officer)
Risks
Inadequate interface with the top
management may result in the loss of
alignment with business and IT processes.
 This position may give him unrestricted
access to the system
 Inadequate background checking and
performance review may bring in
uncontrollable risks.

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Application System Development
Manager (ASDM)
Roles and responsibilities
To oversee the work of:
1. Application systems analyst
2. Application programmers, who design
develop and maintain new or existing
application programs

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Application System Development
Manager (ASDM)
Controls:
 Employ a competent and trusted person
by deploying the HR controls
 Regular interface with the CIO
 His work should be documented and
subject to regular reviews
 Access should be granted on a on “need
to know”, “need to do” basis

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Application System Development
Manager (ASDM)
Risks
 Inadequate communication with the CIO
may result in the loss of effectiveness and
efficiency
 Work may have not been documented
and subject to regular reviews
 Access may have been granted without
reference to his job needs

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Application System Analysts
Roles and responsibilities
 Responsible for designing the application
systems based on User specifications
 It results in the development of functional
specifications and other high level systems
design documents required by the
application programmers

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Application System Analysts
Controls:
 Employ a competent and trusted person
by deploying the HR controls
 His work should be documented and
subject to regular reviews
 Access should be granted on a on “need
to know”, “need to do” basis

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Application System Analysts
Risks
 Inadequate communication with the CIO
may result in the loss of effectiveness and
efficiency
 Work may have not been documented
and subject to regular reviews
 Access may have been granted without
reference to his job needs

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Application System Programmers
Roles and Responsibilities
 To develop new application systems
 Maintain the existing production systems
based on the design made by the
application systems analyst.

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Application System Programmers
 Controls
 Employ a
competent and trusted person by
deploying the HR controls
 He should not have access to live programs
and data
 he should work in test only environment
 he should not be allowed to have any
change control duties that would enable him
to say, modify a program and launch it in the
live environment without going through
change controls like quality control, security
and end user sign off.
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Application System Programmers
Risks
The main risk are the manipulation of live
programs and the data in order to
perpetrate fraud

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Data Management


Data Administrator(DA)
Database Administrator(DBA)
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Data Administrator
Roles and Responsibilities:
 The role may be found in large IT
environments only
 He is responsible for the long term
planning of the data architecture and
management of data.
 It is basically a policy making and
administrative role.

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Data Administrator
The DA functions are to:
 Undertake strategic data planning,
determining user needs
 Specifying validation criteria for data
 Specifying new conceptual and external
schema definitions
 Specifying retirement policies for data
 Determining end user requirements for
database tools, testing and evaluating end
user database tools

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Data Base Administrator
Roles and responsibilities:
 Define, manage, create and retire the data
 Specify and change the physical data
definition
 Make the data available to the users
 Service the end user needs
 Maintain the database integrity
 Monitor database operations
 Set up new installations, perform upgrades
and migration

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Data Base Administrator
Select and implement database optimisation tools.
Test and evaluate programmer and optimisation
tools
 Implement database definition controls, access
controls, update controls and concurrency
controls
 Monitor database usage, collect performance
statistics and tune the database
 Define and initiate backup and recovery
processes and procedures
 Ensure security of the data
 Mediate between users in the case of conflicting
requirements


CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
DA and DBA
Controls
 Separate the duties of DA and DBA
wherever possible
 The DBA’s job profile and activities should
be approved by the management
 Access logs should be reviewed by an
independent person
 The use of the database tools should be
subject to defective controls
 Employ a competent and trusted person by
deploying the HR controls

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
DA and DBA
Controls
 He should be given appropriate training
in the latest DBMS tools and systems.
 He should not have any application
programming or end user responsibilities
 He should be prevented from accessing
live data in the databases

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
DA and DBA
Risks
The DBA is a very technical person who
can use the tools to access and modify
live data and programs in order to
perpetrate a fraud

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Quality Management
It includes:
 Formulate quality goals
 Implement standards
 Monitor, processes, reports and train
users
 Suggests programs for obtaining
improvement in the processes

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Quality Management
Roles and Responsibilities
a. Quality assurance manager
b. Quality Control Manager

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Quality Management
Controls
 Competent and trusted person
 Appropriate training
 He is a checker and not maker
 Report to CIO

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Quality Management
Risks
There will be impairment in quality
processes if:
 a person is allowed to carry out a quality
review of his own work
 Incompetent person are recruited due to
inadequate HR controls
 Quality management do not have
independence in their reporting function

