2 - Governance and Management of IT Flashcards

PASS THE CISA

1
Q

During a risk analysis, an IS auditor identifies threats and potential impacts. Next, the IS auditor should:

A.ensure the risk assessment is aligned to management’s risk assessment process.
B.identify information assets and the underlying systems.
C.disclose the threats and impacts to management.
D.identify and evaluate the existing controls.

A

D. identify and evaluate the existing controls.

It is important for an IS auditor to identify and evaluate the existence and effectiveness of existing and planned controls so that the risk level can be calculated after the potential threats and possible impacts are identified.

2
Q

After an organization completed a threat and vulnerability analysis as part of a risk assessment, the final report suggested that an intrusion prevention system (IPS) should be installed at the main Internet gateways and that all business units should be separated via a proxy firewall. Which of the following is the BEST method to determine whether the controls should be implemented?

A. A cost-benefit analysis
B. An annual loss expectancy calculation
C. A comparison of the cost of the IPS and firewall and the cost of the business systems
D. A business impact analysis

A

A. A cost-benefit analysis

In a cost-benefit analysis, the total expected purchase and operational/support costs, and a qualitative value for all actions are weighted against the total expected benefits to choose the best technical, most profitable, least expensive or acceptable risk option.

3
Q

The PRIMARY benefit of implementing a security program as part of a security governance framework is the:

A. alignment of the IT activities with IS audit recommendations.
B. enforcement of the management of security risk.
C. implementation of the chief information security officer’s recommendations.
D. reduction of the cost for IT security.

A

B. enforcement of the management of security risk.

The major benefit of implementing a security program is management’s assessment of risk and its mitigation to an appropriate level, and monitoring of the residual risk.

4
Q

An IS auditor reviewing the IT organization is MOST concerned if the IT steering committee:

A. is responsible for project approval and prioritization.
B. is responsible for developing the long-term IT plan.
C. reports the status of IT projects to the board of directors.
D. is responsible for determining business goals.

A

D. is responsible for determining business goals.

Determining the business goals is the responsibility of senior management and not of the IT steering committee. IT should support business goals and be driven by the business—not the other way around.

5
Q

Which of the following insurance types provide for a loss arising from fraudulent acts by employees?

A. Business interruption
B. Fidelity coverage
C. Errors and omissions
D. Extra expense

A

B. Fidelity coverage

This type of insurance covers the loss arising from dishonest or fraudulent acts by employees.

6
Q

Which of the following goals do you expect to find in an organization’s strategic plan?

A. Results of new software testing
B. An evaluation of information technology needs
C. Short-term project plans for a new planning system
D. Approved suppliers for products offered by the company

A

D. Approved suppliers for products offered by the company

Being the approved supplier of choice for the product offered is a strategic business objective: it sets the overall direction of the business and therefore belongs in the organization’s strategic plan. The other choices are operational or tactical items (test results, a needs assessment, a short-term project plan) that belong in lower-level plans.

7
Q

A business unit has selected a new accounting application and did not consult with IT early in the selection process. The PRIMARY risk is that:

A. the security controls of the application may not meet requirements.
B. the application may not meet the requirements of the business users.
C. the application technology may be inconsistent with the enterprise architecture.
D. the application may create unanticipated support issues for IT.

A

C. the application technology may be inconsistent with the enterprise architecture.

The primary focus of the enterprise architecture (EA) is to ensure that technology investments are consistent with the platform, data and development standards of the IT organization. The EA defines both a current and future state in areas such as the use of standard platforms, databases or programming languages. If a business unit selected an application using a database or operating system that is not part of the EA for the business, this increases the cost and complexity of the solution and ultimately delivers less value to the business.

8
Q

When auditing the IT governance framework and IT risk management practices that exist within an organization, the IS auditor identified some undefined responsibilities regarding IT management and governance roles. Which of the following recommendations is the MOST appropriate?

A. Review the strategic alignment of IT with the business.
B. Implement accountability rules within the organization.
C. Ensure that independent IS audits are conducted periodically.
D. Create a chief risk officer role in the organization.

A

B. Implement accountability rules within the organization.

IT risk is managed by embedding accountability into the enterprise. The IS auditor should recommend the implementation of accountability rules to ensure that all responsibilities are defined within the organization. Note that this question asks for the best recommendation—not about the finding itself.

9
Q

Which of the following is an advantage of prototyping?

A. The finished system normally has strong internal controls.
B. Prototype systems can provide significant time and cost savings.
C. Change control is often less complicated with prototype systems.
D. It ensures that functions or extras are not added to the intended system.

A

B. Prototype systems can provide significant time and cost savings.

Prototype systems can provide significant time and cost savings through better user interaction and the ability to rapidly adapt to changing requirements; however, they also have several disadvantages, including loss of overall security focus, project oversight and implementation of a prototype that is not yet ready for production.

10
Q

Which of the following inputs adds the MOST value to the strategic IT initiative decision-making process?

A. The maturity of the project management process
B. The regulatory environment
C. Past audit findings
D. The IT project portfolio analysis

A

D. The IT project portfolio analysis

Portfolio analysis provides the best input into the decision-making process relating to planning strategic IT initiatives. An analysis of the IT portfolio provides comparable information of planned initiatives, projects and ongoing IT services, which allows the IT strategy to be aligned with the business strategy.

11
Q

An IS auditor is assigned to review IT structures and activities recently outsourced to various providers. Which of the following should the IS auditor determine FIRST?

A. An audit clause is present in all contracts.
B. The service level agreement of each contract is substantiated by appropriate key performance indicators.
C. The contractual warranties of the providers support the business needs of the organization.
D. At contract termination, support is guaranteed by each outsourcer for new outsourcers.

A

C. The contractual warranties of the providers support the business needs of the organization.

Aligns with business objectives: Ensuring that the outsourced services meet the organization’s specific needs is paramount.

Risk mitigation: By verifying that contractual warranties align with business needs, the auditor can identify potential gaps in service delivery.

Performance evaluation: Assessing the adequacy of service warranties provides a baseline for evaluating the vendor’s performance.

