CISA Domain 3: Information Systems Acquisition, Development and Implementation

The purpose of this element of CISA is to make sure candidates can assure the effective operation of the processes used for IS acquisition, development, and implementation.

The domain covers six areas:

  • Developing the business case
  • IT supplier selection
  • Project management
  • System development
  • Implementation readiness
  • Post-implementation review

Before starting any IS project, the organization should make sure it supports the IS strategy and is affordable, and should decide what benefits it must deliver to be judged a success. This information is brought together in the business case, which is approved by senior management and continually re-evaluated throughout the project.

A benefits realization process is also used throughout the project to ensure the benefits, such as cost reduction or improved system reliability, are delivered.

The need for the project will come from the portfolio created to support the IS strategy (see CISA Domain 2). A feasibility study might be used to evaluate the approach, with the results included in the business case.

The candidate must understand the approach to business case development and investment evaluation techniques such as return on investment (ROI).

All organizations use third-party suppliers to deliver some elements of their IS strategy, and candidates are expected to know how suppliers are selected and managed.

The initial process for engaging a supplier is a Request for Proposal (RFP), which contains the business and IS requirements, information about the supplier, and contractual terms. Since the organization will most likely use the selected solution for many years, the RFP is a critical document and, when reviewing it, the auditor should:

  • validate the completeness and accuracy of the requirements through interviews and desk research,
  • confirm the RFP has been fully approved by legal and senior IS and business managers, and
  • ensure enough quality (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Brian Hickey. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/1VPe42dOt2A/