Enterprise Architecture Exam 1


79 Terms

1

What is enterprise architecture?

The engineering and structure of an enterprise's mission, organizations, functions, and database domains, extended and/or integrated with its other technical architectures (hardware, business information systems, and business events)

2

What are the elements of EA?

1.) Governance

2.) Principles

3.) Method

4.) Tools

5.) Standards

6.) Value

7.) Reporting

8.) Audit

3

What are components of EA?

Changeable goals, processes, standards, and resources that can be extended to a specific line of business

4

What are the types of EA components and which areas do they cover

1.) Vertical Component: serves one line of business

2.) Horizontal (crosscutting) Component: serves several lines of business

5

What is current EA and what does it do?

1.) What is it?

- Contains the components that currently exist in the EA

- Consists of artifacts (documentation, spreadsheets, charts, etc.)

- Referred to as the "As-is" view

2.) What does it do?

- Creates a baseline inventory

- Assists in predicting future plans, project planning, asset management, and decision making

- Finds gaps in current architecture

6

What is future EA and what areas does it focus on?

What is it?

- The outline of the EA after the current deficiencies in performance have been identified and adjusted for

- Changes can be short term (1-2 years) or long term (3-10 years)

What areas?

- Strategic and tactical

- New direction and goals

- Changing business priorities

- Emerging technologies

7

What are the 7 main policies in EA?

1.) Data Classification

2.) System Classification

3.) Site Classification

4.) Access Control

5.) Mobile Device

6.) Social Media

7.) Other

8

What is Data Classification Policy?

Defines:

- Degrees of sensitivity for the various types of information used

- At least two data classification levels (e.g. top secret, secret, sensitive, public)

- Policies and procedures for handling information at each of these levels in various settings

9

What is System Classification Policy?

- Establishes levels of system security

- Helps the organization be more deliberate with system hardening standards (systems storing the most sensitive information receive the highest level of hardening)

10

What is Site Classification Policy?

Defines levels of physical security for an organization's work sites

11

What is Access Control Policy?

- Defines the need for specific processes and procedures related to granting, reviewing, and revoking access to systems

- Often linked to the data classification policy (stricter access controls protect the most sensitive information)

12

What is Mobile Device Policy?

Defines use of mobile devices and personally owned devices in context of business operations

13

What is Social Media Policy?

Defines employee's use of social media

14

What makes up the other policies?

- Equipment control: Addresses appropriate use of IT and equipment

- Data destruction: Defines acceptable and required methods for disposal of info

- Moonlighting: Addresses outside employment (second job)

- Intellectual property: Ownership of intellectual property that is created, accessed, or used

15

What questions guide the Governance duties?

1.) Is it big?

2.) Is it about the future?

3.) Is it core to the mission?

4.) Is a high-level policy decision needed to resolve a situation?

5.) Is a red flag flying?

6.) Is a watchdog watching?

7.) Does the CEO want and need the board's support?

16

What is the difference between IT governance and IT management? (general)

Governance: Determines strategic direction

Management: Takes the strategic direction and translates it into actions

17

What is IT governance?

A collection of top-down activities intended to control the IT organization's strategic direction from the business perspective

18

What are the products/activities in IT governance?

1.) Policy - should directly reflect the mission and goals of the organization

2.) Priorities - IT priorities should flow from overall organizational priorities

3.) Standards - help drive a consistent approach to business challenges in a cost-effective and secure manner

4.) Vendor Management - selecting and overseeing the suppliers the IT organization relies on

5.) Program and Project Management - IT programs and projects should be performed in ways that reflect the priorities

19

Why is an IT balanced scorecard used?

To measure effectiveness and progress

20

What are the 4 perspectives of the IT balanced scorecard?

1.) Business Contribution - IT department effectiveness and value as seen by non-IT executives

2.) User - end-user satisfaction with systems and support

3.) Operational Excellence - number of support cases, amount of unscheduled downtime, and defects reported

4.) Innovation - rate at which new technologies are used to increase IT value, and training made available to staff

21

What are the two types of EA models?

1.) Zachman Model

2.) Data Flow Diagram

22

What is the Zachman Model?

- A high level overview of EA that gets increasingly more detailed as you dive deeper into specific areas of EA

- Allows orgs to view cross-sections of an IT environment supporting business processes

- Does not convey relationships between IT systems

23

What is the Data Flow Diagram?

- Diagrams that show the flow of info between IT applications

- Like Zachman, DFDs can be high level overviews but can be accompanied by written specifications that allow deeper insight into each aspect of the EA

24

What is the purpose of Policy, Processes, Procedures, and Standards?

Defines IT organizational behavior and uses of technology

25

What do policies do for an organization?

State what must be done (or not done)

26

What topics do IT policies cover?

1.) Roles and responsibilities - matching roles and responsibilities to a responsible position

2.) Development practices - define the processes used to develop and implement software

3.) Operational practices - define the high-level processes that constitute IT operations

4.) IT processes, documents, records - define certain processes and how documents and records are stored

27

What is security policy and which areas does it cover?

Defines how an organization will protect its important assets

1.) Roles and responsibilities

2.) Risk management - how to identify risk

3.) Security processes

28

What is privacy policy and which areas does it cover?

Describes how to treat info related to a private citizen

1.) Protecting private info - what info is obtained and how it is protected

2.) Handling private info - How private info is handled and transmitted

29

What are SOPs and what is their purpose?

- Standard Operating Procedures

- Describe in step-by-step detail how IT processes are performed consistently and correctly

30

What metadata must be contained in a procedure document?

1.) Document revision info - the name of the person who made the last edit and the location of the official document

2.) Review and approval - the name(s) of the last manager to review the document and the last manager to approve it

3.) Dependencies - other related procedures that depend on this procedure, or that this procedure depends on

31

What are IT standards?

Approved statements that define the technology, protocols, suppliers, and methods used by the IT organization, with the intention of driving consistency

32

What are the 6 IT standards?

1.) Technology standards - specify the software and hardware used

2.) Protocol standards - specify the protocols used within the organization

3.) Supplier standards - specify which suppliers and vendors are used for various types of supplies and services

4.) Methodology standards - the practices used in various processes (software development, system administration, network engineering, end-user support)

5.) Configuration standards - the specific configurations applied to servers and applications

6.) Architecture standards - technology architecture at the database, system, and network level

33

What is Risk Management?

- Activities that seek, identify, and manage risks that are associated with operations and systems where unwanted risk is possible

- Lifecycle with no beginning or end that examines processes, records, and systems

34

What are the possible actions after a risk is identified?

1.) Accept - accept risk as is

2.) Mitigate - take action to reduce risk

3.) Transfer - org shares risk with another entity (insurance)

4.) Avoid - discontinue activity associated with risk

35

What is risk analysis?

- Identifying individual risks, and the threats and impact associated with each asset

- Risk is the intersection of threat, vulnerability, and impact

36

What is threat analysis?

- Identifying threats to an asset by listing all threats that have some realistic probability of occurring

37

What is vulnerability analysis?

- Examination of an asset to discover weaknesses that a threat could exploit

38

What is the difference between Risk analysis, Threat analysis, and Vulnerability analysis?

- Threat analysis examines the possible threats

- Vulnerability analysis examines the weaknesses of an asset to find possible contact points for a threat

- Risk analysis pairs a threat's ability to exploit a vulnerability with the possible impact to discover the true risk the threat presents

39

What is probability analysis?

Examining the probability that a threat will occur

40

What is the difference between threat analysis and probability analysis?

- Threat analysis details the possible threats but not their probability

- Probability analysis assigns a likelihood to a threat actually occurring

41

What is residual risk?

- The risk left over from the original risk after some of it has been removed by mitigation or transfer

- Original risk - Mitigated risk - Transferred risk = Residual risk

42

What are standard IT management practices?

The primary (development) services need the support of the secondary services in order to work correctly

43

What are the secondary services in standard IT management?

1.) Personnel management - hiring, training, performance evaluation, career path help

2.) Sourcing - selecting where personnel come from (in-house, outsourced, hybrid) and where they will work

3.) Change management - controlling the changes made to an IT environment

4.) Financial management - short-term and long-term budget planning and software acquisition decision making

5.) Quality management - the methods by which business processes are controlled, monitored, and managed to bring about continuous improvement

6.) Security management - several activities that identify risks and decide on risk treatment

7.) Performance and capacity management

44

What are the Quality management components?

1.) Documented processes - tasks, records, and data flows must be described in formal documents

2.) Key measurements - allow management to understand the frequency of, and effort expended on, a process

3.) Review of key measurements - key measurements need to be regularly analyzed and included in reports

4.) Audits - ensure processes are being operated properly

5.) Process changes - when key measurements suggest a change, an analyst makes changes to the process

45

Why is it important to segregate duties?

Ensures that a single individual does not possess excess privileges that could result in unauthorized activities such as fraud or exposure of sensitive data
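Checking this mechanically is how an access review finds the "excess privileges" the card describes: flatten each user's roles into the duties they can perform, then look for anyone holding both halves of a conflicting pair. The following is an added example, not part of the original study set; the roles, duties, users and conflict pairs are constructed for illustration, and a real check would load them from the identity provider or ERP.

```python
"""Segregation-of-duties check over role assignments.

Added example, not part of the original study set. The roles, the users and the
conflict pairs below are constructed for illustration; a real check would load
them from the identity provider or ERP.
"""

# Constructed conflict matrix: pairs of duties no single person should hold.
# Each pair enables a classic abuse pattern if combined in one individual.
CONFLICTING_DUTIES = {
    frozenset({"create_vendor", "approve_payment"}),   # fictitious vendor + pay it
    frozenset({"submit_code", "deploy_production"}),   # push unreviewed code live
    frozenset({"grant_access", "review_access"}),      # self-approve own entitlements
}

# Constructed role -> duty mapping.
ROLE_DUTIES = {
    "ap_clerk": {"create_vendor"},
    "ap_manager": {"approve_payment"},
    "developer": {"submit_code"},
    "release_engineer": {"deploy_production"},
    "iam_admin": {"grant_access"},
    "iam_auditor": {"review_access"},
}

# Constructed user -> roles assignments (what an access review exports).
USER_ROLES = {
    "alice": {"ap_clerk", "ap_manager"},           # conflict via two roles
    "bob": {"developer"},
    "carol": {"developer", "release_engineer"},    # conflict via two roles
    "dave": {"iam_admin"},
}


def duties_for(user, user_roles=USER_ROLES, role_duties=ROLE_DUTIES):
    """Flatten a user's roles into the set of duties they can perform."""
    duties = set()
    for role in user_roles.get(user, set()):
        duties |= role_duties.get(role, set())
    return duties


def sod_violations(user_roles=USER_ROLES, role_duties=ROLE_DUTIES,
                   conflicts=CONFLICTING_DUTIES):
    """Return {user: [sorted conflicting duty pairs]} for every user who holds
    both halves of a conflict pair, whether through one role or a combination."""
    findings = {}
    for user in user_roles:
        duties = duties_for(user, user_roles, role_duties)
        hits = [tuple(sorted(pair)) for pair in conflicts if pair <= duties]
        if hits:
            findings[user] = sorted(hits)
    return findings


if __name__ == "__main__":
    for user, pairs in sod_violations().items():
        print(f"{user}: holds conflicting duties {pairs}")
```

The check is deliberately role-aware: neither of alice's roles is a problem on its own, and a review that only inspects roles one at a time would pass her. Comparing the flattened duty set against the conflict matrix catches the combination.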

46

Importance of Audit Management

Audits must be managed so an audit charter, strategy, and program can be established

47

What is an audit charter?

Clear definition of roles and responsibilities that are consistent with ISACA audit standards

48

In general, what are ISACA audit standards?

Defines the minimum standards of performance related to security, audits, and actions that result from audits

49

What are the specific ISACA audit standards?

1.) Audit Charter - audit activities formally defined

2.) Independence - the IS (information systems) auditor's behavior should be independent of the auditee

3.) Professional Ethics and Standards - the IS auditor adheres to ISACA standards

4.) Professional Competence - the IS auditor possesses the skills and knowledge related to the processes and technology being audited

5.) Planning - the IS auditor plans the audit to ensure its scope and breadth meet the organization's needs

6.) Performance of Audit Work - auditors should be supervised and work should be documented

7.) Reporting - develop an audit report to document findings and conclusions with supporting evidence

8.) Follow-Up Activities - the auditor follows up to determine whether the organization has taken the recommended steps

50

What are internal controls?

Policies, procedures, systems, and other measures designed to reduce risk

51

What are the three areas of internal controls? (3D Cube of Controls)

1.) Type of Control

2.) Classes of Control

3.) Categories of Control

52

What are the 3 Types of Control?

1.) Physical - tangible controls (video surveillance, fences)

2.) Technical - implemented in information systems, typically intangible (encryption, computer access controls)

3.) Administrative - policies and procedures that require or forbid certain activities (e.g. forbidding personal use of information systems)

53

What are the 6 Classes of Control?

1.) Preventative - prevents an unwanted event (computer login screen)

2.) Detective - records both wanted and unwanted events; cannot enforce activity, only record it (video)

3.) Deterrent - convinces someone not to perform an unwanted activity (warning signs)

4.) Corrective - acts after an unwanted event occurs (fixing a defective process)

5.) Compensating - used when the preferred control cannot be implemented (video surveillance used because the keycard system is inadequate)

6.) Recovery - restores a system or asset to its pre-incident state (tool to remove a virus from a computer)

54

What are the 2 Categories of Control?

1.) Automatic - control is performed with little or no human judgement or decision making (login page)

2.) Manual - requires human to operate. May be subject to higher rate of error

55

What is an internal control objective?

Statement of desired states or outcome from business operations

56

What are the internal control objectives?

1.) Protection of IT assets

2.) Accuracy of transactions

3.) Confidentiality

4.) Availability of IT systems

5.) Controlled changes to IT systems

6.) Compliance with corporate policies

57

What factors result in a need to perform an audit?

1.) Organization strategic goals and objectives - goals translate to every department within an org. The business processes and tech will have controls that need to be audited

2.) New organization initiatives - new products, services, delivery methods can be seen in similar light as a goal

3.) Market conditions - audits can provide a competitive edge if market conditions change and an org wants to prove their safety and quality

4.) Changes in tech - processes and controls directly affected by change in tech can then affect previous audit procedures

5.) Changes in regulatory requirements - maintaining compliance with new regulations may require a change to the audit program

58

What is an audit?

systematic and repeatable process where an independent professional evaluates one or more controls, interviews personnel, obtains and analyzes evidence, and writes opinion on effectiveness of the controls

59

What are the steps to perform an audit?

1.) Purpose - establish reason the audit is being performed

2.) Scope - determine the scope (time period, geography, tech, processes)

3.) Risk Analysis - understand which areas need most attention (need to know domain wide risk, and risk of each aspect in domain)

4.) Audit Procedures - define the procedures required to perform audit

5.) Resources - determine the resources needed for the audit

6.) Schedule - create audit schedule

60

What are an audit's objectives?

Determine if controls exist and are effective in a specific aspect of business operations

61

What are the 9 types of audit?

1.) Operational

2.) Integrated

3.) Financial

4.) Info Systems

5.) Administrative

6.) Compliance

7.) Forensic

8.) Service Provider

9.) Pre-audit

62

What is a financial audit?

- Examination of the organization's accounting system (processes and procedures)

- Determine if business controls are sufficient to ensure integrity

63

What is a compliance audit?

Determines the level of compliance to a law, regulation, standard, or internal control

64

What is service provider audit?

Determines the credibility and integrity of the third-party service organizations to which the organization has outsourced functions

65

What is the difference between internal and external auditing?

Internal - examine issues related to business practices and risks

External - examine financial records

66

What is compliance testing?

Determines if control procedures have been properly designed and implemented and if they are operating properly

67

What is substantive testing?

Determines the accuracy and integrity of transactions that flow through processes and info systems

68

What is the difference between compliance and substantive testing?

- Compliance testing tests that the controls themselves have been set up correctly and are working

- Substantive testing tests how the controls handle the information that passes through them

69

Why is audit evidence important?

- The evidence obtained during the audit is used by the IS auditor to reach conclusions on effectiveness of controls

- Faulty evidence results in faulty conclusion

70

What is statistical sampling?

A random selection intended to statistically reflect the entire population

71

What is judgmental sampling?

IS auditor judgmentally and subjectively selects samples based on established criteria (ex. risk)

72

What is attribute sampling?

- Studies the characteristics of a given population to answer "how many?"

- Usually performed on a statistically selected sample

73

What is variable sampling?

- Study characteristics of a given population to answer "how much?"

74

What is Stop or Go sampling?

Allows sampling to stop at the earliest possible point

(used when the auditor believes the risk is low, so a small sample is enough)

75

What is discovery sampling?

Used when auditor trying to find at least one exception in the population. (used when even one exception is high risk)

76

What is stratified sampling?

population divided into classes based upon value of one of the attributes
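The sampling techniques on the last seven cards (statistical, attribute, variable, stop-or-go, discovery, stratified) implemented over one constructed population, as an added example that is not part of the original study set. The 1,000 payment records and their 2% exception rate are constructed; the discovery sample size uses the standard bound that n exception-free draws are seen with probability (1 - rate)^n, so the auditor needs (1 - rate)^n to fall below 1 - confidence.

```python
"""Audit sampling techniques over a constructed population.

Added example, not part of the original study set. The population of payment
records below is constructed for illustration; a real engagement would draw
it from the system under audit.
"""
import math
import random

# Constructed population: 1,000 payment records. Every 50th record lacks an
# approver, so the true exception rate is 2% (20 of 1,000).
POPULATION = [
    {
        "id": i,
        "dept": ("finance", "hr", "eng")[i % 3],
        "amount": 100.0 + (i * 37) % 900,
        "approved_by": None if i % 50 == 0 else "mgr%d" % (i % 7),
    }
    for i in range(1, 1001)
]


def missing_approver(record):
    """Exception predicate: the control 'every payment is approved' failed."""
    return record["approved_by"] is None


def statistical_sample(population, n, seed=0):
    """Simple random sample: each record has the same chance of selection,
    so results can be projected onto the whole population."""
    return random.Random(seed).sample(population, n)


def stratified_sample(population, key, n_per_stratum, seed=0):
    """Split the population into classes by one attribute, then draw a random
    sample of equal size from each class so small strata are not swamped."""
    strata = {}
    for record in population:
        strata.setdefault(record[key], []).append(record)
    rng = random.Random(seed)
    sample = []
    for value in sorted(strata):
        sample.extend(rng.sample(strata[value], min(n_per_stratum, len(strata[value]))))
    return sample


def attribute_sampling(sample, is_exception):
    """'How many?': count exceptions in the sample and return the observed rate."""
    exceptions = sum(1 for record in sample if is_exception(record))
    return exceptions, exceptions / len(sample)


def variable_sampling(sample, population_size, field="amount"):
    """'How much?': project the sample mean onto the population to estimate
    a total value (for example, total payments processed)."""
    mean = sum(record[field] for record in sample) / len(sample)
    return mean * population_size


def discovery_sample_size(expected_rate, confidence):
    """Smallest sample size that finds at least one exception with the given
    confidence when the population exception rate is at least expected_rate:
    P(no exception in n draws) = (1 - rate)^n, so solve (1 - rate)^n <= 1 - confidence."""
    return math.ceil(math.log(1 - confidence) / math.log(1 - expected_rate))


def stop_or_go(population, is_exception, expected_rate=0.05, confidence=0.95,
               max_n=None, seed=0):
    """Examine records one at a time in random order and stop as soon as enough
    exception-free records support the confidence level; once an exception is
    seen, keep going (up to max_n) because the control can no longer be presumed
    reliable. Returns (records examined, exceptions found)."""
    target = discovery_sample_size(expected_rate, confidence)
    order = list(population)
    random.Random(seed).shuffle(order)
    limit = len(order) if max_n is None else max_n
    examined = exceptions = 0
    for record in order[:limit]:
        examined += 1
        if is_exception(record):
            exceptions += 1
        if exceptions == 0 and examined >= target:
            break
    return examined, exceptions


if __name__ == "__main__":
    sample = statistical_sample(POPULATION, 100, seed=1)
    print("attribute (how many?):", attribute_sampling(sample, missing_approver))
    print("variable (how much?): %.2f" % variable_sampling(sample, len(POPULATION)))
    print("discovery sample size, 1%% rate at 95%%: %d" % discovery_sample_size(0.01, 0.95))
    print("stop-or-go (examined, exceptions):", stop_or_go(POPULATION, missing_approver))
    print("stratified by dept:", len(stratified_sample(POPULATION, "dept", 10)))
```

The discovery figure is the one worth remembering: to be 95% sure of catching a condition present in 1% of records you must look at 299 of them, which is why discovery sampling is reserved for cases where a single exception matters, and why stop-or-go lets the auditor quit at 59 records when a 5% rate would already be unacceptable and none has appeared.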

77

Why is computer assisted audit needed?

- To assist in analyzing large or complex data sets

- IS auditors can use generalized audit software (GAS) to read and access data directly from database platforms

- Independently and directly acquire sample data from databases

- Better understand data sets, enabling determination of the integrity and accuracy of a system
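What "reading data directly from the database platform" looks like in practice, as an added example that is not part of the original study set: an in-memory SQLite database is loaded with constructed invoice data containing three planted defects, and the auditor's own queries (not an extract prepared by the auditee) find duplicate invoice numbers, invoices pointing at a vendor that does not exist, and headers whose total disagrees with their lines, then draw an independent random sample for substantive testing. The table layout and the data are assumptions for illustration only.

```python
"""Generalized-audit-software style checks against a relational data set.

Added example, not part of the original study set. It builds an in-memory
SQLite database from constructed invoice data and runs the kind of integrity
queries an IS auditor would issue directly against the auditee's database
(duplicates, broken references, header/line reconciliation), plus an
independent random sample for substantive testing.
"""
import random
import sqlite3

# Constructed data. Each planted defect is noted beside the row.
VENDORS = [(1, "Acme Supplies"), (2, "Northwind Traders")]
INVOICES = [  # (invoice_no, vendor_id, header_total)
    ("INV-1001", 1, 500.0),
    ("INV-1002", 2, 120.0),
    ("INV-1002", 2, 120.0),   # duplicate invoice number: possible double payment
    ("INV-1003", 9, 75.0),    # vendor 9 does not exist: broken reference
    ("INV-1004", 1, 300.0),   # its lines below add up to 250, not 300
]
INVOICE_LINES = [  # (invoice_no, amount)
    ("INV-1001", 200.0), ("INV-1001", 300.0),
    ("INV-1002", 120.0),
    ("INV-1003", 75.0),
    ("INV-1004", 150.0), ("INV-1004", 100.0),
]


def open_audit_db():
    """Load the constructed data into a fresh in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE vendors (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE invoices (invoice_no TEXT, vendor_id INTEGER, header_total REAL);
        CREATE TABLE invoice_lines (invoice_no TEXT, amount REAL);
    """)
    conn.executemany("INSERT INTO vendors VALUES (?, ?)", VENDORS)
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)", INVOICES)
    conn.executemany("INSERT INTO invoice_lines VALUES (?, ?)", INVOICE_LINES)
    conn.commit()
    return conn


def duplicate_invoices(conn):
    """Invoice numbers that appear more than once."""
    rows = conn.execute("""
        SELECT invoice_no, COUNT(*) FROM invoices
        GROUP BY invoice_no HAVING COUNT(*) > 1 ORDER BY invoice_no
    """).fetchall()
    return [no for no, _ in rows]


def orphan_invoices(conn):
    """Invoices whose vendor_id has no matching vendor row."""
    rows = conn.execute("""
        SELECT i.invoice_no FROM invoices i
        LEFT JOIN vendors v ON v.id = i.vendor_id
        WHERE v.id IS NULL ORDER BY i.invoice_no
    """).fetchall()
    return [no for (no,) in rows]


def total_mismatches(conn, tolerance=0.005):
    """Invoices whose header total disagrees with the sum of their lines."""
    rows = conn.execute("""
        SELECT i.invoice_no, i.header_total, COALESCE(l.line_total, 0.0)
        FROM invoices i
        LEFT JOIN (SELECT invoice_no, SUM(amount) AS line_total
                   FROM invoice_lines GROUP BY invoice_no) l
          ON l.invoice_no = i.invoice_no
        WHERE ABS(i.header_total - COALESCE(l.line_total, 0.0)) > ?
        ORDER BY i.invoice_no
    """, (tolerance,)).fetchall()
    return [(no, header, lines) for no, header, lines in rows]


def draw_sample(conn, n, seed=0):
    """Independently select a random sample of invoice rows for substantive
    testing, without relying on a list supplied by the auditee."""
    rowids = [r for (r,) in conn.execute("SELECT rowid FROM invoices").fetchall()]
    chosen = random.Random(seed).sample(rowids, min(n, len(rowids)))
    marks = ",".join("?" * len(chosen))
    return conn.execute(
        f"SELECT invoice_no, vendor_id, header_total FROM invoices WHERE rowid IN ({marks})",
        chosen).fetchall()


def run_checks():
    """Run every integrity check and return the findings keyed by check name."""
    conn = open_audit_db()
    try:
        return {
            "duplicates": duplicate_invoices(conn),
            "orphans": orphan_invoices(conn),
            "total_mismatches": total_mismatches(conn),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for check, findings in run_checks().items():
        print(f"{check}: {findings}")
```

Each query is a compliance test of one control (unique numbering, referential integrity, header/line reconciliation); the rows `draw_sample` returns are what the auditor would then trace to source documents as substantive testing.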

78

Explain the self assessment life cycle

1.) Identify and assess risks

2.) Identify and assess controls

3.) Develop a questionnaire or conduct a workshop - collect opinions and ideas for risk remediation

4.) Analyze the results from step 3 - determine which ideas are viable

5.) Control remediation - controls are designed or altered based on the workshop or questionnaire

6.) Awareness training - takes place during every phase of the life cycle to keep personnel informed

79

How are audit procedures and audit objectives related?

- The purpose and scope of the audit may define the procedures that are required to perform audit