[UPBEAT MUSIC] Welcome to Global Information Security Society for Professionals of Pakistan. [NON-ENGLISH SPEECH] Global Information Society for Professionals of Pakistan [NON-ENGLISH SPEECH] Governance and management of IT. [NON-ENGLISH SPEECH] session 2.4. [NON-ENGLISH SPEECH] Domain 2 [NON-ENGLISH SPEECH] fourth session [NON-ENGLISH SPEECH] obviously it is fifth. [NON-ENGLISH SPEECH] Formally session 1, 2, 3, and 4th, 2.4 session. [NON-ENGLISH] session [NON-ENGLISH SPEECH] Portfolio management. IT portfolio management. [NON-ENGLISH SPEECH] investment. Investment [NON-ENGLISH SPEECH]. Prioritization [NON-ENGLISH SPEECH] Allocation, [NON-ENGLISH SPEECH] For the alignment. [NON-ENGLISH SPEECH] IT department [NON-ENGLISH SPEECH] Strategies [NON-ENGLISH] objectives [NON-ENGLISH SPEECH] [COUGHS] Sorry. [COUGHING] Excuse me. [NON-ENGLISH SPEECH] Anyways, [NON-ENGLISH SPEECH] For example, [NON-ENGLISH SPEECH] easy money [NON-ENGLISH SPEECH] Bitcoin [NON-ENGLISH SPEECH] terminologies [NON-ENGLISH SPEECH] Foreign exchange [NON-ENGLISH SPEECH] investment [NON-ENGLISH SPEECH] Objective [NON-ENGLISH SPEECH] NGO [NON-ENGLISH SPEECH] [NON-ENGLISH SPEECH] [NON-ENGLISH SPEECH] day-to-day operations [NON-ENGLISH SPEECH] IT portfolio management [NON-ENGLISH]. IT portfolio management [NON-ENGLISH SPEECH] IT portfolio management, [NON-ENGLISH SPEECH] Inside the organization, outside the organization [NON-ENGLISH SPEECH] So this snapshot of existing status of our IT of our organization, [NON-ENGLISH SPEECH] portfolio [NON-ENGLISH]. I hope [NON-ENGLISH SPEECH] The IT portfolio is distinct from the IT financial management. Financial management [NON-ENGLISH SPEECH] It has strategic goals in determining the IT direction towards [NON-ENGLISH SPEECH] On the basis of your expertise, your portfolio, [NON-ENGLISH SPEECH] Redundant [NON-ENGLISH], slack time [NON-ENGLISH SPEECH] So this is what is called IT portfolio management. 
Key governance practices in IT portfolio management include the evaluation, direction, and monitoring of value optimization. So [NON-ENGLISH] value [NON-ENGLISH SPEECH] Optimize [NON-ENGLISH SPEECH] So key governance practices in IT portfolio management include [NON-ENGLISH SPEECH] OK, IT portfolio management continued. The most significant advantage of IT portfolio management is agility in adjusting investment based on built-in feedback mechanism. Obviously, [NON-ENGLISH SPEECH] Implementation method includes, portfolio management [NON-ENGLISH] implement [NON-ENGLISH SPEECH] Number [NON-ENGLISH], risk profile analysis. [NON-ENGLISH SPEECH] Whatever is the treatment plan you have. Diversification of projects, infrastructure and technology, [NON-ENGLISH SPEECH] OK, next slide [NON-ENGLISH SPEECH] Now over to you. Discussion question number 1. Number 2 we have here. OK. Usually, exam [NON-ENGLISH SPEECH] OK. The merger of two organizations, multiple self-developed legacy applications from both organizations are to be replaced by a new common platform. Which of the following would be the greatest risk? Project management and the progress reporting is combined in a project management office which is driven by external consultant. I think it's risk but it's not the greatest risk. The replacement effort consists of several independent projects without integrating the resource allocation in a portfolio management approach, the risk. The resource of each organization is inefficiently allocated while they are being familiarized with the other company's legacy system. The new platform will force the business area of both organizations to change their work process. Good. [NON-ENGLISH SPEECH] The correct answer is B. The correct answer is the replacement effort consists of several independent products without integrating the resource allocation in a portfolio management. 