12
Q

An IS auditor is performing a review of an organization’s governance model. Which of the following should be of MOST concern to the auditor?

A.The information security policy is not periodically reviewed by senior management.
B.A policy ensuring systems are patched in a timely manner does not exist.
C.The audit committee did not review the organization’s global mission statement.
D.An organizational policy related to information asset protection does not exist.

A

A.The information security policy is not periodically reviewed by senior management.

Data security policies should be reviewed/refreshed once every year to reflect changes in the organization’s environment. Policies are fundamental to the organization’s governance structure, and, therefore, this is the greatest concern.

13
Q

The MOST important point of consideration for an IS auditor while reviewing an enterprise’s project portfolio is that it:

A.does not exceed the existing IT budget.
B.is aligned with the investment strategy.
C.has been approved by the IT steering committee.
D.is aligned with the business plan.

A

D.is aligned with the business plan.

Portfolio management takes a holistic view of an enterprise’s overall IT strategy, which, in turn, should be aligned with the business strategy. A business plan provides the justification for each of the projects in the project portfolio, and that is the major consideration for an IS auditor.

14
Q

A local area network (LAN) administrator normally is restricted from:

A.having end-user responsibilities.
B.reporting to the end-user manager.
C.having programming responsibilities.
D.being responsible for LAN security administration.

A

C.having programming responsibilities.

A local area network (LAN) administrator manages and maintains the local network infrastructure: the interconnected computers, servers, switches and other devices that carry communication within a physical area such as an office building or campus.

A LAN administrator should not have programming responsibilities, because combining the two would allow modification of production programs without proper separation of duties. The LAN administrator may, however, have end-user responsibilities.

15
Q

An IS auditor identifies that reports on product profitability produced by an organization’s finance and marketing departments give different results. Further investigation reveals that the product definition being used by the two departments is different. What should the IS auditor recommend?

A.User acceptance testing occurs for all reports before release into production
B.Organizational data governance practices are put in place
C.Standard software tools are used for report development
D.Management signs-off on requirements for new reports

A

B.Organizational data governance practices are put in place

This choice directly addresses the problem. An organization-wide approach is needed to achieve effective management of data assets and reporting standards. This includes enforcing standard definitions of data elements, which is part of a data governance initiative.

16
Q

When implementing an IT governance framework in an organization the MOST important objective is:

A.IT alignment with the business.
B.accountability.
C.value realization with IT.
D.enhancing the return on IT investments.

A

A.IT alignment with the business.

The goals of IT governance are to improve IT performance, deliver optimum business value and ensure regulatory compliance. The key practice in support of these goals is the strategic alignment of IT with the business. To achieve alignment, all other choices need to be tied to business practices and strategies.

17
Q

In a review of the human resources policies and procedures within an organization, an IS auditor is MOST concerned with the absence of a:

A.requirement for periodic job rotations.
B.process for formalized exit interviews.
C.termination checklist.
D.requirement for new employees to sign a nondisclosure agreement.

A

C.termination checklist.

A termination checklist is critical to ensure the logical and physical security of an enterprise. In addition to preventing the loss of enterprise property that was issued to the employee, there is the risk of unauthorized access, intellectual property theft and even sabotage by a disgruntled former employee.

18
Q

When reviewing the IT strategic planning process, an IS auditor should ensure that the plan:

A.incorporates state of the art technology.
B.addresses the required operational controls.
C.articulates the IT mission and vision.
D.specifies project management practices.

A

C.articulates the IT mission and vision.

The IT strategic plan must include a clear articulation of the IT mission and vision.

19
Q

The PRIMARY control purpose of required vacations or job rotations is to:

A.allow cross-training for development.
B.help preserve employee morale.
C.detect improper or illegal employee acts.
D.provide a competitive employee benefit.

A

C.detect improper or illegal employee acts.

The practice of having another individual perform a job function is a control used to detect possible irregularities or fraud.

20
Q

The PRIMARY benefit of an enterprise architecture initiative is to:

A.enable the organization to invest in the most appropriate technology.
B.ensure security controls are implemented on critical platforms.
C.allow development teams to be more responsive to business requirements.
D.provide business units with greater autonomy to select IT solutions that fit their needs.

A

A.enable the organization to invest in the most appropriate technology.

The primary focus of the enterprise architecture (EA) is to ensure that technology investments are consistent with the platform, data and development standards of the IT organization; therefore, the goal of the EA is to help the organization to implement the technology that is most effective.

21
Q

To gain an understanding of the effectiveness of an organization’s planning and management of investments in IT assets, an IS auditor should review the:

A.enterprise data model.
B.IT balanced scorecard.
C.IT organizational structure.
D.historical financial statements.

A

B.IT balanced scorecard.

An IT balanced scorecard (BSC) bridges IT objectives and business objectives by supplementing the traditional financial measures with measures of customer satisfaction, internal processes and the ability to innovate. Reviewing it lets the auditor assess whether IT investments and the IT strategy are delivering the intended results.

22
Q

The risk associated with electronic evidence gathering is MOST likely reduced by an email:

A.destruction policy.
B.security policy.
C.archive policy.
D.audit policy.

A

C.archive policy.

With a policy of well-archived email records, specific email records can be located and retrieved when legal requirements call for them.

A destruction policy is not the answer: legal and regulatory retention rules govern when email may be destroyed, and destroying records that may later be needed as evidence increases the risk rather than reducing it.

23
Q

Effective IT governance requires organizational structures and processes to ensure that:

A.risk is maintained at a level acceptable for IT management.
B.the business strategy is derived from an IT strategy.
C.IT governance is separate and distinct from the overall governance.
D.the IT strategy extends the organization’s strategies and objectives.

A

D.the IT strategy extends the organization’s strategies and objectives.

Effective IT governance requires that board and executive management extend governance to IT and provide the leadership, organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives, and that the strategy is aligned with business strategy.

24
Q

Which of the following BEST supports the prioritization of new IT projects?

