2.5 Roles of various function of IT (Doshi) Flashcards

1
Q

Role of the Board of Directors:

A

Primarily responsible for IT governance

2
Q

Role of the Strategy Committee:

A

(1) Advises the board on IT initiatives.

(2) The strategy committee generally consists of board members and specialized non-board members.

3
Q

Role of the Steering Committee:

A

The IT steering committee monitors and facilitates the deployment of IT resources for specific projects in support of business plans.

4
Q

PRIMARY objective of the Steering Committee:

A

The role of an IT steering committee is to ensure that the IS department is in harmony with the organization’s mission and objectives. To ensure this, the committee must determine whether IS processes support the business requirements.

5
Q

IT Processes and Business Requirements:

A

For the IS department to be in harmony with the organization’s mission and objectives, the steering committee must determine whether IS processes support the business requirements.

6
Q

Role of the Project Steering Committee:

A

(1) The project steering committee is ultimately responsible for all costs and timetables of the project.
(2) The function of the steering committee is to ensure the success of the project.

7
Q

Composition of the Project Steering Committee:

A

(1) A project steering committee usually consists of a senior representative from each function that will be affected by the new system.
(2) It provides overall direction and monitors costs, project schedules and timetables.

8
Q

User Management:

A

(1) Assumes ownership of the project and the resulting system.
(2) Reviews and approves deliverables as they are defined and accomplished.

9
Q

System Development Management:

A

System development management provides technical support for the hardware and software environments by developing, installing and operating the requested system.

10
Q

Project Sponsor:

A

(1) The project sponsor is the manager in charge of the business function,
(2) the owner of the data and the owner of the system under development.
(3) Providing functional specifications through the functional users is the responsibility of the project sponsor.

11
Q

Project Sponsor

A

(1) Assumes ownership of the project and the resulting system.

(2) Provides the functional requirements, and reviews and approves deliverables.

12
Q

System development management:

A

Provides technical support for the hardware and software environments.

13
Q

A project steering committee usually consists of

A

a senior representative from each function that will be affected by the new system. They provide overall direction and monitor costs, project schedules and timetables.

14
Q

The project steering committee is ultimately responsible for

A

all costs and timetables of the project.

15
Q

The function of the steering committee is to ensure

A

the success of the project. If there are factors or issues that potentially could affect planned results, the steering committee should escalate them.

16
Q

Sourcing Practices

A
• Sourcing practices relate to the way an organization obtains the IS functions required to support the business
• Organizations can perform all IS functions in-house or outsource all functions across the globe
• The sourcing strategy should consider each IS function and determine which approach allows that function to meet the organization’s goals
17
Q

The IS auditor can assist an organization in moving IS functions offsite or offshore by ensuring that IS management considers the following:

A
– Legal, regulatory and tax issues
– Continuity of operations
– Personnel
– Telecommunication issues
– Cross-border and cross-cultural issues
18
Q

Governance in outsourcing

A
• A mechanism that allows organizations to transfer the delivery of services to third parties
• Accountability remains with the management of the client organization
• Transparency and ownership of the decision-making process must reside within the purview of the client
19
Q

Third-party service delivery management

A

Every organization using the services of third parties should have a service delivery management system in place to implement and maintain the appropriate level of information security and service delivery, in line with the third-party service delivery agreements.

• The organization should check the implementation of agreements, monitor compliance with the agreements and manage changes to ensure that the services delivered meet all requirements agreed to with the third party.

20
Q

The MOST important responsibility of a data security officer in an organization is:

A. recommending and monitoring data security policies.
B. promoting security awareness within the organization.
C. establishing procedures for IT security policies.
D. administering physical and logical access controls.

A

A. Recommending and monitoring data security policies. (CISA review answer: promoting awareness, writing procedures and administering access controls are supporting or operational tasks; setting and monitoring policy is the officer's primary responsibility.)

21
Q

What is considered the MOST critical element for the successful implementation of an information security (IS) program?

A. An effective enterprise risk management (ERM) framework
B. Senior management commitment
C. An adequate budgeting process
D. Meticulous program planning

A

B. Senior management commitment. (Without it, the ERM framework, budget and planning in the other options do not get the authority or resources to succeed.)

22
Q

Five ways to use performance measures:

A
• Measure products/services
• Manage products/services
• Assure accountability
• Make budget decisions
• Optimize performance
23
Q

An IS auditor should ensure that IT governance performance measures:

A. evaluate the activities of IT oversight committees.
B. provide strategic IT drivers.
C. adhere to regulatory reporting standards and definitions.
D. evaluate the IT department.

A

A. Evaluate the activities of IT oversight committees. (CISA review answer: governance performance measures exist to evaluate the bodies that direct and oversee IT; evaluating the IT department alone is an operational measure.)

24
Q

Segregation of Duties Within IS

A
• Avoids the possibility of errors or misappropriations
• Discourages fraudulent acts
• Limits access to data
25
Q

Which of the following tasks may be performed by the same person in a well-controlled information processing computer center?

A. Security administration and change management
B. Computer operations and system development
C. System development and change management
D. System development and systems maintenance

A

D. System development and systems maintenance. (Both are development activities, so combining them creates no conflict; each of the other pairings combines incompatible duties: security administration with change management, operations with development, or development with change management.)

26
Q

Which of the following is the MOST critical control over database administration?

A. Approval of DBA activities
B. Segregation of duties
C. Review of access logs and activities
D. Review of the use of database tools

A

B. Segregation of duties. (CISA review answer: the DBA role already concentrates privilege, so keeping it separate from incompatible functions such as development and operations is the primary control; approval, log review and tool-usage review are secondary or compensating controls.)

27
Q

Control measures to enforce segregation of duties include:

A
• Transaction authorization
• Custody of assets
• Access to data
– Authorization forms
– User authorization tables
28
Q

Compensating controls for lack of segregation of duties include:

A
• Audit trails
• Reconciliation
• Exception reporting
• Transaction logs
• Supervisory reviews
• Independent reviews
29
Q

When a complete segregation of duties cannot be achieved in an online system environment, which of the following functions should be separated from the others?

A. Origination
B. Authorization
C. Recording
D. Correction

A

B. Authorization
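The three preceding cards describe two kinds of segregation-of-duties control: preventive checks against user authorization tables, and compensating detective controls (transaction logs plus exception reporting) for cases where full separation is impossible, with authorization as the function that must always be kept apart. The following Python is an added example, not part of the original deck, showing both checks over a small constructed authorization table and a constructed transaction log. The conflict matrix, user names and log format are assumptions made for the example.

```python
"""Segregation-of-duties checks over constructed sample data (added example).

1. Preventive: compare a user authorization table against a matrix of
   incompatible functions before (or after) access is granted.
2. Detective / compensating: exception reporting over a transaction log,
   flagging transactions where the authorizer also originated, recorded
   or corrected the same transaction.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Incompatible function pairs. Authorization is kept apart from every
# other transaction-processing function; the remaining pairs are the
# classic custody/recording and development/operations splits.
# This matrix is an assumption for the example, not a complete one.
CONFLICTS: Set[frozenset] = {
    frozenset({"authorization", "origination"}),
    frozenset({"authorization", "recording"}),
    frozenset({"authorization", "correction"}),
    frozenset({"authorization", "custody"}),
    frozenset({"custody", "recording"}),
    frozenset({"system_development", "computer_operations"}),
    frozenset({"security_administration", "change_management"}),
}

# Constructed user authorization table: user -> functions granted.
AUTH_TABLE: Dict[str, Set[str]] = {
    "alice": {"origination", "recording"},
    "bob": {"authorization"},
    "carol": {"recording", "authorization"},                 # conflict
    "dave": {"system_development", "system_maintenance"},    # allowed
}

# Constructed transaction log, one event per line: "<txn> <action> <user>".
LOG_LINES: List[str] = [
    "T1001 originate alice",
    "T1001 record alice",
    "T1001 authorize bob",
    "T1002 originate carol",
    "T1002 authorize carol",     # carol authorizes her own transaction
    "T1003 record alice",
    "T1003 correct alice",
    "T1003 authorize bob",
]


def sod_conflicts(auth_table: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (user, function_a, function_b) for every incompatible pair a user holds."""
    found = []
    for user, funcs in auth_table.items():
        for pair in CONFLICTS:
            if pair <= funcs:                 # user holds both sides of the pair
                a, b = sorted(pair)
                found.append((user, a, b))
    return sorted(found)


def parse_log(lines: List[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Group log lines by transaction id -> [(action, user), ...]."""
    txns: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for line in lines:
        txn, action, user = line.split()
        txns[txn].append((action, user))
    return txns


def exception_report(lines: List[str]) -> List[str]:
    """Return transaction ids whose authorizer also performed another function on them."""
    exceptions = []
    for txn, events in parse_log(lines).items():
        authorizers = {user for action, user in events if action == "authorize"}
        others = {user for action, user in events if action != "authorize"}
        if authorizers & others:
            exceptions.append(txn)
    return sorted(exceptions)


if __name__ == "__main__":
    for user, a, b in sod_conflicts(AUTH_TABLE):
        print(f"SoD conflict: {user} holds both {a} and {b}")
    for txn in exception_report(LOG_LINES):
        print(f"Exception: authorizer of {txn} also originated/recorded/corrected it")
```

The static check is what a reviewer runs against the authorization tables; the log check is the compensating control from the previous card, and the same reasoning applies to any function pair in the matrix, not only authorization.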

30
Q

Indicators of potential problems include:

A
• Unfavorable end-user attitudes
• Excessive costs
• Budget overruns
• Late projects
• High staff turnover
• Inexperienced staff
• Frequent hardware/software errors
31
Q

The following documents should be reviewed:

A
• IT strategies, plans and budgets
• Security policy documentation
• Organization/functional charts
• Job descriptions
• Steering committee reports
• System development and program change procedures
• Operations procedures
• Human resource manuals
• Quality assurance procedures
32
Q

There are various phases to computer hardware, software and IS service contracts, including:

A
• Development of contract requirements and service levels
• Contract bidding process
• Contract selection process
• Contract acceptance
• Contract maintenance
• Contract compliance
33
Q

Business continuity planning (BCP)

A

• A process designed to reduce the organization’s business risk
• A BCP is much more than just a plan for the information systems

34
Q

Corporate risks could cause an organization to suffer

A
• Inability to maintain critical customer services
• Damage to market share, reputation or brand
• Failure to protect the company’s assets, including intellectual property and personnel
• Business control failure
• Failure to meet legal or regulatory requirements
35
Q

Business Continuity Policy

A

• Defines the extent and scope of business continuity for both internal and external stakeholders
• Should be proactive

36
Q

All types of incidents should be categorized

A

• Negligible
• Minor
• Major
• Crisis

37
Q

Business Impact Analysis

A

• Critical step in developing the business continuity plan
• Three main questions to consider during BIA phase:
– What are the different business processes?
– What are the critical information resources related to an organization’s critical business processes?
– What is the critical recovery time period for information resources in which business processing must be resumed before significant or unacceptable losses are suffered?

38
Q

What is the system’s risk ranking?

A
• Critical
• Vital
• Sensitive
• Non-sensitive
39
Q

Factors to consider when developing the BC plans:

A
• Pre-disaster readiness covering incident response management to address all relevant incidents affecting business processes
• Evacuation procedures
• Procedures for declaring a disaster (escalation procedures)
• Circumstances under which a disaster should be declared
• Clear identification of the responsibilities in the plan
• Clear identification of the persons responsible for each function in the plan
• Clear identification of contact information
• A step-by-step explanation of the recovery process
• Clear identification of the various resources required for recovery and continued operation of the organization
40
Q

Other Issues in BC Plan Development

A

• Management and user involvement is vital to the success of BCP
– Essential to the identification of critical systems, recovery times and resources
– Involvement from support services, business operations and information processing support
• Entire organization needs to be considered for BCP

41
Q

A business continuity plan may consist of more than one plan document

A
• Continuity of operations plan (COOP)
• Disaster recovery plan (DRP)
• Business resumption plan
• Continuity of support plan / IT contingency plan
• Crisis communications plan
• Incident response plan
• Transportation plan
• Occupant emergency plan (OEP)
• Evacuation and emergency relocation plan
42
Q

Components of the plan

A

• Key decision-making personnel
• Backup of required supplies
• Insurance

43
Q

Insurance

A
– IS equipment and facilities
– Media (software) reconstruction 
– Extra expense
– Business interruption
– Valuable papers and records
– Errors and omissions
– Fidelity coverage
– Media transportation
44
Q

BC Plan Testing

A

• Schedule testing at a time that will minimize disruptions to normal operations
• Test must simulate actual processing conditions
• Test execution:
– Documentation of results
– Results analysis
– Recovery / continuity plan maintenance

45
Q

Business continuity plan must:

A

– Be based on the long-range IT plan
– Comply with the overall business continuity strategy

46
Q

Process for developing and maintaining the BCP/DRP

A

– Conduct risk assessment
– Prepare business impact analysis
– Choose appropriate controls and measures for recovering IT components to support the critical business processes
– Develop the detailed plan for recovering IS facilities (DRP).
– Develop a detailed plan for the critical business functions to continue to operate at an acceptable level (BCP).
– Test the plans
– Maintain the plans as the business changes and systems develop.

47
Q

Auditing Business Continuity

A
• Understand and evaluate the business continuity strategy
• Evaluate plans for accuracy and adequacy
• Verify plan effectiveness
• Evaluate offsite storage
• Evaluate the ability of IS and user personnel to respond effectively
• Ensure plan maintenance is in place
• Evaluate the readability of business continuity manuals and procedures
48
Q

IS auditors should verify that basic elements of a well-developed plan are evident including:

A
• Currency of documents
• Effectiveness of documents
• Interviews with personnel for appropriateness and completeness
49
Q

IS auditors must review the test results to:

A
• Determine whether corrective actions are in the plan
• Evaluate thoroughness and accuracy
• Determine problem trends and resolution of problems
50
Q

An IS auditor must evaluate offsite storage by:

A
• Evaluating the presence, synchronization and currency of media and documentation
• Performing a detailed inventory review
• Reviewing all documentation
• Evaluating the availability of the facility
51
Q

An IS auditor must interview key personnel:

A
• Key personnel must have an understanding of their responsibilities
• Current detailed documentation must be kept
52
Q

An IS auditor must evaluate security at the offsite facility:

A
• Evaluate the physical and environmental access controls
• Examine the equipment for current inspection and calibration tags

53
Q

Reviewing Alternative Processing Contract

A

• An IS auditor should obtain a copy of the contract with the vendor
• The contract should be reviewed against a number of guidelines, including:
– The contract is clear and understandable
– The organization agrees with the vendor’s rules and terms

54
Q

Reviewing Insurance Coverage

A

• Insurance coverage must reflect actual cost of recovery
• Coverage of the following must be reviewed for adequacy
– Media damage
– Business interruption
– Equipment replacement
– Business continuity processing