Class 4 - Information System Strategy Flashcards

1
Q

What are information systems crucial for?

A

Support, sustainability and growth of enterprises

2
Q

What are some threats that organizations face with IS aside from near complete dependence on them for functional and operational activities?

A

IS resource abuse
Cybercrime
Fraud
Errors and omissions

3
Q

What are IS strategic processes?

A

Necessary components within the organization’s governance structure that provide reasonable assurance that existing and emerging business goals will be attained

4
Q

Senior management should appoint a ___________ to oversee the IT function and its activities

A

IT steering committee

5
Q

Who should be appointed to an IT steering committee?

A

Representatives from senior management, each line of business, corporate departments (HR and finance) and the IT department

6
Q

Where are the IT steering committee’s duties and responsibilities defined?

A

In a formal charter

7
Q

What do members of an IT steering committee need to know?

A

IT department policies, procedures and practices

8
Q

What is the purpose of an IT steering committee?

A

To serve as a general review board for major IS projects (it should not become involved in routine operations)

9
Q

Why do large IT projects require economic justification?

A

Because they require large amounts of capital and capital is limited

Because selecting one project often means forgoing others

Because they often involve changes in business processes that will affect substantial portions of the organization

Because good governance requires that all significant investments be justified

10
Q

Many organizations find it _______ to evaluate IT projects using __________________

A

Difficult
Traditional techniques

11
Q

What are some questions that the economic justification for IT initiatives should answer?

A

Why are we doing this project?
How does it address key business issues?
How much will it cost and how long will it take?
What is the ROI and payback period?
What are the risks of doing the project?
What are the risks of not doing the project?
What are the alternatives?
How will success be measured?

12
Q

What needs to be done to fully understand the financial implications of a project proposal?

A

Determine the relevant time frame for costs and benefits
Select appropriate discount rates to apply
Prepare capital budgeting financial metrics
Assess the sensitivity of results to the assumptions

13
Q

How do you calculate the payback period?

A

Initial investment / increased cash flow per period

It represents the number of periods needed to recover the project’s initial investment

14
Q

__________ and __________ both compare the costs with benefits of an IT project

A

Payback period and breakeven analysis

15
Q

What are the capital budgeting financial metrics?

A

Net present value (NPV) - sum of the PV of all cash inflows minus the sum of the PV of all cash outflows

IRR - discount rate that makes the project’s NPV = 0

ROI - how much money the company will gain given cash flows and terms of investment

16
Q

In capital budgeting you need to test sensitivity to changes in ___________

A

Assumptions

17
Q

When you prepare the value proposition you assemble the analysis for each alternative IT initiative and recommend the preferred alternatives. What 5 questions should you focus on?

A
  1. The change and technology proposed
  2. The anticipated benefits (related to KSFs)
  3. The group(s) within the firm that will benefit
  4. The timing of the benefits
  5. The likelihood of achieving those benefits as planned
18
Q

Policies and procedures reflect management _________ and _________ over IS, related resources, and IT department processes

A

Guidance and direction

19
Q

Explain what policies are

A

High-level documents that represent the corporate philosophy of an organization

Must be clear and concise

Create a positive control environment by formulating, documenting and controlling employee actions

Need to be fully explained to the affected employees, who need to understand their intent

20
Q

Policies are part of _____ scope and need to be ________ ________ ________

A

Policies are part of audit scope and need to be tested for compliance

Auditor needs to consider how policies apply to the third parties or outsourcers and review conflicts if any

21
Q

Provide examples of policies

A

Data classification - describes classification, levels of control at each classification, responsibilities of all potential users

Acceptable use - includes information on all information resources (hardware, software, networks, internet, phones) and states permissions for usage

End-user computing - describes parameters and usage of desktop, mobile computers and other tools by users

Access control - describes the method for defining and granting access to users of various IT resources

22
Q

Describe procedures

A

Procedures are documented, defined steps for achieving policy objectives

Must be derived from the parent policy and implement the spirit (intent)

Must be clear and concise to be properly understood

Are more dynamic and reflect regular changes in business

23
Q

What is risk management?

A

The process of identifying vulnerabilities and threats to information resources

and deciding what safeguards, if any, to take in reducing the risk to an appropriate level

based on the value of the information resource to the organization

It starts with a clear understanding of the organizational appetite for risk

24
Q

What are the 4 strategies for risk management?

A

Avoid - not implement certain activities or processes that incur risk

Mitigate - lessen probability or impact by defining, implementing and monitoring appropriate controls

Share - share risk with partners, transfer via insurance coverage, or contractual agreement

Accept - formally acknowledge existence of risk and monitor it

25
Q

What are the steps in the risk management process?

A
  1. asset identification
  2. evaluation of threats and vulnerabilities
  3. evaluation of the impact
  4. calculation of risk (probability of occurrence * magnitude of impact)
  5. evaluation and response to risk
26
Q

In summary, the risk management process should ….

A

Achieve a cost-effective balance between application of security controls as safeguards and the significant threats

27
Q

IS management practices for HR department

A

hiring
employee handbook
promotion policies
training
scheduling and time reporting
performance evaluation
required vacation
termination policies