A.Internal control self-assessment
B.Information systems audit
C.Investment portfolio analysis
D.Business risk assessment

A

C.Investment portfolio analysis

An investment portfolio analysis not only presents a clear focus on the investment strategy but also provides the rationale for terminating nonperforming IT projects, which is what prioritization of new projects requires.

25
Q

The MOST important element for the effective design of an information security policy is the:

A.threat landscape.
B.prior security incidents.
C.emerging technologies.
D.enterprise risk appetite.

A

D.enterprise risk appetite.

The risk appetite is the amount of risk that an entity is willing to accept in pursuit of its mission to meet its strategic objectives. The purpose of the information security policy is to manage information risk to an acceptable level, so that the policy is principally aligned with the risk appetite.

The threat landscape is not the primary element because it changes over time; the policy must be anchored to the amount of risk the enterprise is willing to accept.

26
Q

From an IT governance perspective, what is the PRIMARY responsibility of the board of directors? To ensure that the IT strategy:

A.is cost-effective.
B.is future thinking and innovative.
C.is aligned with the business strategy.
D.has the appropriate priority level assigned.

A

C.is aligned with the business strategy.

The board of directors is responsible for ensuring that the IT strategy is aligned with the business strategy.

27
Q

An IS auditor of a large organization is reviewing the roles and responsibilities of the IT function and finds some individuals serving multiple roles. Which one of the following combinations of roles should be of GREATEST concern for the IS auditor?

A.Network administrators are responsible for quality assurance.
B.System administrators are application programmers.
C.End users are security administrators for critical applications.
D.Systems analysts are database administrators.

A

B.System administrators are application programmers.

This represents a separation-of-duties problem. System administrators should not be application programmers, due to the associated rights of both functions. A person with both system and programming rights can do almost anything on a system, including creating a back door.

28
Q

An IS auditor has been assigned to review an organization’s information security policy. Which of the following issues represents the HIGHEST potential risk?

A.The policy has not been updated in more than one year.
B.The policy includes no revision history.
C.The policy is approved by the security administrator.
D.The company does not have an information security policy committee.

A

C.The policy is approved by the security administrator.

The position of security administrator is typically a staff-level position (not management), and therefore does not have the authority to approve the policy. In addition, an individual in a more independent position should also review the policy. Without proper management approval, enforcing the policy may be problematic, leading to compliance or security issues.

29
Q

A financial enterprise has had difficulties establishing clear responsibilities between its IT strategy committee and its IT steering committee. Which of the following responsibilities would MOST likely be assigned to its IT steering committee?

A.Approving IT project plans and budgets
B.Aligning IT to business objectives
C.Advising on IT compliance risk
D.Promoting IT governance practices

A

A.Approving IT project plans and budgets

An IT steering committee typically has a variety of responsibilities, including approving IT project plans and budgets.

Issues related to business objectives, risk and governance are responsibilities that are generally assigned to an IT strategy committee, because it provides insight and advice to the board.

30
Q

When reviewing the development of information security policies, the PRIMARY focus of an IS auditor should be on assuring that these policies:

A.are aligned with globally accepted industry good practices.
B.are approved by the board of directors and senior management.
C.strike a balance between business and security requirements.
D.provide direction for implementing security procedures.

A

C.strike a balance between business and security requirements.

Because information security policies must be aligned with an organization’s business and security objectives, this is the primary focus of the IS auditor when reviewing the development of information security policies.

31
Q

Which of the following is of MOST interest to an IS auditor reviewing an organization’s risk strategy?

A.All risk is mitigated effectively.
B.Residual risk is zero after control implementation.
C.All likely risk is identified and ranked.
D.The organization uses an established risk framework.

A

C.All likely risk is identified and ranked.

Risk that is likely to impact the organization should be identified and documented as part of the risk strategy. Without knowing the risk, there is no risk strategy.

32
Q

While reviewing a quality management system, the IS auditor should PRIMARILY focus on collecting evidence to show that:

A.quality management systems comply with good practices.
B.continuous improvement targets are being monitored.
C.standard operating procedures of IT are updated annually.
D.key performance indicators are defined.

A

B.continuous improvement targets are being monitored.

Continuous and measurable improvement of quality is the primary requirement to achieve the business objective for the quality management system (QMS).

33
Q

What is the primary focus of an IT steering committee?

A

Overseeing the IT function on behalf of executive management: approving and prioritizing IT projects and budgets, monitoring the status of major projects and reporting it to the board, and ensuring that IT plans stay aligned with the business strategy. It does not run the day-to-day operations of the IT department; that is the responsibility of IT management.

34
Q

What is the primary focus of an IT strategy committee?

A

Advising the board of directors on IT strategy: the alignment of IT with business objectives, the value IT delivers, and IT-related risk and compliance. It is a board-level committee that provides insight and advice rather than approving individual project plans and budgets, which falls to the IT steering committee.

35
Q

Which committee is responsible for prioritizing IT projects based on business needs

A

IT Steering Committee

36
Q

Which committee is typically composed of senior executives and board members?

A

IT Strategy Committee

37
Q

A top-down approach to the development of operational policies helps to ensure:

A.that they are consistent across the organization.
B.that they are implemented as a part of risk assessment.
C.compliance with all policies.
D.that they are reviewed periodically.

A

A.that they are consistent across the organization.

Deriving lower-level policies from corporate policies (a top-down approach) helps ensure consistency across the organization and consistency with other policies.

38
Q

What are the pros and cons of a top down approach?

A

Pros:

  • Clear direction and focus
  • Faster decision-making
  • Effective in crisis situations

Cons:

  • Limited employee input: Can stifle creativity and innovation.
  • Potential for decreased morale: Employees may feel disengaged if not involved in decision-making.
  • Risk of overlooking valuable insights from frontline employees.

39
Q

What are the pros and cons of a bottom-up approach?

A

Pros:

  • Increased employee engagement and morale: Employees feel valued and empowered.
  • Generates innovative ideas and solutions
  • Improves decision quality: Incorporates diverse perspectives and insights.

Cons:

  • Slower decision-making process
  • Potential for conflicting ideas and priorities
  • Requires strong leadership to guide the process and make final decisions.

