CertifiedInformation
C I SA Systems Auditor' Chapter 2—Governance and Management of IT
ISACX COW ad=
environment and even more complex in a third-party relationship.
Typical governance activities such as goal setting, policy and
standard development, defining roles and responsibilities, and
managing risk must include special considerations when dealing
with cloud technology and its providers.
As with all organizational changes, it is expected that some
adjustments will need to be made to the way business processes are
handled. Business processes such as data processing, development
and information retrieval are examples of potential change areas.
Additionally, processes detailing the way information is stored,
archived and backed up will need revisiting.
The cloud presents many unique situations for businesses to
address. One large governance issue is that business unit personnel,
who were previously forced to go through H' for service, can now
bypass IT and receive service directly from the cloud. Policies
must be modified or developed to address the process of sourcing,
managing and discontinuing the use of cloud services.
The responsibility for managing the relationship with a third
party should be assigned to a designated individual or service
management team. In addition, the organization should ensure that
the third party assigns responsibilities for checking for compliance
and enforcing the requirements of the agreements. Sufficient
technical skills and resources should be made available to monitor
whether requirements of the agreement, in particular the information
security requirements, are being met. Appropriate action should be
taken when deficiencies in the service delivery are observed.
The organization should maintain sufficient overall control and
visibility into all security aspects for sensitive or critical
information or information processing facilities accessed,
processed or managed by a third party. The organization should
ensure that they retain visibility in security activities such as change
management, identification of vulnerabilities and information
security incident reporting/response through a clearly defined
reporting process, format and structure. When outsourcing, the
organization needs to be aware that the ultimate responsibility for
information processed by an outsourcing party remains with the
organization.
MANAGING CHANGES TO THIRD-PARTY SERVICES
Changes to the provision of services, including maintaining and
improving existing information security policies, procedures and
controls, should be managed taking into account the criticality of
business systems and processes involved and reassessing risks.
The process of managing changes to a third-party service needs
to take into account:
 Changes made by the organization to implement:
– Enhancements to the current services offered
– Development of any new applications and systems
– Modifications or updates of the organization's policies and
procedures
– New controls to resolve information security incidents and to
improve security
– Updates to policies, including the IT security policy
 Changes in third-party services to implement:
– Changes and enhancements to networks
Section Two: Content
– Use of new technologies – Adoption of new products or
newer versions/releases – New development tools and
environments
– Changes to physical location of service facilities – Change
of vendors or subcontractors
Service improvement and User Satisfaction
SLAs set the baseline by which outsourcers perform the IS function.
In addition, organizations can set service improvement expectations
into the contracts with associated penalties and rewards. Examples
of service improvements include:
 Reductions in the number of help desk calls
 Reductions in the number of system errors
 Improvements to system availability
Service improvements should be agreed on by users and IT with
the goals of improving user satisfaction and attaining business
objectives. User satisfaction should be monitored by interviewing
and surveying users.
2.9.3 ORGANIZATIONAL CHANGE MANAGEMENT
Organizational change management involves use of a defined
and documented process to identify and apply technology
improvements at the infrastructure and •pplication level that are
beneficial to the organization and involve all levels of the
organization impacted by the changes. This level of involvement
and communication will ensure that the IS department fully
understands the users' expectations and changes are not resisted
or ignored by users once implemented.
The IS department is the focal point for such changes by leading
or facilitating change in the organization. This includes staying
abreast of technology changes that could lead to significant business
process improvements and obtaining senior management
commitment for the changes or projects that will be required at the
user level.
Once senior management support is obtained to move forward with
the changes or projects, the IS department can begin working with
each functional area and their management to obtain support for the
changes. In addition, the IS department will need to develop a
communication process which is directed at the end users to update
them on the changes, the impact and benefit of the changes, and
provide a method for obtaining user feedback and involvement.
•
User feedback should be obtained throughout the project, including
validation of the business requirements and training on and testing
of the new or changed functionality.
2.9.4 FINANCIAL MANAGEMENT PRACTICES
Financial management is a critical element of all business functions.
In a cost-intensive computer environment, it is imperative that sound
financial management practices are in place.
The user-pays scheme, a form of chargeback, can improve application
and monitoring of IS expenses and available resources. In this scheme
the costs of IS services—including staff time, computer time and other
relevant costs—are charged back to the end users based on a standard
(uniform) formula or calculation.
CISA Review Manual 2014 105
ISACA. All Rights Reserved.