DM2: IT Management Flashcards

1
Q

What are the five steps of the risk management process?

A

1) Asset Identification
2) Evaluation of threats and vulnerabilities
3) Evaluation of impact
4) Calculation of risk
5) Evaluation/Response to Risk

2
Q

any circumstance or event with potential to cause harm to an information resource (e.g., disclosure, modification of data, denial of service)

A

Threat

3
Q

What are examples of typical IT assets?

A

Information/Data;
hardware;
software;
documents;
personnel

4
Q

What are common classes of threats?

A

errors, malicious attacks, fraud, theft, equipment/software failure

5
Q

What are some common types of vulnerabilities when examining IT risk?

A

Lack of user knowledge;
Lack of security functionality;
inadequate user awareness/education;
untested technology;
unprotected transmission of information

6
Q

The controls implemented to reduce the vulnerabilities identified during the risk management process

A

Countermeasures or safeguards

7
Q

The remaining level of risk after controls have been applied

A

residual risk

8
Q

The acceptable level of risk defined by management

A

risk appetite

9
Q

Level of IT risk management most concerned with the effectiveness and efficiency of IT systems and supporting infrastructure, the ability to bypass controls, loss/unavailability of key resources, and compliance

A

operational risk management

10
Q

Level of IT risk management most concerned with project complexities and project risks

A

project risk management

11
Q

Level of IT risk management most concerned with IT alignment with business strategy, competitors, and threats of evolving technology

A

strategic risk management

12
Q

risk analysis method that uses words or descriptive rankings to describe risk impact and likelihood; most often used when risk level is low

A

qualitative risk analysis

13
Q

risk analysis method where words/descriptive scales are directly associated with numeric values; used to reduce subjectivity of descriptive risks

A

semiquantitative risk analysis

14
Q

risk analysis method using numeric values to describe the likelihood and impacts of risks; uses data from historical data, past experience, theories, testing and experiments

A

quantitative risk analysis

15
Q

these help facilitate and foster the quality of enterprise IT policies and procedures and are part of a governance maturity framework

A

tools, techniques, and processes (TTP)

16
Q

how IT strategies, policies, and procedures and standards are maintained, used and improved over time as the organization changes

A

quality management

17
Q

maturity model created to combine the five levels of maturity and best aligns with new software development practices (e.g., iterative development, early definition, model-based design, scalable processes, etc.)

A

capability maturity model integration (CMMI)

18
Q

maturity model that forms an infrastructure to guide enterprises in planning and implementing an effective software process. Consists of five phases: initiating, diagnosing, establishing, acting, and learning

A

IDEAL model

19
Q

what are the five phases of the IDEAL maturity model?

A

initiating, diagnosing, establishing, acting, and learning

20
Q

an enterprise's approach to integrating multiple assurance processes that may include internal audit, compliance, operational risk management, and incident risk management.

A

Governance, risk, and compliance (GRC)

21
Q

process of pre-planning, scheduling, and allocating the limited IT resources to maximize efficiency in achieving enterprise objectives

A

IT resource management

22
Q

what are some of the financial benefits of IT investment?

A

cost reductions and revenue increases

23
Q

what are some of the NON-financial benefits of IT investment?

A

operations and mission performance (e.g., improved customer satisfaction, better information, shorter cycle times)

24
Q

Process for determining if the organization is pursuing the best IT-related projects to achieve enterprise goals

A

IT Portfolio management

25
Q

what are the steps needed to be taken when implementing IT portfolio management?

A

standardize terminology, ensure management commitment, agree on targets, plan portfolio management, specify criteria, define roles, organize tools and support

26
Q

strategy for determining which sourcing approach each IT function can use to meet the organizational needs

A

sourcing strategy

27
Q

what are some of the possible disadvantages of outsourcing?

A

costs exceeding expectation;
loss of internal IT experience;
loss of IT control;
vendor failure;
difficulty in reversing agreements;
contract term issues;
lack of loyalty;
customer dissatisfaction;
loss/leakage of data

28
Q

What must an organization do when implementing cloud services in terms of governance and management of IT?

A

ensure IT remains aligned with the business, continues to meet objectives, security is in place, and risks are managed
29
Q

Policies should be modified (or developed) to address the process of sourcing and managing/continuing cloud services.

A

TRUE

30
Q

An organization should retain visibility into security activities of the cloud provider (e.g., change management, vulnerability reporting, etc.)

A

TRUE

31
Q

What should the primary objectives be of an outsourcing governance process?

A

ensure continuity of service, profitability, and added value to

32
Q

what are some responsibilities that should be defined in an outsourcing governance process?

A

- ensuring contract viability through review
- governance schedules
- relationship management
- allocation of resources
- continuously evaluate performance

33
Q

Governance should be preplanned and included as part of all outsourcing contracts.

A

TRUE

34
Q

What is critical for an IS auditor to identify when reviewing outsourcing contracts?

A

Right-to-audit clauses (e.g., if they can be audited, what can be audited, SLAs related to requests)
35
Q

what are the three steps for developing a performance metric?

A

- establishing critical processes to meet requirements
- identifying specific, quantifiable outputs of work from processes
- establishing targets against which results can be scored

36
Q

what are areas that IS auditors should confirm performance metrics cover?

A

business contribution;
performance vs. strategic goals;
GRC with regulations;
user satisfaction;
key IT processes;
future activities

37
Q

the process of both improving perceived service performance and improving information system productivity to the highest level possible without unnecessary additional investment in the IT infrastructure

A

performance optimization

38
Q

what are the two critical success factors that enable performance optimization?

A

- approval of goals by stakeholders
- acceptance of accountability for achievement of goals by management

39
Q

the performance optimization methodology using an iterative, four-step process used for the control and continuous improvement of processes

A

PDCA (plan, do, check, act)
40
Q

in PDCA, what does the "P" stand for?

A

Plan - establishing objectives and processes to deliver results

41
Q

in PDCA, what does the "D" stand for?

A

Do - implement the plan

42
Q

in PDCA, what does the "C" stand for?

A

Check - study the results and compare against expected results

43
Q

in PDCA, what does the "A" stand for?

A

Act - request corrective actions on significant differences between actual and expected results

44
Q

Technique of performance optimization that is a data-driven process analysis approach. It uses measurement-oriented strategies focused on improvement and defect reduction, where a "defect" is anything outside of expectation

A

Six Sigma

45
Q

What is the main difference between Six Sigma and Lean Six Sigma?

A

Lean Six Sigma eliminates unnecessary steps that don't add value

46
Q

This is a process management evaluation technique that, in addition to traditional evaluations (e.g., financials), includes measures of customer satisfaction, internal processes, and the organization's ability to innovate.

A

IT Balanced Scorecard (IT BSC)
47
Q

The thorough analysis and significant redesign of business processes and management systems to establish better performing, more responsive processes

A

business process reengineering (BPR)

48
Q

What are the four perspectives of an effective IT BSC?

A

Mission (goal), Strategies (ways to achieve), Measures (ways to monitor), and Sources (who is responsible)

49
Q

the planned and systematic pattern of all actions necessary to provide adequate confidence that an item or product conforms to established technical requirements; this ensures IT personnel are following prescribed procedures

A

Quality assurance (QA)

50
Q

observation techniques and activities used to fulfill requirements for quality, such as conducting tests to verify products are free of defects and meet requirements.

A

Quality control (QC)