Chapter 2 - Governance

Question 1

Politics

Answer 1

is effectively defined as having a different agenda and often includes using deceit, lies, or willful omission.

Question 2

Govern

Answer 2

means to direct and to control the actions or conduct of others by using published rules and controls set by an authority. Executive officers are in charge of governance

Question 3

Strategy

Answer 3

is defined as “an adaptation of behavior or structure with an elaborate and systematic plan of action.”

Question 4

Corporate governance

Answer 4

is often defined as “ethical behavior of corporate executives toward shareholders, stakeholders, and protection of organizational assets to maximize the return of a financial investment.”

Question 5

Records management system (RMS)

Answer 5

will provide governance details of specific handling instructions including pre-agreed-upon authorization to immediately interrupt running systems when data classified as high value is potentially exposed.

Question 6

IT steering committee

Answer 6

is used to convey the current business requirements from business executives to the IT executive. The name of the committee is not as important as the function that it performs, and a committee may perform more than one function. What’s important is that the job of steering operations to business requirements is occurring.

Question 7

The three layers of IT scoring are:

Answer 7

Mission
Strategy
Metrics

Question 8

Types of policies

Answer 8

Advisory policy
Regulatory policy
Informational policy

Question 9

Advisory policy

Answer 9

An advisory policy explains the condition to be prevented by the policy and provides notice as to the consequences of failure. The interested party may be an employee. The subject could be acceptable use of the Internet.

Question 10

Regulatory policy

Answer 10

The term regulatory indicates that this policy is mandated by some type of law. All organizations under the jurisdiction of the regulation are expected to comply. Failure to comply will result in criminal liability.

Question 11

Informational policy

Answer 11

Informational policies inform the public of the organization’s operating policies. Examples include the customer privacy policy, the customer refund policy, and the customer exchange policy.

Question 12

Portfolio management

Answer 12

collection of assets of value (aka investments) is known as a portfolio. Examples include real estate property, treasury bonds, corporate stock ownership, gold bullion and intellectual property such as title to patent rights.

Question 13

Program management

Answer 13

refers to ongoing activities necessary to support continuous operation. The program is usually managed by an executive vice president (EVP) who will be responsible for sustaining its operation.

Question 14

Project management

Answer 14

are temporary endeavors that might operate outside of the normal organizational structure.

Question 15

Project Management Office (PMO)

Answer 15

the primary role of the PMO is to provide centralized visibility of how resources are presently being consumed so the senior executives can start, stop, or restart projects as they see fit.

Question 16

The four different suppliers in a project include:

Answer 16

Supplier of technical knowledge
Supplier of engineering (designs and prototypes)
Supplier of products
Supplier of personnel

Question 17

Initiating

Answer 17

This process starts the project or a new phase of the project. It’s all about the sponsor defining the objective, putting up the money, and authorizing the project to begin.

Question 18

Planning

Answer 18

This process group represents almost half of the PM processes. Planning is where the project scope, goals, and objectives are detailed. The focus of planning is to estimate, organize, and sequence all activities.

Question 19

Executing

Answer 19

The largest portion of resources is used during executing activities. This group of activities comprises the major work to create project deliverables.

Question 20

Closing

Answer 20

As each work package (activity) is completed, it’s time to pay vendors and put the files in an archive to close out that individual item in the project.

Question 21

Performance review

Answer 21

refers to the identification of a target to be monitored, tracked, and assigned to a responsible party and the resolution of any open issues.

Question 22

The Capability Maturity Model (CMM)

Answer 22

is a method for evaluating and measuring the maturity of governance processes in organizations. A rating scale from 0 to 5 is used. A score of zero indicates that nothing is occurring. Level 1 maturity indicates that the initial activity was successful and may later progress up to level 5, when the activity is statistically controlled for continuous improvement.

Question 23

Performance reporting

Answer 23

serves to inform executives and stakeholders as to the progress of current activities.

Question 24

COSO

Answer 24

sets the controls for monetary and banking systems.

Question 25

Transborder communication

Answer 25

Data security is the number-one concern when planning for communication crossing the border.

Question 26

Intellectual property

Answer 26

refers to data and knowledge that is not commonly known. This information possesses a commercial value. The IS auditor should understand how the organization is attempting to protect its intellectual property.

Question 27

Data integrity

Answer 27

Is to ensure that data is accurate and safely stored.

Question 28

IT governance

Answer 28

requires continuity planning for systems and data. Auditors need to be aware of multiple continuity objectives besides disaster recovery.

A short definition of IT governance is to effectively lead and monitor performance of the information technology investment. IT governance exists at three levels: strategic, tactical, and operational management.

Question 29

Self-insurance

Answer 29

means the organization is accepting the risk with full liability for any consequences. If a loss occurs, the organization will pay everything out of its own pocket.

Question 30

Business Process Reengineering (BPR)

Answer 30

is used to improve process performance by removing, combining, or replacing steps that are no longer important.

Question 31

Benchmarking

Answer 31

is the process of comparing performance data (aka metrics). It can be used to evaluate business processes that are under consideration for reengineering.

Question 32

Business impact analysis (BIA)

Answer 32

is a discovery process. Its purpose is to uncover the inner workings of any production-related process.