2.4 IT Balanced Score Card (Doshi)

Question 1

What is the balanced Scorecard?

Answer 1

A management tool that is used to measure the performance and effectiveness of an organization.

Question 2

Key performance indicators of the IT balanced scorecard are:

Answer 2

(1) Financial,
(2) customer,
(3) internal process,
(4) innovation and
(5) learning

Question 3

Key performance indicators of the Balanced scorecard are:

Answer 3

(1) Financial,
(2) Customer satisfaction,
(3) Internal process,
(4) Ability to innovate and learning

Question 4

Standard IT Balanced Scorecard:

Answer 4

can be used to specifically measure IT organization performance and results.

Question 5

Key perspectives of the Standard IT Balanced ScoreCard:

Answer 5

Establish, monitor and evaluate IT performance in terms of :

(1) business contribution
(2) future orientation
(3) operation excellence
(4) user orientation

Question 6

In any given scenario, three indicators of IT balanced scorecard:

Answer 6

(1) customer satisfaction
(2) internal processes and
(3) ability to innovate.

Question 7

Why should the balanced scorecard be used?

Answer 7

Because it’s the most effective means to aid the IT strategy committee and management in achieving the IT governance through proper IT and business alignment.

Question 8

Success of IT Scorecard depends on:

Answer 8

Involvement of senior management in IT strategy planning.

Question 9

Primary objective of IT balanced scorecard:

Answer 9

To optimize the performance

Question 10

What needs to be defined before implementing IT balanced scorecard?

Answer 10

Key performance indicators (KPI)

Question 11

Though financial performance is an indicator of generic balanced scorecard, it is

Answer 11

not part of IT balanced scorecard.

Question 12

In any given scenario, use of IT balanced scorecard is the most effective means to

Answer 12

aid the IT strategy committee and management in achieving the IT governance through proper IT & business alignment.

Question 13

In any given scenario, success of IT scorecard depends upon

Answer 13

involvement of senior management in IT strategy planning.

Question 14

In any given scenario, primary objective of IT balanced scorecard is

Answer 14

to optimize the performance.

Question 15

In any given scenario, key performance indicators (KPIs) need to be defined

Answer 15

before implementing IT balanced scorecard.

Question 16

Standard IT Balanced Scorecard

Answer 16

• A process management evaluation technique that can be applied to the IT governance process in assessing IT functions and processes
• Method goes beyond the traditional financial evaluation
• One of the most effective means to aid the IT strategy committee and management in achieving IT and business alignment

Question 17

Outcomes of security governance

Answer 17

• Strategic alignment—align with business strategy
• Risk management—manage and execute appropriate measures to mitigate risks
• Value delivery—optimize security investments
• Performance measurement – measure, monitor and report on information security processes
• Resource management—utilize information security knowledge and infrastructure efficiently and effectively
• Process integration – integration of management assurance processes for security

Question 18

Information security governance requires strategic direction and impetus from:

Answer 18

• Boards of directors / senior management
• Senior management
• Steering committees
• Chief information security officers

Question 19

Enterprise Architecture

Answer 19

• Involves documenting an organization’s IT assets in a structured manner to facilitate understanding, management and planning for IT investments
• Often involves both a current state and optimized future state representation

Question 20

Enterprise Architecture

Answer 20

The Basic Zachman Framework

Question 21

The Federal Enterprise Architecture (FEA) hierarchy:

Answer 21

• Performance
• Business
• Service component • Technical
• Data

Question 22

From an IS standpoint, strategic planning relates to

Answer 22

the long-term direction an organization wants to take in leveraging information technology for improving its business processes

Question 23

Effective IT strategic planning involves a consideration of the organization’s demand for IT and

Answer 23

its IT supply capacity

Question 24

The IS auditor should

Answer 24

• Pay attention to the importance of IT strategic planning
• Focus on the importance of a strategic planning process or planning framework
• Consider how the CIO or senior IT management are involved in the creation of the overall business strategy

Question 25

Which of the following would be included in an IS strategic plan? A. Specifications for planned hardware purchases B. Analysis of future business objectives C. Target dates for development projects D. Annual budgetary targets for the IS department

Answer 25

B. Analysis of future business objectives ?

Question 26

Which of the following BEST describes an IT department’s strategic planning process? A. The IT department will have either short-range or long-range plans depending on the organization’s broader plans and objectives. B. The IT department’s strategic plan must be time- and project- oriented, but not so detailed as to address and help determine priorities to meet business needs. C. Long-range planning for the IT department should recognize organizational goals, technological advances and regulatory requirements. D. Short-range planning for the IT department does not need to be integrated into the short-range plans of the organization since technological advances will drive the IT department plans much quicker than organizational plans.

Answer 26

?

Question 27

Steering Committee

Answer 27

* An organization’s senior management should appoint a planning or steering committee to oversee the IS function and its activities * A high-level steering committee for information technology is an important factor in ensuring that the IS department is in harmony with the corporate mission and objectives

Question 28

Maturity and Process Improvement Models

Answer 28

* IDEAL model * CapabilityMaturityModelIntegration(CMMI) * Team Software Process (TSP) * Personal Software Process (PSP)

Question 29

Policies and Procedures reflect management guidance and direction in developing controls over:

Answer 29

* Information systems * Related resources * IS department processes

Question 30

Policies

Answer 30

* High level documents * Must be clear and concise * Set tone for organization as a whole (top down) * Lower-level policies – defined by individual divisions and departments

Question 31

Information Security Policy

Answer 31

• Defines information security, overall objectives and scope • Is a statement of management intent • Is a framework for setting control objectives including risk management • Defines responsibilities for information security management Acceptable Use Policy

Question 32

Procedures are detailed documents that:

Answer 32

Define and document implementation policies • Must be derived from the parent policy • Must implement the spirit (intent) of the policy statement • Must be written in a clear and concise manner

Question 33

Risk Management is

Answer 33

The process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives.

Question 34

4 Processes in Risk Management

Answer 34

* Avoid * Mitigate * Transfer * Accept

Question 35

To develop a risk management PROGRAM:

Answer 35

(1) Establish the purpose of the risk management program | (2) Assign responsibility for the risk management plan

Question 36

Risk Management Process

Answer 36

(1) Identification and classification of information resources or assets that need protection (2) Assess threats and vulnerabilities and the likelihood of their occurrence (3) Once the elements of risk have been established they are combined to form an overall view of risk (4) Evaluate existing controls or design new controls to reduce the vulnerabilities to an acceptable level of risk (5) Residual risk

Question 37

IT risk management needs to operate at multiple levels including:

Answer 37

* The operational level * The project level * The strategic level

Question 38

Risk Analysis Methods

Answer 38

(1) Qualitative (2) Semiquantitative (3) Quantitative – Probability and expectancy – Annual loss expectancy method

Question 39

Risk Analysis Methods Management and IS auditors should keep in mind certain considerations:

Answer 39

* Risk management should be applied to IT functions throughout the company * Senior management responsibility * Quantitative RM is preferred over qualitative approaches * Quantitative RM always faces the challenge of estimating risks * Quantitative RM provides more objective assumptions * The real complexity or the apparent sophistication of the methods or packages used should not be a substitute for commonsense or professional diligence * Special care should be given to very high impact events, even if the probability of occurrence over time is very low

Question 40

Human Resource Management

Answer 40

* Hiring * Employee handbook * Promotion policies * Training * Scheduling and time reporting * Employee performance evaluations • Required vacations * Termination policies