Information Systems Auditor Responsibilities

The Responsibilities of an Information Systems Auditor


Question

Who is responsible for ensuring that system controls and supporting processes provide an effective level of protection, based on the data classification set in accordance with corporate security policies and procedures?

Answers

Explanations



B.

The Security Officer ensures that system controls and supporting processes provide an effective level of protection, based on the data classification set in accordance with corporate security policies and procedures, and consults throughout the life cycle on appropriate security measures that should be incorporated into the system.

For the CISA exam you should know the roles and responsibilities of the groups and individuals that may be involved in the development process, which are summarized below:

Senior Management - Demonstrates commitment to the project and approves the necessary resources to complete the project.

This commitment from senior management helps ensure involvement by those needed to complete the project.

User Management - Assumes ownership of the project and the resulting system, allocates qualified representatives to the team, and actively participates in business process redesign, system requirement definitions, test case development, acceptance testing and user training.

User management is concerned primarily with the following questions: Are the required functions available in the software? How reliable is the software? How effective is the software? Is the software easy to use? How easy is it to transfer or adapt old data from preexisting software to this environment? Is it possible to add new functions? Does it meet regulatory requirements?

Project Steering Committee - Provides overall direction and ensures appropriate representation of the major stakeholders in the project's outcome.

The project steering committee is ultimately responsible for all deliverables, project costs and schedules.

This committee should be composed of senior representatives from each business area that will be significantly impacted by the proposed new system or system modifications.

System Development Management - Provides technical support for the hardware and software environment by developing, installing and operating the requested system.

Project Manager - Provides day-to-day management and leadership of the project, ensures that project activities remain in line with the overall direction, ensures appropriate representation of the affected departments, ensures that the project adheres to local standards, ensures that deliverables meet the quality expectations of key stakeholders, resolves interdepartmental conflicts, and monitors and controls project costs and timetables.

Project Sponsor - Provides funding for the project and works closely with the project manager to define critical success factors (CSFs) and metrics for measuring the success of the project.

It is crucial that success is translated to measurable and quantifiable terms.

Data and application ownership are assigned to a project sponsor.

A project sponsor is typically the senior manager in charge of the primary business unit that the application will support.

System Development Project Team - Completes assigned tasks, communicates effectively with users by actively involving them in the development process, works according to local standards, and advises the project manager of necessary plan deviations.

User Project Team - Completes assigned tasks, communicates effectively with the system developers by actively involving themselves in the development process as subject matter experts (SMEs), works according to local standards, and advises the project manager of expected and actual project deviations.

Security Officer - Ensures that system controls and supporting processes provide an effective level of protection, based on the data classification set in accordance with corporate security policies and procedures, and consults throughout the life cycle on appropriate security measures that should be incorporated into the system.

Quality Assurance - Personnel who review results and deliverables within each phase and at the end of each phase, and confirm compliance with requirements.

Their objective is to ensure the quality of the project by measuring the adherence of project staff to the organization's software development life cycle (SDLC), advising on deviations, and proposing recommendations for process improvement or greater control points when deviations occur.

The following were incorrect answers:

Project Sponsor - Provides funding for the project and works closely with the project manager to define critical success factors (CSFs) and metrics for measuring the success of the project.

It is crucial that success is translated to measurable and quantifiable terms.

Data and application ownership are assigned to a project sponsor.

A project sponsor is typically the senior manager in charge of the primary business unit that the application will support.

User Management - Assumes ownership of the project and the resulting system, allocates qualified representatives to the team, and actively participates in business process redesign, system requirement definitions, test case development, acceptance testing and user training.

Senior Management - Demonstrates commitment to the project and approves the necessary resources to complete the project.

This commitment from senior management helps ensure involvement by those needed to complete the project.

The responsibility for ensuring that system controls and supporting processes provide an effective level of protection based on the data classification set in accordance with corporate security policies and procedures lies with senior management.

Data classification is the process of categorizing data based on its level of sensitivity, value, and criticality to the organization. Different levels of data classification require different levels of protection, and the responsibility for determining the appropriate level of protection for each category of data falls on senior management.

Senior management is responsible for establishing policies and procedures for data classification and ensuring that those policies and procedures are followed. They are also responsible for allocating resources to implement the necessary controls to protect the data.

The security officer is responsible for implementing and enforcing the security policies and procedures established by senior management, including the controls to protect data based on its classification. User management is responsible for ensuring that users of the system comply with security policies and procedures and that their access to data is appropriate for their role and level of authorization.

The project sponsor may have oversight responsibilities for a specific project but is not typically responsible for ensuring the overall effectiveness of system controls and supporting processes. Therefore, the correct answer to the question is D. Senior Management.