DM2: IT Management Flashcards
What are the five steps of the risk management process?
1) Asset Identification
2) Evaluation of threats and vulnerabilities
3) Evaluation of impact
4) Calculation of risk
5) Evaluation/Response to Risk
any circumstance or event with potential to cause harm to an information resource (e.g., disclosure, modification of data, denial of service)
Threat
What are examples of typical IT assets?
Information/Data;
hardware;
software;
documents;
personnel
What are common classes of threats?
errors, malicious attacks, fraud, theft, equipment/software failure
What are some common types of vulnerabilities when examining IT risk?
Lack of user knowledge;
Lack of security functionality;
inadequate user awareness/education;
untested technology;
unprotected transmission of information
The controls implemented to reduce the vulnerabilities identified during the risk management process
Countermeasures or safeguards
The remaining level of risk after controls have been applied
residual risk
The acceptable level of risk defined by management
risk appetite
Level of IT risk management most concerned with the effectiveness and efficiency of IT systems and supporting infrastructure, the ability to bypass controls, loss/unavailability of key resources, and compliance
operational risk management
Level of IT risk management most concerned with project complexities and project risks
project risk management
Level of IT risk management most concerned with IT alignment with business strategy, competitors, and threats of evolving technology
strategic risk management
risk analysis method that uses words or descriptive rankings to describe risk impact and likelihood; most often used when risk level is low
qualitative risk analysis
risk analysis method where words/descriptive scales are directly associated with numeric values; used to reduce subjectivity of descriptive risks
semiquantitative risk analysis
risk analysis method using numeric values to describe the likelihood and impacts of risks; uses data from historical data, past experience, theories, testing and experiments
quantitative risk analysis
these help facilitate and foster the quality of enterprise IT policies and procedures and are part of governance maturity framework
tools, techniques, and processes (TTP)
how IT strategies, policies, and procedures and standards are maintained, used and improved over time as the organization changes
quality management
maturity model created to combine the five levels of maturity and best aligns with new software development practices (e.g., iterative development, early definition, model-based design, scalable processes, etc.)
capability maturity model integration (CMMI)
maturity model that forms an infrastructure to guide enterprises in planning and implementing an effective software process. Consists of five phases: initiating, diagnosing, establishing, acting, and learning
IDEAL model
what are the five phases of the IDEAL maturity model?
initiating, diagnosing, establishing, acting, and learning
an enterprise's approach to integrating multiple assurance processes that may include internal audit, compliance, operational risk management, and incident risk management.
Governance, risk, and compliance (GRC)
process of pre-planning, scheduling, and allocating the limited IT resources to maximize efficiency in achieving enterprise objectives
IT resource management
what are some of the financial benefits of IT investment?
cost reductions and revenue increases
what are some of the NON-financial benefits of IT investment?
operations and mission performance (e.g., improved customer satisfaction, better information, shorter cycle times)
Process for determining if the organization is pursuing the best IT-related projects to achieve enterprise goals
IT Portfolio management
what are the steps needed to be taken when implementing IT portfolio management?
standardize terminology, ensure management commitment, agree on targets, plan portfolio management, specify criteria, define roles, organize tools and support
strategy for determining which sourcing approach each IT function can use to meet the organizational needs
sourcing strategy
what are some of the possible disadvantages of outsourcing?
costs exceeding expectation
loss of internal IT experience
loss of IT control
vendor failure
difficulty in reversing agreements
contract term issues
lack of loyalty
customer dissatisfaction
loss/leakage of data
What must an organization do when implementing cloud services in terms of governance and management of IT?
ensure IT remains aligned with the business, continue to meet objectives, security is in place, and risks are managed
Policies should be modified (or developed) to address the process of sourcing and managing/continuing cloud services.
TRUE
An organization should retain visibility into security activities of cloud (e.g., change management, vulnerability reporting, etc.)
TRUE
What should the primary objectives be of an outsourcing governance process?
ensure continuity of service, profitability, and added value to
what are some responsibilities that should be defined in an outsourcing governance process?
- ensuring contract viability through review
- governance schedules
- relationship management
- allocation of resources
- continuously evaluating performance
Governance should be preplanned and included as part of all outsourcing contracts.
TRUE
What is critical for an IS auditor to identify when reviewing outsourcing contracts?
Right-to-audit clauses (e.g., whether the vendor can be audited, what can be audited, SLAs related to requests)
what are the three steps for developing a performance metric?
- establishing critical processes to meet requirements
- identifying specific, quantifiable outputs of work from processes
- establishing targets against which results can be scored
what are areas that IS auditors should confirm performance metrics cover?
business contribution; performance vs. strategic goals; GRC with regulations; user satisfaction; key IT processes; future activities
the process of both improving perceived service performance and improving information system productivity to the highest level possible without unnecessary additional investment in the IT infrastructure
performance optimization
what are the two critical success factors that enable performance optimization?
- approval of goals by stakeholders
- acceptance of accountability for achievement of goals by management
the performance optimization methodology using an iterative, four-step process used for the control and continuous improvement of processes
PDCA (plan, do, check, act)
in PDCA, what does the “P” stand for?
Plan - establishing objectives and processes to deliver results
in PDCA, what does the “D” stand for?
Do - implement the plan
in PDCA, what does the “C” stand for?
Check - study the results and compare against expected results
in PDCA, what does the “A” stand for?
Act - request corrective actions on significant differences from actual and expected results
Technique of performance optimization that is a data-driven process analysis approach. It uses measurement-oriented strategies focused on improvement and defect reduction, where a “defect” is anything outside of expectation
Six Sigma
What is the main difference between the Six Sigma and Lean Six Sigma?
Lean Six Sigma eliminates unnecessary steps that don't add value
This is a process management evaluation technique that, in addition to traditional evaluations (e.g., financials), includes measures of customer satisfaction, internal processes, and the organization's ability to innovate.
IT Balanced Scorecard (IT BSC)
The thorough analysis and significant redesign of business processes and management systems to establish better performing, more responsive processes
business process reengineering (BPR)
What are the four perspectives of an effective IT BSC?
Mission (goal), Strategies (ways to achieve), Measures (ways to monitor), and Sources (who is responsible)
the planned and systematic pattern of all actions necessary to provide adequate confidence that an item or product conforms to established technical requirements; this ensures IT personnel are following prescribed procedures
Quality assurance (QA)
observation techniques and activities used to fulfill requirements for quality, such as conducting tests to verify products are free of defects and meet requirements.
Quality control (QC)