Terms of Reference for an IT Audit of




National Maritime Safety Authority (NMSA)

TASK DESCRIPTION

PROJECT/TASK TITLE: To engage a professional and qualified IT Auditor to conduct a comprehensive and independent audit of NMSA's ITC processes and controls.
EXECUTING AGENT: National Maritime Safety Authority (NMSA)
IMPLEMENTING AGENT: ITC Department
PROJECT SPONSOR: Executive Manager, Corporate Services
PROJECT LOCATION: National Maritime Safety Authority, Head Office, Level 2, Defense Haus, Port Moresby
COMMENCEMENT DATE: Mid-September 2013
PROJECT DURATION: 2-3 Months

National Maritime Safety Authority (NMSA) 1

I. INTRODUCTION/BACKGROUND

The Authority was established by an Act of Parliament, the National Maritime Safety Authority (NMSA) Act 2003, to oversee all aspects of safety at sea. Through its Department of Information Technology, NMSA is responsible for delivering the IT solutions and services needed to meet the Authority's mandated responsibility of ensuring safety at sea and compliance with laws and regulations.

The Authority has invested significantly in the installation and implementation of new technology infrastructure and business solutions to meet its stakeholders' requirements and its business goals and objectives. One example is the rollout of a Wide Area Network (WAN) connecting five field offices in Papua New Guinea.

As part of its ongoing effort to improve controls, ensure efficient use of IT systems and align its IT strategy with its business strategy, the Authority seeks to engage a professional and qualified Auditor to conduct an independent IT audit of its IT infrastructure, systems and environment, report any significant issues and key findings, and make practical recommendations to address control deficiencies and mitigate the identified risks.

II. OBJECTIVE

The objective of the engagement is to review and provide an opinion on the capability of the existing IT framework and controls (hardware, software, facilities, policies, procedures, practices and organizational structures) and on how well they strategically support, add value to and improve the business operations of NMSA. The engagement is aimed at helping the Authority accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control and governance processes within IT.

III. STANDARDS AND GUIDANCE

The auditor who performs this audit is governed by ISACA's IS auditing and IS control standards and its code of professional ethics, which establish fundamental ethical principles for the Auditor with regard to integrity, objectivity, independence, professional competence and due care, confidentiality, professional behavior and technical standards.

IV. REQUIREMENTS FOR THE AUDITOR

IV.1. GENERAL PRINCIPLES

By accepting these Terms of Reference (ToR), the IT Auditor confirms that he/she meets the following conditions:

- The IT Auditor is a member of the Information Systems Audit and Control Association (ISACA).
- The IT Auditor is committed to undertaking this engagement in accordance with ISACA's IS auditing and IS control standards and code of professional ethics.
- The IT Auditor is expected to maintain his/her professional independence throughout the course of the engagement. This means that, in all matters related to the audit, the IT Auditor is to be independent of the auditee in both attitude and appearance.

- The IT Auditor is expected to have knowledge of internal control and standards frameworks such as COSO, COBIT, ITIL and Val IT, and of standards such as the ISO/IEC 27000 series (e.g. 27001, 27002 (formerly 17799), 27003).
- The engaging firm is to be sufficiently independent of the organization being audited (i.e. NMSA) to permit objective completion of the audit.
- The engaging firm must be currently registered, as required under the PNG Companies Act 1997, and must at all times comply with the requirements and guidelines of the Investment Promotion Authority (IPA).
- The engaging firm must comply with all tax requirements of the Internal Revenue Commission (IRC) and must hold a current Certificate of Compliance (CoC).

IV.2. QUALIFICATIONS AND EXPERIENCE

The Auditor must have experience in conducting IT audits of internal controls at entities comparable in size and complexity. The Auditor may be requested to provide evidence of similar engagements with previous clients.

The Auditor must have suitable experience and adequate professional and technical qualifications in ISACA standards; in particular, he/she must hold at least one of the following certifications:

- Certified Information Systems Auditor (CISA)
- Certified Information Security Manager (CISM)
- Certified in the Governance of Enterprise IT (CGEIT)
- Certified Information Systems Security Professional (CISSP)
- Certified in Risk and Information Systems Control (CRISC)

(Note: CISSP is not an ISACA certification; it is issued by (ISC)².)

V. SCOPE OF WORK (SoW)

The engagement is intended to address the internal controls (i.e. policies, procedures, facilities, practices and organizational structures) over the processes listed below.

TABLE 1: MAIN SCOPE OF WORK (columns: CATEGORY, PROCESS DESCRIPTION, CONTROL OBJECTIVES)

CATEGORY: IT GOVERNANCE; IT PROCUREMENT

PROCESS DESCRIPTION:
- DEFINE A STRATEGIC IT PLAN
- DEFINE TECHNOLOGICAL DIRECTION
- DEFINE IT PROCESSES, ORGANIZATION AND RELATIONSHIPS
- COMMUNICATE MANAGEMENT AIMS AND DIRECTION
- ASSESS AND MANAGE IT RISKS
- ENSURE SYSTEMS SECURITY
- ENSURE CONTINUOUS SERVICE
- MANAGE SERVICE DESK AND INCIDENTS
- MANAGE THIRD PARTY SERVICES
- DEFINE AND MANAGE SERVICE LEVELS
- EDUCATE AND TRAIN USERS
- ENABLE OPERATIONS AND USE
- MANAGE THE PHYSICAL ENVIRONMENT
- IDENTIFY AUTOMATED SOLUTIONS
- ACQUIRE AND MAINTAIN TECHNOLOGY INFRASTRUCTURE
- ACQUIRE AND MAINTAIN APPLICATION SOFTWARE
- MANAGE CHANGES

TABLE 2: ADDITIONAL SCOPE OF WORK

- IT RESOURCES
- NETWORK TOPOLOGY AND ARCHITECTURE
- IT STRATEGIC TRAINING AND SUCCESSION PLAN
- IT OUTSOURCING vs IN-SOURCING

VI. EXPECTED OUTCOMES

Upon completion of the above Scope of Work, the IT Auditor should issue the Authority a Final Audit Report detailing the key findings, the associated risks, and practical recommendations for improving the controls and mitigating the risks.