SIP Study Group - ISACA CISA: Domain 2 - 4th June 2025

Meeting summary for SIP Study Group - 4th June 2025

Quick recap

The session focused on the CISA domain, covering governance and management topics with emphasis on IT audit careers and certification paths. Winton discussed various aspects of IT governance, enterprise architecture, and risk management, including policy development, compliance requirements, and data privacy programs. The presentation concluded with an overview of IT performance monitoring, quality assurance practices, and upcoming sessions on the main three domains.

Next steps

Summary

CISA Governance and Career Resources

Winton, an information security professional and educator, introduced a session on the CISA domain focusing on governance and management. He outlined his credentials and experience, emphasizing his role in providing support and resources for those seeking certifications and career advancement. Winton highlighted the platform's offerings, including personalized mentorship, study groups, and free one-on-one calls, and encouraged participants to utilize these resources for their career development. He also invited feedback to tailor the platform's content to user needs and mentioned the availability of merchandise and live sessions.

CISA Certification and IT Audit Career Path

Winton discussed the CISA certification and IT audit career path, explaining that IT auditors evaluate controls over information systems to ensure data integrity, security, and compliance. He outlined the typical career progression for IT auditors, starting as junior auditors with responsibilities like control testing and assisting seniors, to senior auditors overseeing audit teams and advising on regulatory compliance, and finally to IT audit managers and directors with higher salaries and strategic responsibilities. Winton emphasized that the group offers support and networking opportunities for individuals looking to enter or advance in the cybersecurity and IT audit industry.

IT Governance and Compliance Overview

Winton discussed the importance of governance and management of IT, focusing on ensuring alignment between IT and business goals. He outlined various laws, regulations, and industry standards that organizations must follow, such as GDPR, HIPAA, and SOX. Winton explained how these frameworks impact different businesses depending on their location and nature, and emphasized the role of auditors in testing controls and providing independent opinions. He also highlighted the importance of compliance and the need for organizations to be aware of the controls and processes of companies like Google when using their services.

IT Governance: Roles and Responsibilities

Winton led a discussion on IT governance, explaining its role as the strategic direction for a company's IT activities. He outlined key organizational structures, including the Chief Information Officer's responsibility for IT strategy and the Chief Information Security Officer's role in developing security programs. Winton emphasized that IT governance aims to support business goals while reducing risk, and he clarified the functions of IT operations, service delivery, and the steering committee. The session concluded with a practice question about IT governance responsibility, which Winton answered by identifying the board of directors as the ultimate authority.

Information Security Policy Framework

Winton explained the components of Domain 2.3, which covers policies, standards, and procedures for information security. He described policies as high-level statements of management intent, standards as concrete technical requirements enforcing policies, and procedures as step-by-step instructions. Guidelines, while not mandatory, are recommended to enhance security. Winton outlined the policy development lifecycle, including initiation, drafting, review, approval, publication, and communication, emphasizing the importance of stakeholder involvement and mutual agreement.

Policy Development and Exception Processes

Winton discussed the policy development lifecycle, emphasizing the importance of establishing formal exception processes when policies are triggered by incidents. He explained that these processes require documentation of justifications, timeframes, and compensating controls to ensure security. Winton also highlighted the need for periodic review and revision of policies to account for changes in technology, staff, and processes. In addressing how employees follow new procedures, Winton identified training sessions as the most effective option, as they provide employees with the necessary knowledge and understanding of policies and procedures.

Enterprise Architecture Domains Overview

Winton explained the four domains of enterprise architecture: business architecture, data architecture, application architecture, and technology architecture. He emphasized the importance of scalability, security, and compliance by design in enterprise architecture. Winton also highlighted the need for different components of the architecture to work together seamlessly and for the architecture to be flexible enough to accommodate future upgrades and changes.

Enterprise Architecture and Risk Management

Winton discussed the importance of understanding the total cost of ownership for cybersecurity, emphasizing its role in reducing organizational risk rather than generating profit. He introduced the concept of enterprise architecture, highlighting its layered model (business, data, application, and technology layers) and the unique stakeholders and artifacts within each layer. Winton also explained enterprise risk management, describing it as an organization's proactive plan to identify, assess, and manage potential negative impacts to its technology and data.

Key Steps in ERM Process

Winton explained the five key steps of the ERM process, emphasizing the importance of identifying and assessing risks by analyzing likelihood and impact to categorize them as low, medium, high, or critical. He discussed risk mitigation strategies, including implementing controls, transferring risks through cyber insurance, avoiding high-risk activities, and accepting low-impact risks while monitoring them. Winton highlighted that the first step in the risk management process is to identify and assess risks, and he posed a practice question asking participants to name that first step.
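The assess-and-categorize step described above, carried through on a small constructed risk register (an added illustration, not material from the study group): each entry is scored as likelihood times impact, bucketed into low/medium/high/critical, and mapped to one of the four treatment options the session lists. The 1-to-5 scales, the score thresholds and the level-to-treatment mapping are assumptions; an organization sets its own.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain); assumed scale
    impact: int      # 1 (negligible) .. 5 (severe); assumed scale
    insurable: bool = False  # can the financial impact be transferred?

def score(risk: Risk) -> int:
    """Likelihood x impact gives a 1..25 score (the 'assess' step)."""
    if not (1 <= risk.likelihood <= 5 and 1 <= risk.impact <= 5):
        raise ValueError(f"{risk.name}: likelihood and impact must be 1..5")
    return risk.likelihood * risk.impact

def categorise(risk: Risk) -> str:
    """Map the score to low/medium/high/critical (assumed thresholds)."""
    s = score(risk)
    if s >= 20:
        return "critical"
    if s >= 12:
        return "high"
    if s >= 6:
        return "medium"
    return "low"

def treatment(risk: Risk) -> str:
    """Choose among the four strategies named in the session (assumed mapping)."""
    level = categorise(risk)
    if level == "critical":
        return "avoid"               # stop or redesign the activity
    if level == "high":
        return "transfer" if risk.insurable else "mitigate"
    if level == "medium":
        return "mitigate"            # implement controls
    return "accept-and-monitor"      # low impact: accept, keep watching

def assess_register(risks):
    """Return (name, score, level, treatment) rows, highest score first."""
    rows = [(r.name, score(r), categorise(r), treatment(r)) for r in risks]
    return sorted(rows, key=lambda row: row[1], reverse=True)

# Constructed register entries for the illustration, not from the session.
REGISTER = [
    Risk("Office printer outage", likelihood=2, impact=1),
    Risk("Ransomware via phishing e-mail", likelihood=3, impact=5, insurable=True),
    Risk("Card data processed on unsupported POS terminals", likelihood=4, impact=5),
    Risk("Encrypted laptop lost in transit", likelihood=3, impact=2),
]
```

Calling `assess_register(REGISTER)` yields the register ordered from the critical POS-terminal risk down to the low-impact printer outage, with a treatment per row.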

Data Privacy Program Overview

Winton explained the data privacy program, which systematically manages and protects personal information to comply with legal requirements and uphold individual rights. The program includes establishing roles, providing training, monitoring third-party data handling, mapping data flows, and managing privacy incidents. Winton emphasized the importance of having the program established early so that the organization can respond to data breaches in a timely manner and avoid penalties. He also discussed data governance and classification, highlighting the need to understand and classify data based on its sensitivity and the controls it requires.

IT Operations and Data Management

Winton discussed the main benefits of data classification, which include enabling targeted protection by knowing what data the organization holds. He explained resource management in IT, covering skills, certifications, user experience, capacity planning, and retention planning. Winton also addressed IT vendor management, emphasizing risk assessments, access control, contract integrity, and confidentiality agreements. Finally, he described IT performance monitoring and reporting, which measure and communicate how well IT operations align with business goals.

Security and Quality Metrics Review

Winton discussed various operational and security KPIs, including mean time to respond, patch compliance rates, and the number of open high-risk vulnerabilities. He explained how these metrics are monitored using tools like Splunk, SolarWinds, and Datadog, and how a Security Information and Event Management (SIEM) platform can aggregate and analyze logs for alerting. Winton also covered quality assurance and quality management, emphasizing the goal of preventing defects by building quality into processes from the start. He mentioned that next week's session would include a PowerPoint presentation on the main three domains.