[NON-ENGLISH SPEECH] To gain an understanding of the effectiveness of an organization's planning and management of investment in IT assets, an IS auditor should review the? Enterprise data model, IT balanced scorecard, IT organizational structure, historical financial statement. [NON-ENGLISH], simple, straightforward answer. Naveed Ali [NON-ENGLISH SPEECH] C. OK. Ikra [NON-ENGLISH] answer [NON-ENGLISH] D. [NON-ENGLISH SPEECH] Ikra [NON-ENGLISH] financial background [NON-ENGLISH]. To gain an understanding of the effectiveness of an organization's planning and management of investment in IT assets, an IS auditor should review the? IS auditor [NON-ENGLISH SPEECH] review [NON-ENGLISH SPEECH] Management of investment. [NON-ENGLISH SPEECH] Historical financial statements. [NON-ENGLISH SPEECH] Seems good. [NON-ENGLISH] enterprise data model [NON-ENGLISH SPEECH] IT balanced scorecard [NON-ENGLISH SPEECH] OK. So [NON-ENGLISH SPEECH] The correct answer is IT balanced scorecard. [NON-ENGLISH SPEECH] You can read. Concentrate on answer B, the IT balanced scorecard. [NON-ENGLISH SPEECH] IT balanced scorecard [NON-ENGLISH SPEECH] So IT balanced scorecard [NON-ENGLISH SPEECH] Number [NON-ENGLISH], financial growth. Number [NON-ENGLISH SPEECH] internal processes. Number [NON-ENGLISH], ability to innovate. Innovation [NON-ENGLISH SPEECH]. [NON-ENGLISH SPEECH] customer satisfaction. OK. Process maturity framework. [NON-ENGLISH SPEECH] Process maturity framework. [NON-ENGLISH SPEECH] So these are the process maturity things. [NON-ENGLISH SPEECH] It's a life cycle to complete a task. [NON-ENGLISH SPEECH] [COUGHING] Sorry. [NON-ENGLISH SPEECH] Obviously, it was efficient. [NON-ENGLISH SPEECH] In another case, [NON-ENGLISH SPEECH] Yes, it was effective. [NON-ENGLISH SPEECH] Yes, it was efficient. [NON-ENGLISH SPEECH] Yes, it was effective. [NON-ENGLISH SPEECH] It was a quality process. [NON-ENGLISH SPEECH] So this is called process maturity. OK. 
[NON-ENGLISH] different frameworks market [NON-ENGLISH SPEECH] CMMI [NON-ENGLISH], Capability Maturity Integration Model. [NON-ENGLISH SPEECH] COBIT Process Assessment Model [NON-ENGLISH SPEECH] CMMI [NON-ENGLISH SPEECH] Maintaining consistency, efficiency, and effectiveness of IT processes requires the implementation of a process maturity framework. [NON-ENGLISH SPEECH] Several models may be encountered in the organization, including COBIT [NON-ENGLISH] process assessment model. [NON-ENGLISH SPEECH] So they fall in about 35, 36, 30, 30, 37 processes. [NON-ENGLISH SPEECH] Stage 1, stage 2, stage 3. [NON-ENGLISH SPEECH] CMMI, Capability Maturity Model Integration, [NON-ENGLISH SPEECH] So initial processes are unpredictable. [NON-ENGLISH SPEECH] The processes are unpredictable, poorly controlled, and reactive. [NON-ENGLISH SPEECH] Processes are unpredictable, poorly controlled, and reactive. Repeatable, [NON-ENGLISH SPEECH] Several organizations I want to name. Allied Bank [NON-ENGLISH SPEECH] processes are well standardized [NON-ENGLISH SPEECH] They are working in silos. [NON-ENGLISH SPEECH] So that is called optimization level 5. [NON-ENGLISH SPEECH] [CHUCKLES] [NON-ENGLISH SPEECH] [CHUCKLES] [NON-ENGLISH SPEECH] Optimize [NON-ENGLISH] according to your external customers, stakeholders. So this is called process maturity levels. [NON-ENGLISH SPEECH] PDCA model, Plan, Do, Check, Act. [NON-ENGLISH SPEECH] Implement the plan. Collecting data for charting, analysis. [NON-ENGLISH SPEECH] I'm going for studies [NON-ENGLISH SPEECH] [CHUCKLES] [NON-ENGLISH SPEECH] [CHUCKLES] [NON-ENGLISH SPEECH] [CHUCKLES] [NON-ENGLISH SPEECH] plan, do, check, act, clear? [NON-ENGLISH] question. [NON-ENGLISH SPEECH] [CHUCKLES] OK, quality management. Quality management [NON-ENGLISH SPEECH] The development and maintenance of defined and documented IT quality management processes is evidence of effective GEIT, Governances Enterprise IT. 