40
Q

Which of the following should be of GREATEST concern to an IS auditor when reviewing an information security policy? The policy:

A.is driven by an IT department’s objectives.
B.is published, but users are not required to read the policy.
C.does not include information security procedures.
D.has not been updated in over a year.

A

A.is driven by an IT department’s objectives.

Business objectives drive the information security policy, and the information security policy drives the selection of IT department objectives. A policy driven by IT objectives is at risk of not being aligned with business goals.

41
Q

During an audit, the IS auditor discovers that the human resources (HR) department uses a cloud-based application to manage employee records. The HR department engaged in a contract outside of the normal vendor management process and manages the application on its own. Which of the following is of GREATEST concern?

A.Maximum acceptable downtime metrics have not been defined in the contract.
B.The IT department does not manage the relationship with the cloud vendor.
C.The help desk call center is in a different country, with different privacy requirements.
D.Organization-defined security policies are not applied to the cloud application.

A

D.Organization-defined security policies are not applied to the cloud application.

Cloud applications should adhere to the organization-defined security policies to ensure that the data in the cloud are protected in a manner consistent with internal applications. These include, but are not limited to, the password policy, user access management policy and data classification policy.

42
Q

Which of the following is MOST critical for the successful implementation and maintenance of a security policy?

A.Assimilation of the framework and intent of a written security policy by all appropriate parties
B.Management support and approval for the implementation and maintenance of a security policy
C.Enforcement of security rules by providing punitive actions for any violation of security rules
D.Stringent implementation, monitoring and enforcing of rules by the security officer through access control software

A

A.Assimilation of the framework and intent of a written security policy by all appropriate parties

While management support is crucial, it’s the understanding and acceptance of the policy by those who must implement and adhere to it that truly drives success. Without this assimilation, even with strong management backing, the policy’s effectiveness can be compromised.

43
Q

In reviewing the IT short-range (tactical) plan, an IS auditor should determine whether:

A.there is an integration of IT and business personnel within projects.
B.there is a clear definition of the IT mission and vision.
C.a strategic information technology planning scorecard is in place.
D.the plan correlates business objectives to IT goals and objectives.

A

A.there is an integration of IT and business personnel within projects.

  • Tactical (short-range) plans focus on the immediate actions needed to achieve the strategic goals.
  • Integrating IT and business personnel within projects lets the two sides identify and address issues early, allocate resources sensibly and improve the chance that the projects deliver what the business needs. The mission and vision, the correlation of business objectives to IT goals and the planning scorecard belong to the strategic plan, not the tactical one.

44
Q

Which of the following is the BEST way to ensure that organizational policies comply with legal requirements?

A. Inclusion of a blanket legal statement in each policy
B.Periodic review by subject matter experts
C.Annual sign-off by senior management on organizational policies
D.Policy alignment to the most restrictive regulations

A

B.Periodic review by subject matter experts

Periodic review of policies by personnel with specific knowledge of regulatory and legal requirements best ensures that organizational policies are aligned with legal requirements.

45
Q

What is an IT balanced scorecard?

A

Think of it as the dashboard on a car: a tool for measuring how well the IT organization is performing against business goals.

Instead of looking only at financial figures (such as how much is being spent), it also tracks how satisfied customers are with IT services, how efficient the internal IT processes are, and how well the IT organization is learning and growing. Those four perspectives (financial, customer, internal process, learning and growth) are the standard balanced scorecard views applied to IT.

46
Q

Involvement of senior management is MOST important in the development of:

A.strategic plans.
B.IT policies.
C.IT procedures.
D.standards and guidelines.

A

A.strategic plans.

These provide the basis for ensuring that the enterprise meets its goals and objectives. Involvement of senior management is critical to ensuring that the plan adequately addresses the established goals and objectives.

47
Q

What is the role of BoD, Senior Management, and the IT steering committee in an organization?

A

  • Board of Directors (CAPTAIN): Sets the overall course. Oversees the policies and procedures.
  • Senior Management (FIRST OFFICER): Executes the course. Executes the strategic plan. They also report to the board.
  • Steering Committee (NAVIGATOR): Navigates specific journeys within that course. They oversee specific projects.

48
Q

Errors in audit procedures PRIMARILY impact which of the following risk types?

A.Detection risk
B.Inherent risk
C.Control risk
D.Business risk

A

A.Detection risk

This is the probability that the audit procedures may fail to detect existence of a material error or fraud.

49
Q

What is detection risk?

A

Simple terms: The risk that auditors or other reviewers won’t find mistakes or problems.

Example: The risk of auditors missing errors in financial statements during an audit.

50
Q

What is Control Risk?

A

Simple terms: The risk that the internal controls (rules and procedures) will not prevent or detect a material error or problem in a timely manner.

Example: The risk of employees not following proper security protocols, leading to a data breach.

51
Q

What is inherent Risk?

A

Simple terms: The risk that naturally exists without any safeguards in place.

Example: The risk of a natural disaster damaging a company’s physical location.

52
Q

What is Business Risk?

A

Simple terms: The overall risk to an organization’s ability to achieve its goals.

Example: The risk of losing market share to competitors or economic downturns.

53
Q

Which of the following user profiles should be of MOST concern to an IS auditor when performing an audit of an electronic funds transfer (EFT) system?

A.Three users with the ability to capture and verify their own messages
B.Five users with the ability to capture and send their own messages
C.Five users with the ability to verify other users and to send their own messages
D.Three users with the ability to capture and verify the messages of other users and to send their own messages

A

A.Three users with the ability to capture and verify their own messages

The ability of one individual to capture and verify their own messages represents an inadequate segregation because messages can be taken as correct and as if they had already been verified. The verification of messages should not be allowed by the person who sent the message.

54
Q

An IS auditor found that the enterprise architecture (EA) recently adopted by an organization has an adequate current-state representation. However, the organization has started a separate project to develop a future-state representation. The IS auditor should:

A.recommend that this separate project be completed as soon as possible.
B.report this issue as a finding in the audit report.
C.recommend the adoption of the Zachmann framework.
D.re-scope the audit to include the separate project as part of the current audit.

A

B.report this issue as a finding in the audit report.

