SIP Study Group - ISACA CISA: Domain 3 - What is IT Auditing? - 11th June 2025

Meeting summary for SIP Study Group - 11th June 2025

Quick recap

The meeting focused on Domain 3 of the CISA cybersecurity certification exam, covering IT auditing principles and practices. The discussion explored various aspects of system development and implementation, including project governance, testing methodologies, and the importance of building security into the development process. The session concluded with an overview of system deployment strategies, data migration challenges, and the post-implementation review process, emphasizing the auditor's role in ensuring proper controls and business value delivery.

Next steps

Summary

ISACA CISA Domain 3 Auditing

Winton introduces the ISACA CISA Domain 3 live session, focusing on auditing. He explains that this is part of a series of cybersecurity certification preparation sessions, emphasizing the importance of auditing in cybersecurity despite its potentially less exciting reputation. Winton invites participants to book a free one-on-one call with him to discuss career paths and mentions that the study group covers various aspects of cybersecurity professional development, including certifications, resume building, and interview preparation.

IT Auditing and Risk Management

Winton explains the role of IT auditors, focusing on their responsibility to ensure information systems have proper controls for confidentiality, integrity, and availability. He outlines the career progression in IT auditing, from entry-level positions to senior roles overseeing enterprise-wide risk management. Winton then introduces Domain 3 of the CISA exam, which covers information systems acquisition, development, and implementation. He emphasizes the importance of risk assessment in making informed decisions and developing effective strategies for information systems.

IT Security and Development Best Practices

Winton discusses the importance of proper IT controls and security measures, using the example of a laptop catching fire to illustrate the consequences of not backing up data. He emphasizes that security should be built into the development process rather than treated as an afterthought. Winton then provides an overview of Domain 3 of the CISA exam, which covers project governance, system development methodologies, and testing. He asks participants to consider which scenario is scarier: building a system without requirements, implementing without testing, or not having a post-implementation review, drawing analogies to proofreading and test driving a car to illustrate the importance of these steps.

Project Governance and IT Auditing

Winton discusses the importance of project governance in system implementation, emphasizing that it sets direction, ensures accountability, and provides a framework for decision-making. He explains three project management structures: functional, projectized, and matrix, each with different levels of authority for the project manager. Winton then compares the roles in IT auditing to Avengers, highlighting the responsibilities of the project sponsor, project manager, QA team, and IS auditor. He concludes by describing the "superpowers" of IS auditors, including risk identification, control assessment, compliance scanning, and documentation verification.

Project Benefits and Business Cases

Winton discusses the challenges in measuring project benefits, emphasizing the importance of delivering business value and getting stakeholder buy-in. He then explains the concept of a business case, describing it as a project's birth certificate that justifies its existence and outlines its potential return on investment. Winton also introduces a mnemonic, SCRAPER, for conducting a feasibility study, which includes scope, current analysis, requirements, approach, evaluation, and review.

IT Project Build vs. Buy Decision

Winton discusses the build versus buy decision matrix for IT projects, outlining factors such as speed to market, cost, and customization needs. He explains the advantages and disadvantages of both building from scratch and buying off-the-shelf solutions. Winton then describes the auditor's role in business cases, which includes validating requirements, verifying cost estimates, ensuring risk identification, confirming alignment with IT strategy, and examining alternative solutions. He emphasizes the importance of thoroughness, objectivity, and alignment with organizational goals in the auditing process.

Understanding SDLC Models and Phases

Winton explains the System Development Lifecycle (SDLC) and its various models. He describes the Waterfall model as sequential, the V model as emphasizing verification and validation, and the Iterative or Agile model as flexible and collaborative. Winton then outlines the six main phases of the SDLC: project initiation, requirements definition, design, development, testing, and implementation, with maintenance as an ongoing process.

Software Development Controls Overview

Winton discusses the importance of controls throughout the software development lifecycle, emphasizing their role in ensuring quality, security, and alignment with business objectives. He describes specific controls for each phase, including approval processes in requirements, architecture reviews in design, and code reviews during development. Winton stresses the importance of building security into the system from the start rather than retrofitting it later. He then explains the critical system testing phase, which includes unit testing, integration testing, user acceptance testing, and security testing, using analogies to make the concepts more digestible.

System Deployment Implementation Strategies

Winton discusses various implementation strategies for system deployment, including Big Bang, Parallel, Phased, and Pilot approaches. He explains the risks and benefits of each strategy, emphasizing the importance of choosing an approach that aligns with the organization's risk tolerance. Winton then covers data conversion and migration challenges, comparing it to moving one's digital life and highlighting common risks. Finally, he explains the post-implementation review process, which evaluates the project's success 3-6 months after implementation and helps improve future development practices.