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Security management
Roles and responsibilities:
Top management should demonstrate their
commitment to security by developing an
Information security management policy
within the characteristics of the Business,
its assets, its technology and the
organisation.
This includes DRP’s

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Security management
Controls
 He should report to CIO directly in order
to maintain his independence. In small
organisation where this is not possible, he
may report to the operations manager, in
which case some compensation controls like
monitoring and awareness shall apply.
 A competent and trusted person
 Training
 He is a Checker not the maker

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Security management
Risks
There will be an impairment in the security
management process if:
 the security manager is allowed to carry out
conflicting work like application
programming
 Imcompetent or dishonest persons may be
recruited due to inadequate HR controls
 The security manager does not have
independence in the reporting function.

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Technical Support Manager
Roles and Responsibilities:
He is responsible for seeing the following
technical support:
 Systems analyst
 Systems Programmer
 Systems Administrator
 Network Administrator
 End user support manager
• Controls:
• Competent person
• Risks:
• Incompetent or Dishonest persons

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Systems Analyst
Roles and Responsibilities:
 Designing of Operating system
 Responsible for designing System
Software
 They interpret users needs and develop
according to the users requirement.

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Systems Analyst
Controls:
 Competent and trusted person
 Activity to be recorded in the computer
logs
 Need to know , need to do basis
• Risks:
 Inappropriate HR controls
 If computer logs are not enabled, any
breach of security will remain undetected.

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Systems Programmer
Roles and Responsibilities
 Programers are responsible for
developing and maintaining the operating
systems and systems software designed
by the system analyst.
 They have complete access to the system
libraries

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Systems Programmer
Controls
 Competent and trusted persons
 Computer logs
 Need to know/ Need to do
 User of domain administration and
superuser accounts should be tightly
controlled and monitored

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Systems Programmer
Risks
 Inappropriate HR controls
 If computer logs are not enabled, any
breach of security will remain undetected

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Systems Administrator
Roles and Responsibilities
Every large organisations have LANs , each LAN will
require an administrator. The responsibilities and
function includes:
 creation and deletion of user accounts
 installation and maintanance of systems software.
Taking proactive virus prevention measures
 Allocating storage space
Maintenance of multi user computer systems
 Backups
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Systems Administrator
Controls:
 Employ competent and trusted person
 Computer logs
 Need to know/need to do basis
 He should not having any application
programming duties

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Systems Administrator
Risks
 Inappropriate HR controls as discussed
earlier may lead to employment of
persons who may be incompetent
 If the computer logs are not enabled than
any breach of security will remain
undetected

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Network Administrator
Roles and Responsibilities
 Responsible for the entire n/w of the
organization which may include LAN’s,
WAN’s and wireless communication
 N/w performance management, remote
access etc
 Technical and Administrative control over
the LAN

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Network Administrator
Controls
 Employ competent and trusted person
 Computer logs
 He should not having any application
programming duties

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Network Administrator
Risks:
 Inappropriate HR controls as discussed
earlier may lead to employment of
persons who may be incompetent
 He may breach the confidentiality,
integrity and availability of the data by
eavesdropping on the communication
between two nodes on the network or by
denial of service attack

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
End User Support Manager
 Roles
and responsibilities
Responsible for the liaison between
the end users and the IS department,
including the management of
helpdesk
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
End User Support Manager
 Controls
 Users complaints
should be alloted a
complaint number.
 The complaint should be forwarded to the
appropriate engineer
 All unresolved problem should be followed
up and closed by an independent person
 Competent and trusted staff should be
employed
 Complaints should be periodically
summarised
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
End User Support Manager
Risks
 Inappropriate HR controls as discussed
earlier may lead to employment of
persons who may be incompetent
 Computer logs if not enabled , the
resolution, frequency and nature of
complaints will remain undetected

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Operations Manager
Roles and Responsibilities
 Responsibility for computer operations
personnel including computer operators,
librarian, data entry personnel and
maintainance operators.
 They are also responsible for the physical
and data security of the department

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Operations Manager
Controls
Competent and trusted persons should be
employed
Only operations personnel should have
access to the operations department
Need to know/ need to do access principle
will apply
All operations and programming functions
should always be separated

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Operations Manager
Risks
 Incomoetent or untrustworthy persons
 Unauthorised access to the operations
centre may result in Breach of security

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Computer Operators
Roles and responsibilities
 They are responsible for schedulling and
allied activities in order to run the
computer system effectively and
efficiently.