It is critical for the EA to include the future state because the gap between the current state and the future state will determine IT strategic and tactical plans. If the EA does not include a future-state representation, it is not complete, and this issue should be reported as a finding.

55
Q

When reviewing an organization’s strategic IT plan, an IS auditor should expect to find:

A.an assessment of the fit of the organization’s application portfolio with business objectives.
B.actions to reduce hardware procurement cost.
C.a listing of approved suppliers of IT contract resources.
D.a description of the technical architecture for the organization’s network perimeter security.

A

A.an assessment of the fit of the organization’s application portfolio with business objectives.

This assessment drives the demand side of IT planning and should convert into a set of strategic IT intentions. Further assessment can then be made of how well the overall IT organization, encompassing applications, infrastructure, services, management processes, etc. can support the business objectives. The purpose of an IT strategic plan is to set out how IT will be used to achieve or support an organization’s business objectives.

56
Q

A benefit of open system architecture is that it:

A.facilitates interoperability within different systems.
B.facilitates the integration of proprietary components.
C.will be a basis for volume discounts from equipment vendors.
D.allows for the achievement of more economies of scale for equipment.

A

A.facilitates interoperability within different systems.

Open system architecture is like building a computer with interchangeable parts. It means a system is designed using open standards, allowing different components from various manufacturers to work together seamlessly.

It is also more cost-effective.

57
Q

An enterprise is looking to obtain cloud hosting services from a cloud vendor with a high level of maturity. Which of the following is MOST important for the auditor to ensure continued alignment with the enterprise’s security requirements?

A.The vendor provides the latest third-party audit report for verification.
B.The vendor provides the latest internal audit report for verification.
C.The vendor agrees to implement controls in alignment with the enterprise.
D.The vendor agrees to provide annual external audit reports in the contract.

A

D.The vendor agrees to provide annual external audit reports in the contract.

The question asks about ‘continued’ alignment.

Independent verification: External audit reports provide an unbiased assessment of the vendor’s security controls and practices.

Ongoing monitoring: Annual audits ensure that the vendor maintains security standards over time.

Risk mitigation: By requiring these reports, the organization can identify and address potential risks associated with the vendor.

58
Q

On which of the following factors should an IS auditor PRIMARILY focus when determining the appropriate level of protection for an information asset?

A.Results of a risk assessment
B.Relative value to the business
C.Results of a vulnerability assessment
D.Cost of security controls

A

A.Results of a risk assessment

The appropriate level of protection for an asset is determined based on the risk associated with the asset. The results of the risk assessment are, therefore, the primary information that the IS auditor should review.

59
Q

An organization has contracted with a vendor for a turnkey solution for their electronic toll collection system (ETCS). The vendor has provided its proprietary application software as part of the solution. The contract should require that:

A.a backup server is available to run ETCS operations with up-to-date data.
B.a backup server is loaded with all relevant software and data.
C.the systems staff of the organization is trained to handle any event.
D.source code of the ETCS application is placed in escrow.

A

D.source code of the ETCS application is placed in escrow.

Whenever proprietary application software is purchased, the contract should provide for a source code escrow agreement. This agreement ensures that the purchasing organization has the opportunity to modify the software should the vendor cease to be in business.

60
Q

An IS auditor is evaluating a newly developed IT policy for an organization. Which of the following factors does the IS auditor consider MOST important to facilitate compliance with the policy upon its implementation?

A.Existing IT mechanisms enabling compliance
B.Alignment of the policy to the business strategy
C.Current and future technology initiatives
D.Regulatory compliance objectives defined in the policy

A

A.Existing IT mechanisms enabling compliance

The question says ‘to facilitate compliance with the policy’.

The organization should be able to comply with a policy when it is implemented. The most important consideration when evaluating the new policy should be the existing mechanisms in place that enable the organization and its employees to comply with the policy.

61
Q

Which of the following does an IS auditor consider the MOST relevant to short-term planning for an IT department?

A.Allocating resources
B.Adapting to changing technologies
C.Conducting control self-assessments
D.Evaluating hardware needs

A

A.Allocating resources

The IT department should specifically consider the manner in which resources are allocated in the short term. The IS auditor ensures that the resources are being managed adequately.

62
Q

An enterprise hosts its data center onsite and has outsourced the management of its key financial applications to a service provider. Which of the following controls BEST ensures that the service provider’s employees adhere to the security policies?

A.Sign-off is required on the enterprise’s security policies for all users.
B.An indemnity clause is included in the contract with the service provider.
C.Mandatory security awareness training is implemented for all users.
D.Security policies should be modified to address compliance by third-party users.

A

B.An indemnity clause is included in the contract with the service provider.

Having the service provider sign an indemnity clause will ensure compliance with the enterprise’s security policies, because any violations discovered will lead to a financial liability for the service provider. This will also prompt the enterprise to monitor security violations closely.

63
Q

The ultimate purpose of IT governance is to:

A.encourage optimal use of IT.
B.reduce IT costs.
C.decentralize IT resources across the organization.
D.centralize control of IT.

A

A.encourage optimal use of IT.

IT governance is intended to specify the combination of decision rights and accountability that is best for the enterprise. It is different for every enterprise.

64
Q

Which of the following is the MOST important IS audit consideration when an organization outsources a customer credit review system to a third-party service provider? The provider:

A.claims to meet or exceed industry security standards.
B.agrees to be subject to external security reviews.
C.has a good market reputation for service and experience.
D.complies with security policies of the organization.

A

B.agrees to be subject to external security reviews.

It is critical that an independent security review of an outsourcing vendor be obtained, because customer credit information will be kept with the vendor.

65
Q

Which of the following does an IS auditor FIRST reference when performing an IS audit?

A.Implemented procedures
B.Approved policies
C.Internal standards
D.Documented practices

A

B.Approved policies

Policies are high-level documents that represent the corporate philosophy of an organization. Internal standards, procedures and practices are subordinate to policy.

66
Q

What is the definition of each?