[NON-ENGLISH] IT governance [NON-ENGLISH] governance in enterprise IT, [NON-ENGLISH SPEECH] Governance in enterprise IT, end-to-end organization [NON-ENGLISH SPEECH] Quality management defined as a set of tasks that produce desired results when properly performed. Various standards provide guidelines for governance of quality management, including those in ISO 20000 series. [NON-ENGLISH SPEECH] Anyways, the good news is the IS auditor should be aware of quality management. However, [NON-ENGLISH SPEECH] Statement that the IS auditor should be aware of quality management. However, [NON-ENGLISH SPEECH] [CHUCKLES] [NON-ENGLISH SPEECH] The CISA exam does not test specifically on any ISO standard. So [NON-ENGLISH SPEECH] Excuse me. Discussion question number 3. OK, go ahead. OK [NON-ENGLISH]. [NON-ENGLISH SPEECH] Identify and report the controls currently in place. [NON-ENGLISH SPEECH] Correct answer is D. [NON-ENGLISH SPEECH] Process number 4, element number 4, identify [NON-ENGLISH SPEECH] OK, next question [NON-ENGLISH SPEECH] Number 4. [NON-ENGLISH] critical success factor [NON-ENGLISH SPEECH] Most critical success factor, security program [NON-ENGLISH SPEECH] Establishment of a review board. Creation of security unit. Effective support of an executive sponsor. Selection of a security process owner. [NON-ENGLISH SPEECH] A is a good option. [NON-ENGLISH SPEECH] So rethink. [NON-ENGLISH SPEECH] [CHUCKLES] [NON-ENGLISH SPEECH] Correct answer is C. [NON-ENGLISH SPEECH] OK, performance optimization. Performance optimization. Performance optimization [NON-ENGLISH SPEECH] It's a balance. It's a trade-off between the highest level of performance and the minimum use of resources. [NON-ENGLISH SPEECH] [CHUCKLES] [NON-ENGLISH SPEECH] [CHUCKLES] [NON-ENGLISH SPEECH] So this is called optimization. So maximum extract by using minimum possible resources. 
[NON-ENGLISH SPEECH] Performance optimization is the process of improving both perceived service performance while bringing highest productivity to the highest level possible. [NON-ENGLISH] OK. Ideally, this productivity will be gained without excessive additional investment in the IT infrastructure. Effective performance measures are used to create and facilitate action to improve both performance and GEIT, Governances Enterprise IT. [NON-ENGLISH SPEECH] these depend upon the clear definition of performance goal. [NON-ENGLISH SPEECH] [COUGHS] Sorry. [COUGHING] [NON-ENGLISH SPEECH] Clear definition of performance goal, the establishment of effective metrics to monitor goal achievement. [NON-ENGLISH SPEECH] You are on right track. [NON-ENGLISH SPEECH] It's great. It's the optimization. [NON-ENGLISH SPEECH] Different tools and techniques [NON-ENGLISH SPEECH] White belt, brown belt, blue belt, [NON-ENGLISH] then finally, [NON-ENGLISH SPEECH] White belt, green belt, blue belt, orange belt, [NON-ENGLISH] belt, [NON-ENGLISH] belt, [NON-ENGLISH]. [NON-ENGLISH SPEECH] Internal processes or customer satisfaction. [NON-ENGLISH SPEECH] KPIs, Key Performance Indicator. Key performance indicator. Key performance indicator [NON-ENGLISH SPEECH] For example, [NON-ENGLISH] call center [NON-ENGLISH] key performance indicator [NON-ENGLISH SPEECH] Yes, he's done a good job. [NON-ENGLISH SPEECH] So this is called benchmarking. Then [COUGHING] business process reengineering. Business process reengineering [NON-ENGLISH SPEECH] Root Cause Analysis, RCA. Root cause analysis [NON-ENGLISH SPEECH] It was the root cause analysis. [NON-ENGLISH SPEECH] It was the root cause analysis. [NON-ENGLISH] root cause analysis [NON-ENGLISH SPEECH] Life cycle cost benefit analysis. [NON-ENGLISH SPEECH] Feasibility study, business case, requirement analysis, requirement gathering, development, testing, [NON-ENGLISH SPEECH] This is called optimization. [NON-ENGLISH SPEECH] Clear, [INAUDIBLE]. 
Thank you very much on the behalf of GISSP. [NON-ENGLISH SPEECH] [COUGHING] Sorry. [NON-ENGLISH SPEECH]