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Computer Operators
Controls & Risks
Same as Operations manager discussed
above

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
LIBRARIAN
Roles and Responsibilities
He is the stock keeper of all data and
program files kept on storage media like
tapes and hard disks.
He is responsible for recording,
issue,receipt and maintanance of
computer files and the data.

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
LIBRARIAN

Controls:
Competent and trustworthy person
 keep a log of all files
 Provide for appropriate physical and
environmental controls in order to protect
the data from damage
 File Retention are maintained for all files
 Segregate sensitive files
 Onsite and offsite backups
 Files are up to date and have internal and
external file headers
 Software safety and license

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
LIBRARIAN
Risks
Incompetent or trustworthy staff
 Unauthorized access to the library may
result in breach of security

CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
CHECK

This stage involves analysing the data,
monitoring trends and comparision of
Actual Results against the Plan results
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Act

The purpose in this phase of the Deming
Cycle is to apply necessary actions in
order to bring about necessary
improvements. This may involve repeating
the PDCA cycle with changes , adopting
the change or abondoning it and restart
the planning Process.
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Chapter 3
Auditing Information
Systems Organisation &
Management
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Auditing IS O & M
Checklists
Create a checklist of the areas to be covered which
leads
the IS auditor to ask the following questions:
•
Who
•
What
•
When
•
Where
•
Why
•
How
•
Show me
•
Tell me
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Auditing IS O & M
Checklist – Benefits
Determines the sample relevant to the audit.
Formalises the audit process by defining the audit
procedures.
Creating the checklist requires some amount of
research which helps in the auditor’s understanding
of the processes.
Helps in maintaining the pace of the audit.
Assists in keeping the audit objectives clear.
Acts as a historical record which can be used as an
internal cross reference to the audit report.
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Auditing IS O & M
Checklist – Benefits
◦ Reduces the auditor’s workload.
◦ Assures a degree of auditor professionalism.
◦ Ensures that the auditor is aware of the processes to
be audited.
Checklist – Disadvantages
◦ May become a tick list of YES/NO answers only.
◦ If the process is not in the checklist it may not be
covered during the audit.
◦ It may reduce initiative and proper analysis of the
processes.
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Auditing IS O & M
Read / Review Documentation
• IT Strategies , Plans, Budgets
• Security Procedures
• Organisation Charts
• Paper Job Descriptions
• New Projects
• New HW/SW
• HRD Policies etc.
• Operations Manuals
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Auditing IS O & M
Read / Reviewing Contractual
Commitments
•Development of contract requirements
•Contract bidding process
•Contract selection process
•Contract acceptance
•Contract maintenance
•Contract compliance
•Legal Clearance
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Auditing IS O & M
Inspect , Interview and Observe processes
and personnel in the performance of duties
• Actual Functions
• Security Awareness
• Reporting Relationships
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Auditing IS O & M
Test
•Policies
•Processes
•Procedures
•Paper / electronic records to collect and evaluate
evidence
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Chapter 2 Q n A
3. Which of the following statements is
FALSE?
(a) Management is the art of getting things done in
order to meet the objectives of the organisation
(b) Successful management is built on empowering
people with responsibility and authority
(c) Management must determine the goals of the
organisation based on customer needs
(d) Effectiveness precedes efficiency in successful
management
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Chapter 2 Q n A
4. Which of the following statements is
FALSE in connection with planning?
(a) It involves deciding in advance what should
be done amongst other things
(b) It is an action statement
(c) It should be entrusted to the IS steering
committee only
(d) It is best practice applicable to the private
sector only
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Chapter 2 Q n A
5. Which of the following statements is
FALSE in connection with the IS steering
committee?
(a) It oversees IS activities
(b) It should be chaired by a non-technical
board member
(c) It should have representation by user
management
(d) Its meetings should be minuted
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Chapter 2 Q n A
6. Which of the following statements is
FALSE in connection with strategic
planning?
(a) Such plans have a time span of less than one
year or one business cycle
(b) The projects to be completed are clearly
defined
(c) The plans have a strong link with
organisational goals
(d) The plans are approved before
implementation
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
Thank You
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)
See you tommorrow.. Have a nice evening
CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)

similar documents