  • Implemented procedures
  • Approved policies
  • Internal standards
  • Documented practices

A

  • Policies set the overall direction.
  • Standards provide specific technical guidelines.
  • Procedures outline the exact steps to be taken.
  • Practices are the actual actions performed, whether documented or not.

67
Q

Which of the following should be included in an organization’s information security policy?

A.A list of key IT resources to be secured
B.The basis for access control authorization
C.Identity of sensitive security assets
D.Relevant software security features

A

B.The basis for access control authorization

An information security policy should outline the fundamental principles for granting and managing access to systems and data, ensuring that only authorized individuals can access sensitive information.

While options A, C, and D are important elements of a security program, they are more specific details that should be included within the broader framework established by the access control policy.

68
Q

Which of the following is the BEST reference for an IS auditor to determine a vendor’s ability to meet service level agreement (SLA) requirements for a critical IT security service?

A.Compliance with the master agreement
B.Agreed-on key performance metrics
C.Results of business continuity tests
D.Results of independent audit reports

A

B.Agreed-on key performance metrics

By measuring performance against specific, agreed-upon metrics, an IS auditor can effectively assess whether the vendor is delivering the contracted level of service.

69
Q

As a driver of IT governance, transparency of IT’s cost, value and risk is primarily achieved through:

A.performance measurement.
B.strategic alignment.
C.value delivery.
D.resource management.

A

A.performance measurement.

Performance measurement involves setting key performance indicators (KPIs) to track IT costs, benefits, and risks. By measuring these metrics, organizations can gain insights into IT’s contribution to the business, identify areas for improvement, and make data-driven decisions.

70
Q

While conducting an audit of a service provider, an IS auditor observes that the service provider has outsourced a part of the work to another provider. Because the work involves confidential information, the IS auditor’s PRIMARY concern should be that the:

A.requirement for protecting confidentiality of information can be compromised.
B.contract may be terminated because prior permission from the outsourcer was not obtained.
C.other service provider to whom work has been outsourced is not subject to audit.
D.outsourcer will approach the other service provider directly for further work.

A

A.requirement for protecting confidentiality of information can be compromised.

Many countries have enacted regulations to protect the confidentiality of information maintained in their countries and/or exchanged with other countries. When a service provider outsources part of its services to another service provider, there is a potential risk that the confidentiality of the information will be compromised.

71
Q

When performing a review of a business process reengineering (BPR) effort, which of the following is of PRIMARY concern?

A.Controls are eliminated as part of the streamlining BPR effort.
B.Resources are not adequate to support the BPR process.
C.The audit department does not have a consulting role in the BPR effort.
D.The BPR effort includes employees with limited knowledge of the process area.

A

A.Controls are eliminated as part of the streamlining BPR effort.

BPR is like completely rethinking how you make something. It’s about looking at your business processes from scratch and finding radically different ways to do things. The goal is to dramatically improve efficiency, reduce costs, and increase customer satisfaction.

This is the primary concern because eliminating controls can lead to significant risks, such as increased fraud, errors, or inefficiencies. The auditor must ensure that any process improvements do not compromise the organization’s control environment.

72
Q

During an audit, an IS auditor notices that the IT department of a medium-sized organization has no separate risk management function, and the organization’s operational risk documentation only contains a few broadly described types of IT risk. What is the MOST appropriate recommendation in this situation?

A.Create an IT risk management department and establish an IT risk framework with the aid of external risk management experts.
B.Use common industry standard aids to divide the existing risk documentation into several individual types of risk which will be easier to handle.
C.No recommendation is necessary because the current approach is appropriate for a medium-sized organization.
D.Establish regular IT risk management meetings to identify and assess risk and create a mitigation plan as input to the organization’s risk management.

A

D.Establish regular IT risk management meetings to identify and assess risk and create a mitigation plan as input to the organization’s risk management.

Establishing regular IT risk management meetings is the best way to identify and assess IT-related risk in a medium-sized organization, to address responsibilities to the respective management and to keep the risk register and mitigation plans up to date.

73
Q

Regarding the outsourcing of IT services, which of the following conditions should be of GREATEST concern to an IS auditor?

A.Core activities that provide a differentiated advantage to the organization have been outsourced.
B.Periodic renegotiation is not specified in the outsourcing contract.
C.The outsourcing contract fails to cover every action required by the business.
D.Similar activities are outsourced to more than one vendor.

A

A.Core activities that provide a differentiated advantage to the organization have been outsourced.

An organization’s core activities generally should not be outsourced because they are what the organization does best; an IS auditor observing that condition should be concerned.

74
Q

An IS auditor is evaluating the IT governance framework of an organization. Which of the following is the GREATEST concern?

A.Senior management has limited involvement.
B.Return on investment is not measured.
C.Chargeback of IT cost is not consistent.
D.Risk appetite is not quantified.

A

A.Senior management has limited involvement.

To ensure that the IT governance framework is effectively in place, senior management must be involved and aware of roles and responsibilities. Therefore, it is most essential to ensure the involvement of senior management when evaluating the soundness of IT governance.

75
Q

Which of the following should an IS auditor recommend to BEST enforce alignment of an IT project portfolio with strategic organizational priorities?

A. Define a balanced scorecard for measuring performance.
B. Consider user satisfaction in the key performance indicators.
C. Select projects according to business benefits and risk.
D. Modify the yearly process of defining the project portfolio.

A

C. Select projects according to business benefits and risk.

Prioritization of projects on the basis of their expected benefit(s) to business, and the related risk, is the best measure for achieving alignment of the project portfolio to an organization’s strategic priorities.

76
Q

Before implementing an IT balanced scorecard, an organization must:

A.deliver effective and efficient services.
B.define key performance indicators.
C.provide business value to IT projects.
D.control IT expenses.

A

B.define key performance indicators.

Because a balanced scorecard (BSC) is a way to measure performance, a definition of key performance indicators is required before implementing an IT BSC.

77
Q

An IS auditor is reviewing the risk management process. Which of the following is the MOST important consideration during this review?

A.Controls are implemented based on cost-benefit analysis.
B.The risk management framework is based on global standards.
C.The approval process for risk response is in place.
D.IT risk is presented in business terms.

