Amman
Chapter 2
Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
 Introduction
 IT Governance
 Information Security Governance
 Enterprise Architecture and IT Management
 Business Continuity Planning
 Summary
 Provide assurance that the necessary leadership
and organizational structures and processes are
in place to achieve objectives and to support the
organization’s strategy
 Evaluate the effectiveness of the IT governance structure to determine whether IT
decisions, directions and performance support the organization’s strategies and
objectives.
 Evaluate IT organizational structure and human resources (personnel) management to
determine whether they support the organization’s strategies and objectives.
 Evaluate the IT strategy, including the IT direction, and the processes for the strategy’s
development, approval, implementation and maintenance for alignment with the
organization’s strategies and objectives.
 Evaluate the organization’s IT policies, standards, and procedures, and the processes for
their development, approval, implementation, maintenance, and monitoring, to
determine whether they support the IT strategy and comply with regulatory and legal
requirements.
 Evaluate the adequacy of the quality management system to determine whether it
supports the organization’s strategies and objectives in a cost-effective manner.
 Evaluate IT management and monitoring of controls (e.g., continuous monitoring, QA)
for compliance with the organization’s policies, standards and procedures.
 Evaluate IT resource investment, use and allocation
practices, including prioritization criteria, for alignment
with the organization’s strategies and objectives.
 Evaluate IT contracting strategies and policies, and
contract management practices to determine whether
they support the organization’s strategies and objectives.
 Evaluate risk management practices to determine whether
the organization’s IT-related risks are properly managed.
 Evaluate monitoring and assurance practices to determine
whether the board and executive management receive
sufficient and timely information about IT performance.
 Evaluate the organization’s business continuity plan to
determine the organization’s ability to continue essential
business operations during the period of an IT disruption.
 Knowledge of IT governance, management, security and control
frameworks, and related standards, guidelines, and practices
 Knowledge of the purpose of IT strategy, policies, standards and
procedures for an organization and the essential elements of each
 Knowledge of organizational structure, roles and responsibilities related
to IT
 Knowledge of the processes for the development, implementation and
maintenance of IT strategy, policies, standards and procedures
 Knowledge of the organization’s technology direction and IT
architecture and their implications for setting long-term strategic
directions
 Knowledge of relevant laws, regulations and industry standards
affecting the organization
 Knowledge of quality management systems
 Knowledge of the use of maturity models
 Knowledge of process optimization techniques
 Knowledge of IT resource investment and allocation practices, including
prioritization criteria (e.g., portfolio management, value management,
project management)
 Knowledge of IT supplier selection, contract management, relationship
management and performance monitoring processes including third
party outsourcing relationships
 Knowledge of enterprise risk management
 Knowledge of practices for monitoring and reporting of IT performance
(e.g., balanced scorecards, key performance indicators [KPI])
 Knowledge of IT human resources (personnel) management practices
used to invoke the business continuity plan
 Knowledge of business impact analysis (BIA) related to business
continuity planning
 Knowledge of the standards and procedures for the development and
maintenance of the business continuity plan and testing methods
IT Governance
 The set of responsibilities
and practices exercised by
the board and executive
management with the goal
of:
 Providing strategic direction
 Ensuring that objectives are
achieved
 Ascertaining that risks are
managed appropriately
 Verifying that the enterprise’s
resources are used responsibly
Governance
 The framework, principles,
structure, processes and
practices to set direction and
monitor compliance and
performance aligned with the
overall purpose and objectives.
Applicable to all governance
views.
 Defines accountability,
responsibility and decision
making (among other elements).
[Diagram] Governance views: Corporate Governance, IT Governance, Information Security Governance, Outsourcing, SOA
[Diagram] Enterprise Strategy -> IT/InfoSec Strategy -> Action Plan -> Program (set of projects),
supported by: Policies, Standards, Guidelines, Procedures, Architecture, Roles and Responsibilities, Metrics
Governance
 Ensures that enterprise
objectives are achieved by
evaluating stakeholder
needs, conditions and
options; setting direction
through prioritisation and
decision making; and
monitoring performance,
compliance and progress
against agreed-on direction
and objectives (EDM).
Management
 Plans, builds, runs and
monitors activities in
alignment with the direction
set by the governance body to
achieve the enterprise
objectives (PBRM).
 Governance, Risk Management and Compliance
 An increasingly used ‘umbrella term’ that covers
these three areas of enterprise activities
 These areas of activity are progressively being
more aligned and integrated to improve
enterprise performance and delivery of
stakeholder needs.
 Governance
 Exercise of authority; control; government; arrangement.
 Risk (management)
 Hazard; danger; peril; exposure to loss, injury, or
destruction (The act or art of managing; the manner of
treating, directing, carrying on, or using, for a purpose;
conduct; administration; guidance; control)
 Compliance
 The act of complying; a yielding; as to a desire, demand, or
proposal; concession; submission
Webster’s Online Dictionary
 Enterprises are governed by generally accepted good or
best practices, the assurance of which is provided by
certain controls. From these practices flows the
organization’s direction, which indicates certain activities
using the organization’s resources.
 The results are measured and reported on, providing input
to the cyclical revision and maintenance of controls.
 IT is also governed by good or best practices that ensure
that the organization’s information and related technology
support its business objectives, its resources are used
responsibly, and its risks are managed appropriately.
 IT governance is the responsibility of the board of
directors and executive management
 Effective enterprise governance focuses
individual and group expertise and experience on
specific areas where they can be most effective
 IT governance is concerned with two issues:
 IT delivers value to the business
 IT risks are managed
 COBIT
 Developed by ISACA to support IT governance by providing a framework to
ensure that IT is aligned with the business, IT enables the business and
maximizes benefits, IT resources are used responsibly, and IT risks are
managed appropriately. COBIT provides tools to assess and measure the
performance of 34 IT processes within an organization.
 The ISO/IEC 27001 (ISO 27001) series of standards
 A set of best practices that provides guidance to organizations
implementing and maintaining information security programs. ISO 27001
originally was published in the UK as British Standard 7799 (BS 7799) and has
become a well-known standard in the industry.
 The IT Infrastructure Library (ITIL)
 Developed by the UK Office of Government Commerce (OGC), in
partnership with the IT Service Management Forum; a detailed
framework with hands-on information regarding how to achieve successful
operational service management of IT.
 The IT Baseline Protection Catalogs, or IT-Grundschutz Catalogs
 (known prior to 2005 as the IT Baseline Protection Manual) are a collection of
documents from the German Federal Office for Information Security (BSI). The
documents are useful for detecting and combating security weak points in the IT
environment. The collection encompasses over 3,000 pages.
 The Information Security Management Maturity Model (ISM3)
 A process-based ISM maturity model for security.
 AS8015-2005
 Australian standard for corporate governance of information and communications
technology. AS8015 was adopted as ISO/IEC 38500 in May 2008.
 ISO/IEC 38500:2008 Corporate governance of information technology
 (very closely based on AS8015-2005) provides a framework for effective governance
of IT. ISO/IEC 38500 assists those at the highest organizational level to understand
and fulfill their legal, regulatory and ethical obligations in respect to their
organizations' use of IT. ISO/IEC 38500 is applicable to organizations of all sizes,
including public and private companies, government entities and not-for-profit
organizations. This standard provides guiding principles for directors of
organizations on the effective, efficient and acceptable use of IT within their
organizations.
 Demands for better return from IT investments
 Increases in IT expenditures
 Regulatory requirements for IT controls
 Selection of service providers and outsourcing
 Complexity of network security
 Adoptions of control frameworks
 Benchmarking
 Audit plays a significant role in the successful implementation of IT
governance within an organization
 Reporting on IT governance involves auditing at the highest level in the
organization and may cross division, functional or departmental
boundaries
 Assess the following:
 The importance of IT strategic planning, and importance of a strategic
planning process or planning framework
 The IS function’s alignment with the organization’s mission, vision, values,
objectives and strategies
 The IS function’s achievement of performance objectives established by the
business (effectiveness and efficiency)
 Legal, environmental, information quality, and fiduciary and security
requirements
 The control environment of the organization
 The inherent risks within the IS environment
 From IS standpoint, it relates to the long-term
direction an organization wants to take in
leveraging information technology for improving
its business processes
 Effective IT strategic planning involves a
consideration of the organization’s demand for IT
and its IT supply capacity
 Consider how the CIO or senior IT management
are involved in the creation of the overall
business strategy
 The creation of an IT strategy committee is an
industry best practice
 Committee should broaden its scope to include
not only advice on strategy when assisting the
board in its IT governance responsibilities, but
also to focus on IT value, risks and performance
 An organization’s senior management should
appoint a planning or steering committee to
oversee the IS function and its activities
 A high-level steering committee for information
technology is an important factor in ensuring
that the IS department is in harmony with the
corporate mission and objectives
 A process management evaluation technique
that can be applied to the IT governance process
in assessing IT functions and processes
 Method goes beyond the traditional financial
evaluation
 One of the most effective means to aid the IT
strategy committee and management in
achieving IT and business alignment
 Focused activity with specific value drivers
 Integrity of information (Integrity)
 Continuity of services (Availability)
 Protection of information assets (Confidentiality)
 Integral part of IT governance
 Importance of information security governance
 Information security (Infosec) covers all information
processes, physical and electronic, regardless of whether
they involve people and technology or relationships with
trading partners, customers and third parties.
 Infosec is concerned with all aspects of information and its
protection at all points of its life cycle within the
organization.
 Effective information security can add significant
value to an organization by:
 Providing greater reliance on interactions with trading
partners
 Improving trust in customer relationships
 Protecting the organization’s reputation
 Enabling new and better ways to process electronic
transactions
 Strategic alignment
 Risk management
 Value delivery
 Performance measurement
 Resource management
 Process integration
 Effective information security governance
 Management must establish and maintain a framework to
guide the development and management of a
comprehensive information security program that
supports business objectives
 This framework provides the basis for the development of
a cost-effective information security program that
supports the organization’s business goals.
 Strategic direction and impetus from:
▪ Boards of directors / senior management
▪ Executive management
▪ Steering committees
▪ Chief information security officers
 Involves documenting an organization’s IT assets
in a structured manner to facilitate
understanding, management and planning for IT
investments
 Often involves both a current state and
optimized future state representation
[Diagram] Enterprise architecture grid. Columns: Data, Functional, Network, People, Process, Strategy.
Rows: Scope, Enterprise Model, Systems Model, Technology Model, Detailed Representation.
 Performance
 Business
 Service component
 Technical
 Data
 High-level documents
 Represent the corporate philosophy of an
organization
 Must be clear and concise to be effective
 Management should review all policies carefully
 Policies need to be updated to reflect new
technology and significant changes in business
processes
 Policies formulated must enable achievement of
business objectives and implementation of IS
controls
 Information security policies
 Communicate a coherent security standard to users,
management and technical staff
 Must balance the level of control with the level of
productivity
 Provide management the direction and support for
information security in accordance with business
requirements, relevant laws and regulations
 Information security policy document
 Definition of information security
 Statement of management intent
 Framework for setting control objectives
 Brief explanation of security policies
 Definition of responsibilities
 References to documentation
 Policy groups to be addressed
 High-level information security policy
 Data classification policy
 Acceptable usage policy
 End user computing policy
 Access control policies
 Review of the information security policy
document
 Should be reviewed at planned intervals or when
significant changes occur to ensure its continuing
suitability, adequacy and effectiveness
 Should have an owner who has approved
management responsibility for the development,
review and evaluation of the security policy
 Review should include assessing opportunities for
improvement to the organization’s information
security policy
 Procedures are detailed documents that:
 Define and document implementation policies
 Must be derived from the parent policy
 Must implement the spirit (intent) of the policy
statement
 Must be written in a clear and concise manner
 To develop a risk management program:
 Establish the purpose of the risk management
program
 Assign responsibility for the risk management plan
 Steps:
 Identification and classification of information
resources or assets that need protection
 Assess threats and vulnerabilities and the likelihood of
their occurrence
 Once the elements of risk have been established they
are combined to form an overall view of risk
 Evaluate existing controls or design new controls to
reduce the vulnerabilities to an acceptable level of risk
 Residual risk
 IT risk management needs to operate at multiple
levels including:
 Operational—Risks that could compromise the
effectiveness of IT systems and supporting
infrastructure
 Project—Risk management needs to focus on the
ability to understand and manage project complexity
 Strategic—The risk focus shifts to considerations such
as how well the IT capability is aligned with the
business strategy
 Qualitative
 Semi-quantitative
 Quantitative
 Probability and expectancy
 Annual loss expectancy method
 Risk management should be applied to IT functions
throughout the company
 Senior management responsibility
 Quantitative RM is preferred over qualitative approaches
 Quantitative RM always faces the challenge of estimating
risks
 Quantitative RM provides more objective assumptions
 The real complexity or the apparent sophistication of the
methods or packages used should not be a substitute for
common sense or professional diligence
 Special care should be given to very high impact events,
even if the probability of occurrence over time is very low.
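The annual loss expectancy method and the risk management steps above (quantify each risk, evaluate controls, arrive at residual risk) worked through in code. This is an added example, not material from the course: the scenarios, asset values, exposure factors, occurrence rates, control effects and the one-million impact threshold are constructed figures. It also implements the last caveat on the slide: a very-high-impact, low-probability event can fail the ALE cost-benefit test and still need separate treatment.

```python
"""Quantitative risk analysis with the annual loss expectancy (ALE) method.

Added worked example, not from the course material: the scenarios, asset
values, exposure factors, occurrence rates and control costs are constructed
for illustration. Steps: quantify each risk (SLE, ALE), evaluate a control,
compute residual risk, and flag very-high-impact events that a low ALE hides.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float       # value of the asset at risk (currency units)
    exposure_factor: float   # fraction of the asset value lost per event, 0..1
    aro: float               # annualized rate of occurrence, events per year

    @property
    def sle(self) -> float:
        """Single loss expectancy: loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annual loss expectancy: SLE x ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    aro_reduction: float = 0.0   # fraction by which the control cuts ARO, 0..1
    ef_reduction: float = 0.0    # fraction by which it cuts the exposure factor, 0..1


def residual(s: Scenario, c: Control) -> Scenario:
    """The scenario as it looks with the control in place (residual risk)."""
    return Scenario(s.name, s.asset_value,
                    s.exposure_factor * (1.0 - c.ef_reduction),
                    s.aro * (1.0 - c.aro_reduction))


def net_benefit(s: Scenario, c: Control) -> float:
    """Annual risk reduction minus annual control cost.

    Positive: the control pays for itself on an ALE basis. Negative: on ALE
    alone it is not cost-effective (see the high-impact caveat below).
    """
    return (s.ale - residual(s, c).ale) - c.annual_cost


def high_impact_low_probability(s: Scenario, impact_threshold: float,
                                aro_threshold: float = 0.05) -> bool:
    """True when one event would exceed impact_threshold even though the event
    is rare. ALE averages such events away, so they need separate attention
    regardless of the net-benefit arithmetic."""
    return s.sle >= impact_threshold and s.aro <= aro_threshold


# Constructed sample register (hypothetical figures, not real data).
SCENARIOS = [
    Scenario("ransomware on file server", 500_000, 0.60, 0.50),
    Scenario("laptop theft", 3_000, 1.00, 4.00),
    Scenario("data-centre fire", 5_000_000, 0.80, 0.01),
]
CONTROLS = {
    "ransomware on file server": Control("offline backups + EDR", 60_000,
                                         aro_reduction=0.5, ef_reduction=0.7),
    "laptop theft": Control("asset tracking service", 5_000, aro_reduction=0.25),
    "data-centre fire": Control("hot-site contract", 150_000, ef_reduction=0.9),
}


def evaluate(scenarios=SCENARIOS, controls=CONTROLS, impact_threshold=1_000_000):
    """Risk register rows, highest inherent ALE first, money rounded to cents."""
    rows = []
    for s in scenarios:
        c = controls[s.name]
        rows.append({
            "scenario": s.name,
            "sle": round(s.sle, 2),
            "ale": round(s.ale, 2),
            "control": c.name,
            "residual_ale": round(residual(s, c).ale, 2),
            "net_benefit": round(net_benefit(s, c), 2),
            "cost_effective": net_benefit(s, c) > 0,
            "review_separately": high_impact_low_probability(s, impact_threshold),
        })
    return sorted(rows, key=lambda r: r["ale"], reverse=True)


if __name__ == "__main__":
    for row in evaluate():
        print(row)
```

With these figures the ransomware control is clearly cost-effective (net benefit 67,500), the laptop tracking service is not (net benefit -2,000), and the hot-site contract fails the ALE test by 114,000 a year yet is flagged for separate review because a single fire would cost 4,000,000; that flag is the "special care for very high impact events" point made in the slide.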
 Hiring
 Employee handbook
 Promotion policies
 Training
 Scheduling and time reporting
 Employee performance evaluations
 Required vacations
 Termination policies
 Sourcing practices relate to the way an
organization obtains the IS function required to
support the business
 Organizations can perform all IS functions in-
house or outsource all functions across the globe
 Sourcing strategy should consider each IS
function and determine which approach allows
the IS function to meet the organization’s goals
 Outsourcing practices and strategies
 Contractual agreements under which an organization
hands over control of part or all of the functions of the
IS department to an external party
 Becoming increasingly important in many
organizations
 The IS auditor must be aware of the various forms
outsourcing can take as well as the associated risks
Possible advantages
 Commercial outsourcing
companies likely to devote
more time and focus more
efficiently on a given project
than in-house staff
 Outsourcing vendors likely
to have more experience
with a wider array of
problems, issues and
techniques
Possible disadvantages
 Costs exceeding customer
expectations
 Loss of internal IS experience
 Loss of control over IS
 Vendor failure
 Risks can be reduced by:
 Establishing measurable, partnership-enacted shared goals
and rewards
 Using multiple suppliers or withholding a piece of business
as an incentive
 Performing periodic competitive reviews and
benchmarking/bench trending
 Implementing short-term contracts
 Forming a cross-functional contract management team
 Including contractual provisions to consider as many
contingencies as can reasonably be foreseen
 Globalization practices and strategies
 Requires management to actively oversee the
remote or offshore locations
 The IS auditor can assist an organization in moving IS
functions offsite or offshore by ensuring that IS
management considers the following:
 Legal, regulatory and tax issues
 Continuity of operations
 Personnel
 Telecommunication issues
 Cross-border and cross-cultural issues
 Governance in outsourcing
 Mechanism that allows organizations to transfer the
delivery of services to third parties
 Accountability remains with the management of the
client organization
 Transparency and ownership of the decision-making
process must reside within the purview of the client
 Third-party service delivery management
 Every organization using the services of third parties
should have a service delivery management system in
place to implement and maintain the appropriate level
of information security and service delivery in line
with third-party service delivery agreements
 The organization should check the implementation of
agreements, monitor compliance with the agreements
and manage changes to ensure that the services
delivered meet all requirements agreed to with the
third party.
 What is change management?
 Managing IT changes for the organization
 Identify and apply technology improvements at the
infrastructure and application level
 Financial management
 A critical element of all business functions, and especially of a cost-intensive
computer environment
 The user-pays scheme, a form of chargeback, can improve the application and
monitoring of IS expenses and available resources.
 In this scheme the costs of IS services, including staff time, computer time and other
relevant costs, are charged back to the end users based on a standard (uniform)
formula or calculation.
 Chargeback is a joint responsibility of IS management and user management.
Chargeback provides IS personnel and users with a tool to measure the effectiveness
and efficiency of the service provided by the information processing facility.
 IS budgets
 IS management, like all other departments, must develop a budget.
 A budget allows for forecasting, monitoring and analyzing financial information.
 The budget allows for an adequate allocation of funds, especially in an IS
environment where expenses can be cost-intensive. The IS budget should be linked
to short- and long-range IT plans.
 Software development, maintenance and
implementation
 Acquisition of hardware and software
 Day-to-day operations
 Service management
 Security
 Human resource management
 General administration
 Process driven by performance indicators
 Optimization refers to the process of improving
the productivity of information systems to the
highest level possible without unnecessary,
additional investment in the IT infrastructure
 Five ways to use performance measures:
▪ Measure products/services
▪ Manage products/services
▪ Assure accountability
▪ Make budget decisions
▪ Optimize performance
 Systems development
manager
 Help desk
 End user
 End user support manager
 Data management
 Quality assurance
manager
 Vendor and outsourcer
management
 Operations manager
 Control group
 Media management
 Data entry
 Systems administration
 Security administration
 Quality assurance
 Database administration
 Systems analyst
 Security architect
 Applications development
and maintenance
 Infrastructure
development and
maintenance
 Network management
 Avoids possibility of errors or misappropriations
 Discourages fraudulent acts
 Limits access to data
 Transaction authorization
 Custody of assets
 Access to data
 Authorization forms
 User authorization tables
 Compensating controls for lack of segregation of duties
include:
 Audit trails
 Reconciliation
 Exception reporting
 Transaction logs
 Supervisory reviews
 Independent reviews
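A segregation-of-duties check an IS auditor might run over the user authorization tables, as an added example that is not part of the course material. The permissions, roles, users and compensating-control records are constructed; the three duty classes (transaction authorization, custody of assets, access to data) and the list of acceptable compensating controls are the ones given above. It first finds every user who holds two conflicting duty classes, then reports those whose conflict is not covered by a documented compensating control.

```python
"""Segregation-of-duties (SoD) conflict check over a user/role/permission matrix.

Added example, not from the course material: permissions, roles, users and
compensating-control records below are constructed for illustration.
"""
from itertools import combinations

# Duty class of each permission (constructed). None = not a conflicting duty.
PERMISSION_DUTY = {
    "approve_payment": "authorization",     # transaction authorization
    "release_wire": "custody",              # custody of assets
    "edit_vendor_master": "data_access",    # access to (recording of) data
    "post_journal": "data_access",
    "view_reports": None,                   # read-only reporting is not a duty
}

# Any two of the three duty classes held by one person is a conflict.
CONFLICTING_PAIRS = {
    frozenset(p) for p in combinations(("authorization", "custody", "data_access"), 2)
}

# Compensating controls acceptable where SoD cannot be achieved (from the text).
COMPENSATING_CONTROLS = {"audit_trail", "reconciliation", "exception_reporting",
                         "transaction_log", "supervisory_review", "independent_review"}

# Constructed role -> permissions and user -> roles tables.
ROLES = {
    "ap_clerk": {"edit_vendor_master", "post_journal", "view_reports"},
    "approver": {"approve_payment", "view_reports"},
    "treasury": {"release_wire", "view_reports"},
    "auditor": {"view_reports"},
}
USERS = {
    "alice": {"ap_clerk"},
    "bob": {"ap_clerk", "treasury"},        # records data and moves money
    "carol": {"approver", "treasury"},      # authorizes and moves money
    "dave": {"auditor"},
}
# Compensating controls documented per user (constructed). "security_training"
# is deliberately not an accepted compensating control.
USER_COMPENSATION = {
    "bob": {"independent_review", "transaction_log"},
    "carol": {"security_training"},
}


def user_duties(user, users=USERS, roles=ROLES, perm_duty=PERMISSION_DUTY):
    """Set of duty classes a user holds through all assigned roles."""
    return {perm_duty.get(p) for r in users[user] for p in roles[r] if perm_duty.get(p)}


def sod_conflicts(users=USERS, roles=ROLES, perm_duty=PERMISSION_DUTY):
    """{user: [(duty_a, duty_b), ...]} for every user holding a conflicting pair."""
    conflicts = {}
    for user in users:
        duties = sorted(user_duties(user, users, roles, perm_duty))
        pairs = [p for p in combinations(duties, 2) if frozenset(p) in CONFLICTING_PAIRS]
        if pairs:
            conflicts[user] = pairs
    return conflicts


def uncompensated(conflicts, compensation=USER_COMPENSATION,
                  accepted=COMPENSATING_CONTROLS):
    """Users whose conflict is not covered by at least one accepted control."""
    return sorted(u for u in conflicts if not (compensation.get(u, set()) & accepted))


if __name__ == "__main__":
    found = sod_conflicts()
    print("conflicts:", found)
    print("need action:", uncompensated(found))
```

Note that the check works at the level of duty classes rather than individual permissions, so a new permission only needs to be mapped to a class once; and that a conflict covered by, say, independent review is reported as compensated but is still a conflict, which is what an auditor would want to see in the findings.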
 Business continuity planning (BCP) is a process
designed to reduce the organization’s business
risk
 A BCP is much more than just a plan for the
information systems
 IS processing is of strategic importance
 Critical component of overall BCP
 Most key business processes depend on the
availability of key systems and infrastructure
components
 Inability to maintain critical customer services
 Damage to market share, reputation or brand
 Failure to protect the company assets including
intellectual properties and personnel
 Business control failure
 Failure to meet legal or regulatory requirements
 Disasters are disruptions that cause critical
information resources to be inoperative for a
period of time
 Good BCP will take into account impacts on IS
processing facilities
 Consider dealing with damage to image, reputation or
brand
 Definition:
 A document approved by top management defines extent and scope
of the business continuity effort (a project or an ongoing program)
within the organization.
 Contents:
 Internal portion: a message to internal stakeholders (i.e., employees,
management, directors) that the company is undertaking the effort,
committing its resources and expecting the rest of the organization to
do the same.
 Public portion: a message to external stakeholders (shareholders,
regulators, authorities, etc.) that the organization is treating its
obligations (e.g., service delivery, compliance) seriously.
 A statement to the organization, empowering those who are
responsible for business continuity.
 May broadly state the general principles on which business continuity
will be based.
 Creation of a business continuity and disaster
recovery policy
 Business impact analysis
 Classification of operations and criticality analysis
 Development of a business continuity plan and
disaster recovery procedures
 Training and awareness program
 Testing and implementation of plan
 Monitoring
 All types of incidents should be categorized
 Negligible
 Minor
 Major
 Crisis
 The Security Officer (SO) or other designated
individual should be notified of all relevant
incidents as soon as any triggering event occurs.
 Critical step in developing the Business
Continuity Plan
 Three main questions to consider during BIA
phase:
 What are the different business processes?
 What are the critical information resources related to
an organization’s critical business processes?
 What is the critical recovery time period for
information resources in which business processing
must be resumed before significant or unacceptable
losses are suffered?
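The three BIA questions worked through in code, as an added example that is not from the course material. The processes, the information resources they depend on, the hourly and fixed loss figures, the loss tolerance and the criticality bands are all constructed. The point the slide's questions only imply is the last step: a resource's recovery deadline is set by the most demanding process that depends on it, so a database shared by a routine process and a critical one inherits the critical deadline.

```python
"""Business impact analysis: from each process's loss tolerance to a recovery
deadline for every information resource it depends on.

Added worked example, not from the course material: processes, resources,
loss figures, tolerance and criticality bands are constructed for illustration.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    name: str
    loss_per_hour: float     # estimated loss per hour of outage
    fixed_loss: float        # one-off loss incurred by any outage (e.g. a penalty)
    depends_on: tuple        # information resources the process needs


def tolerable_outage_hours(p: Process, tolerance: float) -> float:
    """Longest outage before cumulative loss exceeds the tolerance.

    0.0 means even a momentary outage is unacceptable (the fixed loss alone
    exceeds tolerance); math.inf means the process can never breach it.
    """
    if p.fixed_loss > tolerance:
        return 0.0
    if p.loss_per_hour <= 0:
        return math.inf
    return (tolerance - p.fixed_loss) / p.loss_per_hour


def classify(hours: float) -> str:
    """Criticality class from the tolerable outage window (constructed bands)."""
    if hours <= 4:
        return "critical"
    if hours <= 24:
        return "vital"
    if hours <= 72:
        return "sensitive"
    return "noncritical"


def resource_deadlines(processes, tolerance):
    """Recovery deadline (hours) per information resource: the shortest
    tolerable outage among all processes that depend on it."""
    deadlines = {}
    for p in processes:
        hours = tolerable_outage_hours(p, tolerance)
        for r in p.depends_on:
            deadlines[r] = min(deadlines.get(r, math.inf), hours)
    return deadlines


def bia_report(processes, tolerance):
    """Processes ordered by urgency, with tolerable outage and criticality class."""
    rows = []
    for p in processes:
        hours = tolerable_outage_hours(p, tolerance)
        rows.append({"process": p.name, "hours": hours, "class": classify(hours)})
    return sorted(rows, key=lambda r: r["hours"])


# Constructed sample (hypothetical figures, not real data).
PROCESSES = [
    Process("online order intake", 20_000, 0, ("web_shop", "payment_gateway", "customer_db")),
    Process("payroll", 500, 50_000, ("hr_system",)),
    Process("regulatory reporting", 0, 150_000, ("reporting_db", "customer_db")),
    Process("internal wiki", 100, 0, ("wiki",)),
]
LOSS_TOLERANCE = 100_000

if __name__ == "__main__":
    for row in bia_report(PROCESSES, LOSS_TOLERANCE):
        print(row)
    print(resource_deadlines(PROCESSES, LOSS_TOLERANCE))
```

With these figures "online order intake" can tolerate five hours (vital), "payroll" a hundred hours, and "regulatory reporting" nothing at all because its fixed penalty already exceeds the tolerance, so customer_db, which it shares with order intake, gets a zero-hour deadline rather than the five hours order intake alone would give it. The zero-hour and unbounded cases are the two edge results the function handles explicitly.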
 Factors to consider when developing the plans
 Pre-disaster readiness
 Evacuation procedures
 Escalation procedures
 Circumstances under which a disaster should be declared
 Identification of plan responsibilities
 Identification of contact information
 Recovery option explanations
 Identification of resources for recovery and continued
operation of the organization
 Application of the reconstitution phase
 Management and user involvement is vital to the
success of BCP
 Essential to the identification of critical systems,
recovery times and resources
 Involvement from support services, business
operations and information processing support
 Entire organization needs to be considered for
BCP
 Key personnel must have an understanding of their
responsibilities
 Current detailed documentation must be kept
 Backup of required supplies
 Insurance coverage types:
▪ IS equipment and facilities
▪ Media (software) reconstruction
▪ Extra expenses
▪ Business interruption
▪ Valuable papers and records
▪ Errors and omissions
▪ Fidelity coverage
▪ Media transportation
 Schedule testing at a time that will minimize disruptions to
normal operations
 Test must simulate actual processing conditions
 Test execution:
 Pretest
 Test
 Posttest
 Test Types:
 Desk-based evaluation/paper test: a paper walk-through of the plan,
involving the major players in the plan's execution, who reason out what
might happen in a particular type of service disruption
 Preparedness test: usually a localized version of a full test, wherein
actual resources are expended in the simulation of a system crash
 Full operational test: one step away from an actual service
disruption
 Documentation of results
 Results analysis
 Time: for completion of prescribed tasks, delivery of equipment,
assembly of personnel and arrival at a predetermined site
 Amount: Amount of work performed at the backup site by clerical
personnel and information systems processing operations
 Count: number of vital records successfully carried to the backup site
versus the required number, and the number of supplies and
equipment requested versus actually received. Also, the number of
critical systems successfully recovered can be measured with the
number of transactions processed.
 Accuracy: Accuracy of the data entry at the recovery site versus
normal accuracy (as a percentage). Also, the accuracy of actual
processing cycles can be determined by comparing output results
with those for the same period processed under normal conditions.
 Recovery / continuity plan maintenance
 Business continuity plan must:
 Be based on the long-range IT plan
 Comply with the overall business continuity strategy
 Process for developing and maintaining the BCP/DRP
 Business impact analysis
 Identify and prioritize systems
 Choose appropriate strategies
 Develop the detailed plan for IS facilities
 Develop the detailed BCP
 Test the plans
 Maintain the plans
 Unfavorable end-user attitudes
 Excessive costs
 Budget overruns
 Late projects
 High staff turnover
 Inexperienced staff
 Frequent hardware/software errors
 The following documents should be reviewed:
 IT strategies, plans and budgets
 Security policy documentation
 Organization/functional charts
 Job descriptions
 Steering committee reports
 System development and program change procedures
 Operations procedures
 Human resource manuals
 Quality assurance procedures
 There are various phases to computer hardware,
software and IS service contracts, including:
 Development of contract requirements and service
levels
 Contract bidding process
 Contract selection process
 Contract acceptance
 Contract maintenance
 Contract compliance
 Understand and evaluate business continuity
strategy
 Evaluate plans for accuracy and adequacy
 Verify plan effectiveness
 Evaluate offsite storage
 Evaluate ability of IS and user personnel to
respond effectively
 Ensure plan maintenance is in place
 Evaluate readability of business continuity
manuals and procedures
 IS auditors should verify that basic elements of a
well-developed plan are evident including:
 Currency of documents
 Effectiveness of documents
 Interview personnel for appropriateness and
completeness
 Obtain a copy of the current business continuity policy and
strategy
 Obtain a current copy of the BCP or manual.
 Obtain a copy of the most recent BIA findings and identify the
RTO, RPO and other key strategic directives
 Sample the distributed copies of the manual and verify that
they are current.
 Verify whether the BCP supports the overall business
continuity strategy.
 Evaluate the effectiveness of the documented procedures for
the invocation of the BCP execution.
 Evaluate the procedure for updating the manual:
 Is it updated in a timely manner?
 Are specific responsibilities for maintaining the manual documented?
 Review the identification, priorities and planned support
of critical applications, both server-based and workstation-
based applications.
 Determine whether all applications have been reviewed
for their level of tolerance in the event of a disaster.
 Determine whether all critical applications (including PC
applications) have been identified.
 Determine whether the secondary site has the correct
versions of all system software, and verify that all of the
software is compatible; otherwise the system will not be
able to process production data during recovery.
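The version-parity check in the last step above, as an added example written for this page (not code from the slides or from ISACA): it compares a system-software inventory export from the primary site against one from the secondary site and reports every package that is missing or at a different version. The inventory format (site,host,package,version), the hostnames, package names and versions are constructed sample data, and it assumes the recovery hosts carry the same role names as their primary counterparts.

```python
"""Added example (not from the original slides): detect system-software
version drift between the primary site and the secondary (recovery) site.
The CSV-like inventory format, hostnames, packages and versions are
constructed for illustration."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed inventory exports, one installed package per line:
#   site,host,package,version
PRIMARY_INVENTORY = """\
primary,db01,postgresql,14.11
primary,db01,openssl,3.0.13
primary,app01,openjdk,17.0.10
primary,app01,tomcat,9.0.86
primary,app01,openssl,3.0.13
"""

SECONDARY_INVENTORY = """\
secondary,db01,postgresql,13.14
secondary,db01,openssl,3.0.13
secondary,app01,openjdk,17.0.10
secondary,app01,openssl,3.0.11
"""


@dataclass(frozen=True)
class Finding:
    host: str
    package: str
    primary_version: str
    secondary_version: Optional[str]  # None when absent at the secondary site

    @property
    def kind(self) -> str:
        return "missing at secondary" if self.secondary_version is None else "version mismatch"


def parse_inventory(text: str) -> Dict[Tuple[str, str], str]:
    """Map (host, package) -> version; blank lines and '#' comments are skipped."""
    result: Dict[Tuple[str, str], str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _site, host, package, version = line.split(",")
        result[(host, package)] = version
    return result


def compare_sites(primary_text: str, secondary_text: str) -> List[Finding]:
    """One Finding per package that is missing or at a different version at
    the secondary site.  Exact string comparison is deliberate: whether a
    differing version is 'compatible' is the auditor's call, not the script's."""
    primary = parse_inventory(primary_text)
    secondary = parse_inventory(secondary_text)
    findings = []
    for (host, package), p_ver in sorted(primary.items()):
        s_ver = secondary.get((host, package))
        if s_ver != p_ver:
            findings.append(Finding(host, package, p_ver, s_ver))
    return findings


if __name__ == "__main__":
    for f in compare_sites(PRIMARY_INVENTORY, SECONDARY_INVENTORY):
        print(f"{f.host} {f.package}: primary={f.primary_version} "
              f"secondary={f.secondary_version} ({f.kind})")
```

On the constructed sample the check reports two version mismatches (postgresql on db01, openssl on app01) and one package missing from the recovery site (tomcat on app01); the missing package is the case that would stop production data from being processed at all. With real exports the primary-to-secondary host mapping usually has to be supplied, since DR hosts rarely share the primary hostnames.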
 Obtain a member list for each
recovery/continuity/response team.
 Obtain a copy of the agreements relating to the use of backup
facilities.
 Review the list of business continuity personnel, emergency
contacts, hot-site contacts, emergency vendor contacts, etc., for
appropriateness and completeness.
 Call a sample of the people listed and verify that their phone
numbers and addresses are correct as indicated and that they
possess a current copy of the business continuity manual.
 Interview them for an understanding of their assigned
responsibilities in case of an interruption/disaster situation.
 Evaluate the procedures for documenting the
tests.
 Review the backup procedures followed for
each area covered by the DRP.
 Determine whether the backup and recovery
procedures are being followed.
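One way to evidence the last step (that backup procedures are actually being followed) rather than taking the checklist answer on trust, as an added example written for this page and not from the original slides: it reads backup-job log lines, keeps only the SUCCESS jobs, and compares the age of the last good backup of each DRP-covered system against the RPO recorded in the BIA. The log format, the system names, the RPO values and the AS_OF sampling time are all assumptions constructed for illustration.

```python
"""Added example (not from the original slides): evidence that backup
procedures are actually followed, by testing the age of the last SUCCESSFUL
backup of each DRP-covered system against its RPO from the BIA.  Log format,
system names, RPO values and AS_OF are constructed for illustration."""

from datetime import datetime, timedelta
import re

# Constructed BIA excerpt: system -> RPO (maximum tolerable data loss).
BIA_RPO = {
    "erp-db": timedelta(hours=1),
    "mailstore": timedelta(hours=24),
    "fileshare": timedelta(hours=24),
    "hr-portal": timedelta(hours=4),
}

# Constructed backup-agent log, one job per line:
#   <ISO-8601 UTC timestamp> <system> <job type> <SUCCESS|FAILED>
BACKUP_LOG = """\
2024-05-06T00:10:00Z erp-db full SUCCESS
2024-05-06T09:00:00Z erp-db incremental SUCCESS
2024-05-06T10:00:00Z erp-db incremental FAILED
2024-05-06T11:00:00Z erp-db incremental FAILED
2024-05-05T23:30:00Z mailstore full SUCCESS
2024-05-04T22:00:00Z fileshare full SUCCESS
garbage line that the parser must not trip over
"""

# Point in time at which the audit sample was taken (assumed).
AS_OF = datetime(2024, 5, 6, 12, 0, 0)

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z\s+"
    r"(?P<system>\S+)\s+(?P<type>\S+)\s+(?P<status>SUCCESS|FAILED)$"
)


def last_success(log):
    """Map system -> timestamp of its most recent SUCCESS job.
    Failed jobs are ignored: a recent FAILED run must not count as a backup."""
    latest = {}
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["status"] != "SUCCESS":
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        if m["system"] not in latest or ts > latest[m["system"]]:
            latest[m["system"]] = ts
    return latest


def rpo_exceptions(log, rpo, as_of):
    """Return [(system, reason)] for each BIA system whose last good backup is
    older than its RPO at time as_of, or which has no successful backup at all."""
    latest = last_success(log)
    exceptions = []
    for system, window in sorted(rpo.items()):
        ts = latest.get(system)
        if ts is None:
            exceptions.append((system, "no successful backup recorded"))
        elif as_of - ts > window:
            exceptions.append(
                (system, f"last good backup {as_of - ts} ago exceeds RPO {window}")
            )
    return exceptions


def audit():
    """Run the check on the constructed sample; returns the exception list."""
    return rpo_exceptions(BACKUP_LOG, BIA_RPO, AS_OF)


if __name__ == "__main__":
    for system, reason in audit():
        print(f"EXCEPTION {system}: {reason}")
```

The sample is built around the failure mode an auditor most often misses: erp-db has jobs logged every hour, so a count of jobs looks fine, but its last two runs failed and the last good backup is three hours old against a one-hour RPO. fileshare simply has not been backed up within its window, and hr-portal is in the BIA but has no backup record at all. The same structure carries over to the RTO side by substituting the restore-test log and the RTO column of the BIA.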
 IS auditors must review the test results to:
 Determine whether corrective actions are in the plan
 Evaluate thoroughness and accuracy
 Determine problem trends and resolution of problems
 An IS auditor must:
 Evaluate presence, synchronization and currency of
media and documentation
 Perform a detailed inventory review
 Review all documentation
 Evaluate availability of facility
 Key personnel must have an understanding of
their responsibilities
 Current detailed documentation must be kept
 An IS auditor must:
 Evaluate the physical and environmental access
controls
 Examine the equipment for current inspection and
calibration tags
 An IS auditor should obtain a copy of the contract
with the vendor
 The contract should be reviewed against a
number of guidelines
 Contract is clear and understandable
 Organization’s agreement with the rules
 Insurance coverage must reflect actual cost of
recovery
 Coverage of the following must be reviewed for
adequacy
 Media damage
 Business interruption
 Equipment replacement
 Business continuity processing
Q & A
Cisa 2013 ch2

  • 3. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC  Introduction  IT Governance  Information Security Governance  Enterprise Architecture and IT Management  Business Continuity Planning  Summary 3
  • 4. 4
  • 5. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC  Provide assurance that the necessary leadership and organizational structures and processes are in place to achieve objectives and to support the organization’s strategy 5
  • 6. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC  Evaluate the effectiveness of the IT governance structure to determine whether IT decisions, directions and performance support the organization’s strategies and objectives.  Evaluate IT organizational structure and human resources (personnel) management to determine whether they support the organization’s strategies and objectives.  Evaluate the IT strategy, including the IT direction, and the processes for the strategy’s development, approval, implementation and maintenance for alignment with the organization’s strategies and objectives.  Evaluate the organization’s IT policies, standards, and procedures, and the processes for their development, approval, implementation, maintenance, and monitoring, to determine whether they support the IT strategy and comply with regulatory and legal requirements.  Evaluate the adequacy of the quality management system to determine whether it supports the organization’s strategies and objectives in a cost-effective manner.  Evaluate IT management and monitoring of controls (e.g., continuous monitoring, QA) for compliance with the organization’s policies, standards and procedures. 6
  • 7. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC  Evaluate IT resource investment, use and allocation practices, including prioritization criteria, for alignment with the organization’s strategies and objectives.  Evaluate IT contracting strategies and policies, and contract management practices to determine whether they support the organization’s strategies and objectives.  Evaluate risk management practices to determine whether the organization’s IT-related risks are properly managed.  Evaluate monitoring and assurance practices to determine whether the board and executive management receive sufficient and timely information about IT performance.  Evaluate the organization’s business continuity plan to determine the organization’s ability to continue essential business operations during the period of an IT disruption. 7
  • 8. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC  Knowledge of IT governance, management, security and control frameworks, and related standards, guidelines, and practices  Knowledge of the purpose of IT strategy, policies, standards and procedures for an organization and the essential elements of each  Knowledge of organizational structure, roles and responsibilities related to IT  Knowledge of the processes for the development, implementation and maintenance of IT strategy, policies, standards and procedures  Knowledge of the organization’s technology direction and IT architecture and their implications for setting long-term strategic directions  Knowledge of relevant laws, regulations and industry standards affecting the organization  Knowledge of quality management systems  Knowledge of the use of maturity models  Knowledge of process optimization techniques 8
  • 9. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC  Knowledge of IT resource investment and allocation practices, including prioritization criteria (e.g., portfolio management, value management, project management)  Knowledge of IT supplier selection, contract management, relationship management and performance monitoring processes including third party outsourcing relationships  Knowledge of enterprise risk management  Knowledge of practices for monitoring and reporting of IT performance (e.g., balanced scorecards, key performance indicators [KPI])  Knowledge of IT human resources (personnel) management practices used to invoke the business continuity plan  Knowledge of business impact analysis (BIA) related to business continuity planning  Knowledge of the standards and procedures for the development and maintenance of the business continuity plan and testing methods 9
  • 10. 10
  • 11. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC IT Governance  The set of responsibilities and practices exercised by the board and executive management with the goal of:  Providing strategic direction  Ensuring that objectives are achieved  Ascertaining that risks are managed appropriately  Verifying that the enterprise’s resources are used responsibly Governance  The framework, principles, structure, processes and practices to set direction and monitor compliance and performance aligned with the overall purpose and objectives. Applicable to all governance views.  Defines accountability, responsibility and decision making (among other elements). 11
  • 12. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC Corporate Governance IT Governance Information Security Governance Outsourcing SOA 12
  • 13. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC 13 Enterprise Strategy IT/ InfoSec Strategy Action Plan Program Set of ProjectsPolicies Procedures Architecture Roles and Responsibilities Metrics Standards Guidelines
  • 14. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC Governance  Ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed-on direction and objectives (EDM). Management  Plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM). 14
  • 15. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC  Governance, Risk Management and Compliance  An increasingly used ‘umbrella term’ that covers these three areas of enterprise activities  These areas of activity are progressively being more aligned and integrated to improve enterprise performance and delivery of stakeholder needs. 15
  • 16. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC  Governance  Exercise of authority; control; government; arrangement.  Risk (management)  Hazard; danger; peril; exposure to loss, injury, or destruction (The act or art of managing; the manner of treating, directing, carrying on, or using, for a purpose; conduct; administration; guidance; control)  Compliance  The act of complying; a yielding; as to a desire, demand, or proposal; concession; submission Webster’s Online Dictionary 16
  • 17. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC  Enterprises are governed by generally accepted good or best practices, the assurance of which is provided by certain controls. From these practices flows the organization’s direction, which indicates certain activities using the organization’s resources.  The results are measured and reported on, providing input to the cyclical revision and maintenance of controls.  IT is also governed by good or best practices that ensure that the organization’s information and related technology support its business objectives, its resources are used responsibly, and its risks are managed appropriately. 17
  • 18. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC  IT governance is the responsibility of the board of directors and executive management  Effective enterprise governance focuses individual and group expertise and experience on specific areas where they can be most effective  IT governance is concerned with two issues:  IT delivers value to the business  IT risks are managed 18
  • 19. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC  COBIT  Developed by ISACA 10 support IT governance by providing a framework to ensure that: 'IT is aligned with the business, IT enables the business 'and maximizes benefits, IT resources are used responsibly~ and IT risks 'are managed appropriately, COBIT provides tools to assess and measure the performance of 34-IT processes within 1m organization.  The ISOIIEC 27001 (ISO 27001) series of standards  A set of best practices. that provides guidance to organizations implementing and maintaining information security programs. ISO 27001 originally was published in UK ,r, British Standard 7799 (BS7799) and has become a well known standard in the industry  The IT Infrastructure Library (ITIL)  Developed by the UK Office of Government Commerce (OGC), in partnership with the IT Service Management Forum, and is a detailed framework with hands-on information regarding how to achieve successful operational service management of IT. 19
  • 20. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC  The IT Baseline Protection Catalogs, or IT-Grundschutz Catalogs  (known prior to 2005 as the IT Baseline Protection Manual) are a collection of documents from {he German Federal Office for Security in Information Technology (FSI) . The documents are use full for detecting and combating security weak points in the IT environment. The collection encompasses over 3,000 pages.  The Information Security Management Maturity Model (ISM3)  A process-based ISM maturity model for security.  AS8015-2005  Australian standard for corporate governance of information and communications technology, A880 t5 was adopted as ISO/IEC 38500 in May 2008.  ISOIIEC 38500:2008 Corporate governance of information technology  (very closely based on AS8015-2005) provides a framework for effective governance of IT. ISOIIEC 38500 assists ·those at the highest organizational level to understand and fulfill their legal, regulatory and ethical obligations in respect to their organizations' use of IT. ISO/IEC 38500 is applicable to organizations of all sizes, including public and private companies, government entities and not-for-profit organizations, This standard provides guiding principles for di rectors of organizations 0 11 the effective, efficient and acceptable use of IT within their organizations. 20
  • 21. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC 21
  • 22. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC  Demands for better return from IT investments  Increases in IT expenditures  Regulatory requirements for IT controls  Selection of service providers and outsourcing  Complexity of network security  Adoptions of control frameworks  Benchmarking 22
  • 23. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC  Audit plays a significant role in the successful implementation of IT governance within an organization  Reporting on IT governance involves auditing at the highest level in the organization and may cross division, functional or departmental boundaries  Assess the following:  The importance of IT strategic planning, and importance of a strategic planning process or planning framework  The IS function’s alignment with the organization’s mission, vision, values, objectives and strategies  The IS function’s achievement of performance objectives established by the business (effectiveness and efficiency)  Legal, environmental, information quality, and fiduciary and security requirements  The control environment of the organization  The inherent risks within the IS environment 23
  • 24. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC  From IS standpoint, it relates to the long-term direction an organization wants to take in leveraging information technology for improving its business processes  Effective IT strategic planning involves a consideration of the organization’s demand for IT and its IT supply capacity  Consider how the CIO or senior IT management are involved in the creation of the overall business strategy 24
  • 25. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC 25
  • 26. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC  The creation of an IT strategy committee is an industry best practice  Committee should broaden its scope to include not only advice on strategy when assisting the board in its IT governance responsibilities, but also to focus on IT value, risks and performance 26
  • 27. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC  An organization’s senior management should appoint a planning or steering committee to oversee the IS function and its activities  A high-level steering committee for information technology is an important factor in ensuring that the IS department is in harmony with the corporate mission and objectives 27
  • 28. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC 28
  • 29. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC  A process management evaluation technique that can be applied to the IT governance process in assessing IT functions and processes  Method goes beyond the traditional financial evaluation  One of the most effective means to aid the IT strategy committee and management in achieving IT and business alignment 29
  • 30. 30
  • 31. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC  Focused activity with specific value drivers  Integrity of information (Integrity)  Continuity of services (Availability)  Protection of information assets (Confidentiality)  Integral part of IT governance  Importance of information security governance  Information security (Infosec) covers all information processes, physical and electronic, regardless of whether they involve people and technology or relationships with trading partners, customers and third parties.  Infosec is concerned with all aspects of information and its protection at all points of its life cycle within the organization. 31
  • 32. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC  Effective information security can add significant value to an organization by:  Providing greater reliance on interactions with trading partners  Improving trust in customer relationships  Protecting the organization’s reputation  Enabling new and better ways to process electronic transactions 32
  • 33. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC Strategic alignment Risk management Value delivery Performance measurement Resource management Process integration 33
  • 34. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC  Effective information security governance  Management must establish and maintain a framework to guide the development and management of a comprehensive information security program that supports business objectives  This framework provides the basis for the development of a cost-effective information security program that supports the organization’s business goals.  Strategic direction and impetus from: ▪ Boards of directors / senior management ▪ Executive management ▪ Steering committees ▪ Chief information security officers 34
  • 35. 35
Slide 36
- Involves documenting an organization’s IT assets in a structured manner to facilitate understanding, management and planning for IT investments
- Often involves both a current state and an optimized future state representation

Slide 37
- Framework dimensions: Data, Functional, Network, People, Process, Strategy
- Levels of representation: Scope, Enterprise Model, Systems Model, Technology Model, Detailed Representation

Slide 38
- Performance
- Business
- Service component
- Technical
- Data

Slide 39
- High-level documents
- Represent the corporate philosophy of an organization
- Must be clear and concise to be effective
- Management should review all policies carefully
- Policies need to be updated to reflect new technology and significant changes in business processes
- Policies formulated must enable achievement of business objectives and implementation of IS controls

Slide 40
- Information security policies
  - Communicate a coherent security standard to users, management and technical staff
  - Must balance the level of control with the level of productivity
  - Provide management the direction and support for information security in accordance with business requirements, relevant laws and regulations

Slide 41
- Information security policy document
  - Definition of information security
  - Statement of management intent
  - Framework for setting control objectives
  - Brief explanation of security policies
  - Definition of responsibilities
  - References to documentation

Slide 42
- Policy groups to be addressed
  - High-level information security policy
  - Data classification policy
  - Acceptable usage policy
  - End user computing policy
  - Access control policies

Slide 43
- Review of the information security policy document
  - Should be reviewed at planned intervals or when significant changes occur to ensure its continuing suitability, adequacy and effectiveness
  - Should have an owner who has approved management responsibility for the development, review and evaluation of the security policy
  - Review should include assessing opportunities for improvement to the organization’s information security policy

Slide 44
- Procedures are detailed documents that:
  - Define and document implementation policies
  - Must be derived from the parent policy
  - Must implement the spirit (intent) of the policy statement
  - Must be written in a clear and concise manner
Slide 45
- To develop a risk management program:
  - Establish the purpose of the risk management program
  - Assign responsibility for the risk management plan

Slide 46
- Steps:
  - Identification and classification of information resources or assets that need protection
  - Assess threats and vulnerabilities and the likelihood of their occurrence
  - Once the elements of risk have been established, they are combined to form an overall view of risk
  - Evaluate existing controls or design new controls to reduce the vulnerabilities to an acceptable level of risk
  - Residual risk

Slide 47
- IT risk management needs to operate at multiple levels, including:
  - Operational—Risks that could compromise the effectiveness of IT systems and supporting infrastructure
  - Project—Risk management needs to focus on the ability to understand and manage project complexity
  - Strategic—The risk focus shifts to considerations such as how well the IT capability is aligned with the business strategy

Slide 48
- Qualitative
- Semi-quantitative
- Quantitative
- Probability and expectancy
- Annual loss expectancy method

Slide 49
- Risk management should be applied to IT functions throughout the company
- Senior management responsibility
- Quantitative RM is preferred over qualitative approaches
- Quantitative RM always faces the challenge of estimating risks
- Quantitative RM provides more objective assumptions
- The real complexity or the apparent sophistication of the methods or packages used should not be a substitute for common sense or professional diligence
- Special care should be given to very high impact events, even if the probability of occurrence over time is very low.
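The annual loss expectancy method from slides 48 and 49, worked through as an added example (not code from the slides): it ranks a constructed threat register by ALE, values a candidate control against its annual cost, and separately flags the very high-impact, low-probability events that an ALE ranking alone would push down the list. The SLE and ALE formulas are the standard method; every asset value, exposure factor, rate and control cost is a constructed sample figure.

```python
"""Added example (not from the slides): the annual loss expectancy (ALE)
method of quantitative risk analysis, with the slide 49 caveat about very
high-impact, low-probability events.

Standard ALE formulas:
    SLE = asset value * exposure factor   (single loss expectancy)
    ALE = SLE * ARO                       (ARO = annualized rate of occurrence)
Every asset value, exposure factor and rate below is a constructed sample
figure for illustration, not data taken from the slides.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # replacement value of the asset at risk
    exposure_factor: float  # fraction of the asset lost per occurrence (0.0 to 1.0)
    aro: float              # expected occurrences per year

    @property
    def sle(self) -> float:
        """Single loss expectancy: loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annual loss expectancy: expected loss per year."""
        return self.sle * self.aro


# Constructed sample threat register (hypothetical figures).
SAMPLE_THREATS = [
    Threat("Laptop theft", 5_000, 1.0, 3),
    Threat("Ransomware on file server", 400_000, 0.5, 0.1),
    Threat("Data centre fire", 10_000_000, 0.8, 0.005),
    Threat("Phishing credential loss", 50_000, 0.3, 6),
]


def rank_by_ale(threats):
    """Threats ordered from highest to lowest annual loss expectancy."""
    return sorted(threats, key=lambda t: t.ale, reverse=True)


def safeguard_value(threat, new_exposure_factor, new_aro, annual_cost):
    """Net annual value of a control: ALE before minus ALE after minus the
    control's annual cost. A negative result means the control costs more
    than the loss it avoids."""
    after = Threat(threat.name, threat.asset_value, new_exposure_factor, new_aro)
    return threat.ale - after.ale - annual_cost


def high_impact_outliers(threats, impact_threshold):
    """Threats whose single-loss impact reaches the threshold, regardless of
    how low their ALE is. An ALE ranking alone pushes a rare but catastrophic
    event down the list; slide 49 says to give such events special care."""
    return [t for t in threats if t.sle >= impact_threshold]


if __name__ == "__main__":
    for t in rank_by_ale(SAMPLE_THREATS):
        print(f"{t.name:28s} SLE={t.sle:>12,.0f}  ALE={t.ale:>10,.0f}")
    phishing = SAMPLE_THREATS[3]
    # Hypothetical control: MFA cuts phishing occurrences from 6/yr to 1/yr.
    print("MFA net value:", safeguard_value(phishing, 0.3, 1.0, 20_000))
    outliers = high_impact_outliers(SAMPLE_THREATS, 1_000_000)
    print("High-impact outliers:", [t.name for t in outliers])
```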
Slide 50
- Hiring
- Employee handbook
- Promotion policies
- Training
- Scheduling and time reporting
- Employee performance evaluations
- Required vacations
- Termination policies

Slide 51
- Sourcing practices relate to the way an organization obtains the IS function required to support the business
- Organizations can perform all IS functions in-house or outsource all functions across the globe
- Sourcing strategy should consider each IS function and determine which approach allows the IS function to meet the organization’s goals

Slide 52
- Outsourcing practices and strategies
  - Contractual agreements under which an organization hands over control of part or all of the functions of the IS department to an external party
  - Becoming increasingly important in many organizations
  - The IS auditor must be aware of the various forms outsourcing can take as well as the associated risks

Slide 53
- Possible advantages
  - Commercial outsourcing companies are likely to devote more time and focus more efficiently on a given project than in-house staff
  - Outsourcing vendors are likely to have more experience with a wider array of problems, issues and techniques
- Possible disadvantages
  - Costs exceeding customer expectations
  - Loss of internal IS experience
  - Loss of control over IS
  - Vendor failure

Slide 54
- Risks can be reduced by:
  - Establishing measurable, partnership-enacted shared goals and rewards
  - Using multiple suppliers or withholding a piece of business as an incentive
  - Performing periodic competitive reviews and benchmarking/bench trending
  - Implementing short-term contracts
  - Forming a cross-functional contract management team
  - Including contractual provisions to consider as many contingencies as can reasonably be foreseen

Slide 55
- Globalization practices and strategies
  - Requires management to actively oversee the remote or offshore locations
  - The IS auditor can assist an organization in moving IS functions offsite or offshore by ensuring that IS management considers the following:
    - Legal, regulatory and tax issues
    - Continuity of operations
    - Personnel
    - Telecommunication issues
    - Cross-border and cross-cultural issues

Slide 56
- Governance in outsourcing
  - Mechanism that allows organizations to transfer the delivery of services to third parties
  - Accountability remains with the management of the client organization
  - Transparency and ownership of the decision-making process must reside within the purview of the client

Slide 57
- Third-party service delivery management
  - Every organization using the services of third parties should have a service delivery management system in place to implement and maintain the appropriate level of information security and service delivery in line with third-party service delivery agreements
  - The organization should check the implementation of agreements, monitor compliance with the agreements and manage changes to ensure that the services delivered meet all requirements agreed to with the third party.
Slide 60
- What is change management?
  - Managing IT changes for the organization
  - Identify and apply technology improvements at the infrastructure and application level

Slide 61
- Financial management
  - A critical element of all business functions and for a cost-intensive computer environment
  - The user-pays scheme, a form of chargeback, can improve application and monitoring of IS expenses and available resources.
  - In this scheme the costs of IS services (including staff time, computer time and other relevant costs) are charged back to the end users based on a standard (uniform) formula or calculation.
  - Chargeback is a joint responsibility of IS management and user management. Chargeback provides IS personnel and users with a tool to measure the effectiveness and efficiency of the service provided by the information processing facility.
- IS budgets
  - IS management, like all other departments, must develop a budget.
  - A budget allows for forecasting, monitoring and analyzing financial information.
  - The budget allows for an adequate allocation of funds, especially in an IS environment where expenses can be cost-intensive. The IS budget should be linked to short- and long-range IT plans.

Slide 62
- Software development, maintenance and implementation
- Acquisition of hardware and software
- Day-to-day operations
- Service management
- Security
- Human resource management
- General administration

Slide 63
- Process driven by performance indicators
- Optimization refers to the process of improving the productivity of information systems to the highest level possible without unnecessary, additional investment in the IT infrastructure
- Five ways to use performance measures:
  - Measure products/services
  - Manage products/services
  - Assure accountability
  - Make budget decisions
  - Optimize performance
Slide 65
- Systems development manager
- Help desk
- End user
- End user support manager
- Data management
- Quality assurance manager
- Vendor and outsourcer management
- Operations manager
- Control group
- Media management
- Data entry
- Systems administration
- Security administration
- Quality assurance
- Database administration
- Systems analyst
- Security architect
- Applications development and maintenance
- Infrastructure development and maintenance
- Network management

Slide 66
- Avoids possibility of errors or misappropriations
- Discourages fraudulent acts
- Limits access to data
Slide 68
- Transaction authorization
- Custody of assets
- Access to data
- Authorization forms
- User authorization tables
- Compensating controls for lack of segregation of duties include:
  - Audit trails
  - Reconciliation
  - Exception reporting
  - Transaction logs
  - Supervisory reviews
  - Independent reviews
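A check for the segregation-of-duties items on slide 68, added here as an example (not code from the slides): it scans a constructed user authorization table for users holding conflicting duties and reports, per conflict, whether one of the slide's compensating controls is documented. The rule that every pair of the three listed duties conflicts, and the sample tables, are assumptions for the illustration.

```python
"""Added example (not from the slides): checking a user authorization table
for segregation-of-duties conflicts and recording whether a compensating
control from slide 68 is documented where a conflict cannot be removed.

The duty names (transaction authorization, custody of assets, access to data)
and the compensating-control names come from the slide. The rule that every
pair of those duties conflicts, and the sample tables, are constructed for
illustration.
"""
from itertools import combinations

DUTIES = ("transaction_authorization", "custody_of_assets", "access_to_data")

# Constructed rule: no single person should hold any two of these duties.
CONFLICTING_PAIRS = {frozenset(p) for p in combinations(DUTIES, 2)}

# Compensating controls recognised for a lack of segregation (from slide 68).
COMPENSATING_CONTROLS = {
    "audit_trails", "reconciliation", "exception_reporting",
    "transaction_logs", "supervisory_reviews", "independent_reviews",
}

# Constructed user authorization table: user -> duties held.
AUTH_TABLE = {
    "alice": {"transaction_authorization"},
    "bob": {"custody_of_assets", "access_to_data"},
    "carol": {"transaction_authorization", "custody_of_assets", "access_to_data"},
    "dave": {"access_to_data"},
    "erin": {"transaction_authorization", "access_to_data"},
}

# Constructed: controls documented per user. Erin's entry is not a
# recognised compensating control and must not count.
DOCUMENTED_CONTROLS = {
    "bob": {"reconciliation", "supervisory_reviews"},
    "erin": {"verbal_manager_approval"},
}


def find_conflicts(auth_table):
    """Map each user holding conflicting duties to the sorted list of
    conflicting duty pairs; users without conflicts are omitted."""
    conflicts = {}
    for user, duties in auth_table.items():
        pairs = [p for p in combinations(sorted(duties), 2)
                 if frozenset(p) in CONFLICTING_PAIRS]
        if pairs:
            conflicts[user] = pairs
    return conflicts


def assess(auth_table, documented_controls):
    """Classify each conflict: 'compensated' if at least one recognised
    compensating control is documented for the user, else 'unmitigated'."""
    report = {}
    for user, pairs in find_conflicts(auth_table).items():
        controls = documented_controls.get(user, set()) & COMPENSATING_CONTROLS
        report[user] = {
            "conflicts": pairs,
            "controls": sorted(controls),
            "status": "compensated" if controls else "unmitigated",
        }
    return report


if __name__ == "__main__":
    for user, entry in assess(AUTH_TABLE, DOCUMENTED_CONTROLS).items():
        print(user, entry["status"], entry["conflicts"], entry["controls"])
```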
Slide 70
- Business continuity planning (BCP) is a process designed to reduce the organization’s business risk
- A BCP is much more than just a plan for the information systems
- IS processing is of strategic importance
  - Critical component of overall BCP
  - Most key business processes depend on the availability of key systems and infrastructure components
Slide 72
- Inability to maintain critical customer services
- Damage to market share, reputation or brand
- Failure to protect the company assets, including intellectual property and personnel
- Business control failure
- Failure to meet legal or regulatory requirements

Slide 73
- Disasters are disruptions that cause critical information resources to be inoperative for a period of time
- Good BCP will take into account impacts on IS processing facilities
- Consider dealing with damage to image, reputation or brand
Slide 75
- Definition:
  - A document approved by top management that defines the extent and scope of the business continuity effort (a project or an ongoing program) within the organization.
- Contents:
  - Internal portion: a message to internal stakeholders (i.e., employees, management, directors) that the company is undertaking the effort, committing its resources and expecting the rest of the organization to do the same.
  - Public portion: a message to external stakeholders (shareholders, regulators, authorities, etc.) that the organization is treating its obligations (e.g., service delivery, compliance) seriously.
- A statement to the organization, empowering those who are responsible for business continuity.
- May broadly state the general principles on which business continuity will be based.
Slide 77
- Creation of a business continuity and disaster recovery policy
- Business impact analysis
- Classification of operations and criticality analysis
- Development of a business continuity plan and disaster recovery procedures
- Training and awareness program
- Testing and implementation of plan
- Monitoring

Slide 78
- All types of incidents should be categorized
  - Negligible
  - Minor
  - Major
  - Crisis
- The Security Officer (SO) or other designated individual should be notified of all relevant incidents as soon as any triggering event occurs.

Slide 79
- Critical step in developing the Business Continuity Plan
- Three main questions to consider during the BIA phase:
  - What are the different business processes?
  - What are the critical information resources related to an organization’s critical business processes?
  - What is the critical recovery time period for information resources in which business processing must be resumed before significant or unacceptable losses are suffered?
Slide 82
- Factors to consider when developing the plans
  - Pre-disaster readiness
  - Evacuation procedures
  - Escalation procedures
  - Circumstances under which a disaster should be declared
  - Identification of plan responsibilities
  - Identification of contract information
  - Recovery option explanations
  - Identification of resources for recovery and continued operation of the organization
  - Application of the reconstitution phase
Slide 84
- Management and user involvement is vital to the success of BCP
- Essential to the identification of critical systems, recovery times and resources
- Involvement from support services, business operations and information processing support
- Entire organization needs to be considered for BCP

Slide 85
- Key personnel must have an understanding of their responsibilities
- Current detailed documentation must be kept
- Backup of required supplies
- Insurance
  - IS equipment and facilities
  - Media (software) reconstruction
  - Extra expenses
  - Business interruption
  - Valuable papers and records
  - Errors and omissions
  - Fidelity coverage
  - Media transportation

Slide 86
- Schedule testing at a time that will minimize disruptions to normal operations
- Test must simulate actual processing conditions
- Test execution:
  - Pretest
  - Test
  - Posttest
- Test types:
  - Desk-based evaluation/paper test: a paper walk-through of the plan, involving major players in the plan's execution who reason out what might happen in a particular type of service disruption
  - Preparedness test: usually a localized version of a full test, wherein actual resources are expended in the simulation of a system crash
  - Full operational test: this is one step away from an actual service disruption

Slide 87
- Documentation of results
- Results analysis
  - Time: time for completion of prescribed tasks, delivery of equipment, assembly of personnel and arrival at a predetermined site
  - Amount: amount of work performed at the backup site by clerical personnel and information systems processing operations
  - Count: number of vital records successfully carried to the backup site versus the required number, and the number of supplies and equipment requested versus actually received. Also, the number of critical systems successfully recovered can be measured with the number of transactions processed.
  - Accuracy: accuracy of the data entry at the recovery site versus normal accuracy (as a percentage). Also, the accuracy of actual processing cycles can be determined by comparing output results with those for the same period processed under normal conditions.
- Recovery / continuity plan maintenance

Slide 88
- Business continuity plan must:
  - Be based on the long-range IT plan
  - Comply with the overall business continuity strategy
- Process for developing and maintaining the BCP/DRP
  - Business impact analysis
  - Identify and prioritize systems
  - Choose appropriate strategies
  - Develop the detailed plan for IS facilities
  - Develop the detailed BCP
  - Test the plans
  - Maintain the plans
Slide 90
- Unfavorable end-user attitudes
- Excessive costs
- Budget overruns
- Late projects
- High staff turnover
- Inexperienced staff
- Frequent hardware/software errors

Slide 91
- The following documents should be reviewed:
  - IT strategies, plans and budgets
  - Security policy documentation
  - Organization/functional charts
  - Job descriptions
  - Steering committee reports
  - System development and program change procedures
  - Operations procedures
  - Human resource manuals
  - Quality assurance procedures

Slide 92
- There are various phases to computer hardware, software and IS service contracts, including:
  - Development of contract requirements and service levels
  - Contract bidding process
  - Contract selection process
  - Contract acceptance
  - Contract maintenance
  - Contract compliance

Slide 93
- Understand and evaluate business continuity strategy
- Evaluate plans for accuracy and adequacy
- Verify plan effectiveness
- Evaluate offsite storage
- Evaluate ability of IS and user personnel to respond effectively
- Ensure plan maintenance is in place
- Evaluate readability of business continuity manuals and procedures

Slide 94
- IS auditors should verify that basic elements of a well-developed plan are evident, including:
  - Currency of documents
  - Effectiveness of documents
  - Interview personnel for appropriateness and completeness
Slide 95
- Obtain a copy of the current business continuity policy and strategy
- Obtain a current copy of the BCP or manual.
- Obtain a copy of the most recent BIA findings and identify the RTO, RPO and other key strategic directives
- Sample the distributed copies of the manual and verify that they are current.
- Verify whether the BCP supports the overall business continuity strategy.
- Evaluate the effectiveness of the documented procedures for the invocation of the BCP execution.
- Evaluate the procedure for updating the manual:
  - Is it updated in a timely manner?
  - Are specific responsibilities documented for maintenance of the manual?

Slide 96
- Review the identification, priorities and planned support of critical applications, both server-based and workstation-based applications.
- Determine whether all applications have been reviewed for their level of tolerance in the event of a disaster.
- Determine whether all critical applications (including PC applications) have been identified.
- Determine whether the secondary site has the correct versions of all system software. Verify that all of the software is compatible; otherwise, the system will not be able to process production data during recovery.

Slide 97
- Obtain a member list for each recovery/continuity/response team.
- Obtain a copy of agreements relating to use of backup facilities
- Review the list of business continuity personnel, emergency, hot-site contacts, emergency vendor contacts, etc., for appropriateness and completeness.
- Call a sample of the people indicated and verify that their phone numbers and addresses are correct, as indicated, and that they possess a current copy of the business continuity manual.
- Interview them for an understanding of their assigned responsibilities in case of an interruption/disaster situation

Slide 98
- Evaluate the procedures for documenting the tests.
- Review the backup procedures followed for each area covered by the DRP.
- Determine whether the backup and recovery procedures are being followed.
  • 99. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC  IS auditors must review the test results to:  Determine whether corrective actions are in the plan  Evaluate thoroughness and accuracy  Determine problem trends and resolution of problems 99
  • 100. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC  An IS auditor must:  Evaluate presence, synchronization and currency of media and documentation  Perform a detailed inventory review  Review all documentation  Evaluate availability of facility 100
  • 101. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC  Key personnel must have an understanding of their responsibilities  Current detailed documentation must be kept 101
  • 102. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC  An IS auditor must:  Evaluate the physical and environmental access controls  Examine the equipment for current inspection and calibration tags 102
  • 103. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC  An IS auditor should obtain a copy of the contract with the vendor  The contract should be reviewed against a number of guidelines  Contract is clear and understandable  Organization’s agreement with the rules 103
  • 104. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC  Insurance coverage must reflect actual cost of recovery  Coverage of the following must be reviewed for adequacy  Media damage  Business interruption  Equipment replacement  Business continuity processing 104