A

D.IT risk is presented in business terms.

For risk management to be effective, it is necessary to align IT risk with business objectives. This can be done by adopting acceptable terminology that is understood by all, and the best way to achieve this is to present IT risk in business terms.

78
Q

An enterprise’s risk appetite is BEST established by:

A.the chief legal officer.
B.security management.
C.the audit committee.
D.the steering committee.

A

D.the steering committee.

The steering committee, being responsible for strategic direction and resource allocation, is best positioned to establish the overall risk appetite for the organization. It represents a balance between business objectives and risk tolerance.

79
Q

An IS auditor reviewing an outsourcing contract of IT facilities expects it to define the:

A.hardware configuration.
B.access control software.
C.ownership of intellectual property.
D.application development methodology.

A

C.ownership of intellectual property.

The contract must specify who owns the intellectual property (i.e., information being processed and application programs). Ownership of intellectual property is a significant cost and is a key aspect to be defined in an outsourcing contract.

80
Q

Which of the following is an implementation risk within the process of decision support systems?

A.Management control
B.Semistructured dimensions
C.Inability to specify purpose and usage patterns
D.Changes in decision processes

A

C.Inability to specify purpose and usage patterns

By clearly defining the purpose and expected usage patterns of the DSS upfront, developers can design a system that effectively meets the needs of decision-makers. If these aspects are not clear, the system might be misaligned with user needs and expectations, leading to implementation failure.

81
Q

What is a decision support system?

A

A DSS helps you make better decisions by giving you the right information at the right time.

82
Q

IT governance is PRIMARILY the responsibility of the:

A.chief executive officer.
B.board of directors.
C.IT steering committee.
D.audit committee.

A

B.board of directors.

IT governance is primarily the responsibility of the executives and shareholders (as represented by the board of directors).

83
Q

When developing a formal enterprise security program, the MOST critical success factor is the:

A.establishment of a review board.
B.creation of a security unit.
C.effective support of an executive sponsor.
D.selection of a security process owner.

A

C.effective support of an executive sponsor.

The executive sponsor is in charge of supporting the organization’s strategic security program and aids in directing the organization’s overall security management activities. Therefore, support by the executive level of management is the most critical success factor.

84
Q

An organization is considering making a major investment in upgrading technology. Which of the following choices is the MOST important to consider?

A.A cost analysis
B.The security risk of the current technology
C.Compatibility with existing systems
D.A risk analysis

A

D.A risk analysis

By conducting a thorough risk analysis, an organization can identify potential threats, vulnerabilities, and impacts associated with the new technology. This information is crucial for making informed decisions, developing mitigation strategies, and ensuring business continuity.

The other options (cost analysis, security risk, and compatibility) are important considerations, but they are components of a broader risk analysis.

85
Q

An IS auditor finds that not all employees are aware of the enterprise’s information security policy. The IS auditor should conclude that:

A.this lack of knowledge may lead to unintentional disclosure of sensitive information.
B.information security is not critical to all functions.
C.IS audit should provide security training to the employees.
D.the audit finding will cause management to provide continuous training to staff.

A

A.this lack of knowledge may lead to unintentional disclosure of sensitive information.

All employees should be aware of the enterprise’s information security policy to prevent unintentional disclosure of sensitive information. Training is a preventive control. Security awareness programs for employees can prevent unintentional disclosure of sensitive information to outsiders.

86
Q

The PRIMARY objective of implementing corporate governance is to:

A.provide strategic direction.
B.control business operations.
C.align IT with business.
D.implement good practices.

A

A.provide strategic direction.

Corporate governance is fundamentally about ensuring that an organization is directed and controlled in a way that adds value to shareholders and other stakeholders. Providing strategic direction is the core function of this process.

The other options are important aspects of corporate governance but are not the primary objective.

87
Q

As a result of profitability pressure, senior management of an enterprise has decided to keep investments in information security at an inadequate level. Which of the following is the BEST recommendation of an IS auditor?

A.Use cloud providers for low-risk operations.
B.Revise compliance enforcement processes.
C.Request that senior management accept the risk.
D.Postpone low-priority security procedures.

A

C.Request that senior management accept the risk.

By formally requesting that senior management acknowledge and accept the increased risk associated with the reduced security investment, the IS auditor is:

Highlighting the potential consequences: This action brings the risk into sharp focus for management.

Shifting responsibility: The auditor is clearly placing the decision to accept the risk squarely on management’s shoulders.

Documenting the issue: This creates a formal record of the situation, which can be important for future reference and potential legal implications.

The other options might be considered as part of a broader risk mitigation strategy, but they do not directly address the core issue of inadequate security investment.

88
Q

An organization has a well-established risk management process. Which of the following risk management practices would MOST likely expose the organization to the greatest amount of compliance risk?

A.Risk reduction
B.Risk transfer
C.Risk avoidance
D.Risk mitigation

A

B.Risk transfer

This typically addresses financial risk. For instance, an insurance policy is commonly used to transfer financial risk, while compliance risk continues to exist.

89
Q

Which of the following is a function of an IT steering committee?

A.Monitoring vendor-controlled change control and testing
B.Ensuring a separation of duties within the information processing environment
C.Approving and monitoring the status of IT plans and budgets
D.Liaising between the IT department and end users

A

C.Approving and monitoring the status of IT plans and budgets

The IT steering committee typically serves as a general review board for major IT projects and should not become involved in routine operations; therefore, one of its functions is to approve and monitor major projects, such as the status of IT plans and budgets.

90
Q

A team conducting a risk analysis is having difficulty projecting the financial losses that could result from a risk. To evaluate the potential impact, the team should:

A.compute the amortization of the related assets.
B.calculate a return on investment.
C.apply a qualitative approach.
D.spend the time needed to define the loss amount exactly.

A

C.apply a qualitative approach.

The common practice when it is difficult to calculate the financial losses is to take a qualitative approach, in which the manager affected by the risk defines the impact in terms of a weighted factor (e.g., one is a very low impact to the business and five is a very high impact).

91
Q

To support an organization’s goals, an IT department should have:

A.a low-cost philosophy.
B.long- and short-term plans.
C.leading-edge technology.
D.plans to acquire new hardware and software.

A

B.long- and short-term plans.

To ensure its contribution to the realization of an organization’s overall goals, the IT department should have long- and short-range plans that are consistent with the organization’s broader and strategic plans for attaining its goals.

92
Q

Which of the following is the GREATEST risk of an inadequate policy definition for ownership of data and systems?

A.User management coordination does not exist.
B.Specific user accountability cannot be established.
C.Unauthorized users may have access to modify data.
D.Audit recommendations may not be implemented.

A

C.Unauthorized users may have access to modify data.

An inadequate policy definition for ownership of data and systems means there is a lack of clarity about who is responsible for what data. This ambiguity can lead to situations where unauthorized individuals have access to modify data, potentially resulting in data breaches, loss, or corruption.

The other options are important considerations, but they are more related to the consequences of inadequate ownership rather than the core risk itself.

93
Q

An IS auditor is reviewing a contract management process to determine the financial viability of a software vendor for a critical business application. An IS auditor should determine whether the vendor being considered:

A.can deliver on the immediate contract.
B.is of similar financial standing as the organization.
C.has significant financial obligations that can impose liability to the organization.
D.can support the organization in the long term.

A

D.can support the organization in the long term.

The long-term financial viability of a vendor is essential for deriving maximum value for the organization—it is more likely that a financially sound vendor would be in business for a long period of time and thereby more likely to be capable of providing long-term support for the purchased product.

94
Q

An IS auditor reviews an organizational chart PRIMARILY for:

A.an understanding of the complexity of the organizational structure.
B.investigating various communication channels.
C.understanding the responsibilities and authority of individuals.
D.investigating the network connected to different employees.

A

C.understanding the responsibilities and authority of individuals.

An organizational chart provides information about the responsibilities and authority of individuals in the organization. This helps an IS auditor to know if there is a proper segregation of functions.

95
Q

What is a quality management system?

A

A QMS is a roadmap for consistent quality. It’s a structured approach to doing things right the first time and consistently.

Imagine you’re baking a cake. A QMS is the recipe, the equipment, and the process you follow to ensure every cake tastes delicious.

96
Q

What is a risk assessment?

A

It’s a process of identifying possible dangers or threats, understanding their impact, and figuring out how to handle them.

Think of it as a safety check for your plans.

97
Q

Which of the following is the BEST enabler for strategic alignment between business and IT?

A.A maturity model
B.Goals and metrics
C.Control objectives
D.A responsible, accountable, consulted and informed (RACI) chart

A

B.Goals and metrics

These ensure that IT goals are set based on business goals, and they are the best enablers of strategic alignment.

98
Q

Which of the following IT governance good practices improves strategic alignment?

A.Supplier and partner risk is managed.
B.A knowledge base on customers, products, markets and processes is in place.
C.A structure is provided that facilitates the creation and sharing of business information.
D.Top management mediates between the imperatives of business and technology.

A

D.Top management mediates between the imperatives of business and technology.

This is an IT strategic alignment good practice.

99
Q

The output of the risk management process is an input for making:

A.business plans.
B.audit charters.
C.security policy decisions.
D.software design decisions.

A

C.security policy decisions.

The risk management process is about making specific, security-related decisions, such as the level of acceptable risk.

100
Q

Which of the following is the MOST important element for the successful implementation of IT governance?

A.Implementing an IT scorecard
B.Identifying organizational strategies
C.Performing a risk assessment
D.Creating a formal security policy

A

B.Identifying organizational strategies

The key objective of an IT governance program is to support the business; therefore, the identification of organizational strategies is necessary to ensure alignment between IT and corporate governance. Without identification of organizational strategies, the remaining choices—even if implemented—would be ineffective.

101
Q

During an audit, which of the following situations is MOST concerning for an organization that significantly outsources IS processing to a private network?

A.The contract does not contain a right-to-audit clause for the third party.
B.The contract was not reviewed by an information security subject matter expert prior to signing.
C.The IS outsourcing guidelines are not approved by the board of directors.
D.There is a lack of well-defined IS performance evaluation procedures.

A

A.The contract does not contain a right-to-audit clause for the third party.

Lack of a right-to-audit clause in the contract impacts the IS auditor’s ability to perform the IS audit. Hence, the IS auditor is most concerned with such a situation. In the case of outsourcing to a private network, the organization should ensure that the third party has a minimum set of IT security controls in place and that they are operating effectively.

102
Q

Which of the following is MOST important to consider when reviewing the classification levels of information assets?

A.Potential loss
B.Financial cost
C.Potential threats
D.Cost of insurance

A

A.Potential loss

The best basis for asset classification is an understanding of the total losses a business may incur if the asset is compromised. Typically, estimating these losses requires a review of criticality and sensitivity beyond financial cost, such as operational and strategic.

103
Q

When developing a security architecture, which of the following steps should be executed FIRST?

A.Developing security procedures
B.Defining a security policy
C.Specifying an access control methodology
D.Defining roles and responsibilities

A

B.Defining a security policy

Defining a security policy for information and related technology is the first step toward building a security architecture. A security policy communicates a coherent security standard to users, management and technical staff. Security policies often set the stage in terms of the tools and procedures that are needed for an organization.

104
Q

Why are goals and metrics the best enablers for strategic alignment between business and IT?

A

Shared goals and metrics unify the separate business and IT functions under one strategy.

105
Q

What is the difference between IT value delivery and IT strategic alignment?

A

Strategic alignment is about making sure IT is heading in the right direction.
Value delivery is about how the strategy is actually achieved.

106
Q

When conducting an audit of an outsourced IT function, what is the primary concern regarding the protection of sensitive information?

A

The potential for data breaches and unauthorized access due to the involvement of an external service provider.

107
Q

Why is protecting confidential information generally considered more critical than ensuring the auditability of a secondary service provider?

A

Because a breach of confidential information can lead to significant financial loss, reputational damage, and legal consequences, while the inability to audit a service provider might impact internal process efficiency but not necessarily result in direct financial or reputational harm.