Domain 2 Flashcards
BCP testing
After a tabletop exercise has been performed, the next step would be a functional test, which includes the mobilization of staff to exercise the administrative and organizational functions of a recovery.
tabletop testing
The primary purpose of tabletop testing is to practice proper coordination because it involves all or some of the crisis team members and is focused more on coordination and communication issues than on technical process details.
Functional testing
Functional testing involves mobilization of personnel and resources at various geographic sites. This is a more in-depth functional test and not primarily focused on coordination and communication.
A paper test
A paper test (sometimes called a desk check) is appropriate for testing a BCP. It is a walk-through of the entire BCP, or part of the BCP, involving the major players in the BCP’s execution, who reason out what may happen in a particular disaster.
IT balanced scorecard (BSC)
Because a BSC is a way to measure performance, a definition of key performance indicators is required before implementing an IT BSC. An IT balanced scorecard (BSC) provides the bridge between IT objectives and business objectives by supplementing the traditional financial evaluation with measures to evaluate customer satisfaction, internal processes and the ability to innovate.
IS auditor interviews key stakeholders in an organization to determine whether they understand their roles and responsibilities
The IS auditor should interview key stakeholders to evaluate how well they understand their roles and responsibilities. When all stakeholders have a detailed understanding of their roles and responsibilities in the event of a disaster, an IS auditor can deem the business continuity plan to be clear and simple.
capability maturity model (CMM)
Predictable software processes are followed.
quality management system (QMS)
Continuous and measurable improvement of quality is the primary requirement to achieve the business objective for the quality management system (QMS).
effectiveness of the business continuity plan.
Previous test results will provide evidence of the effectiveness of the business continuity plan.
After completing the business impact analysis (BIA), what is the NEXT step in the business continuity planning (BCP) process?
Once the business impact analysis (BIA) is completed, the next phase in BCP development is to identify the various recovery strategies and select the most appropriate strategy for recovering from a disaster that will meet the timelines and priorities defined through the BIA.
transparency
Performance measurement includes setting and monitoring measurable objectives of what the IT processes need to deliver (process outcome) and how they deliver it (process capability and performance).
preparedness test
A preparedness test is performed by each local office/area to test the adequacy of the preparedness of local operations for disaster recovery.
IT performance measurement process
An IT performance measurement process can be used to optimize performance, measure and manage products/services, assure accountability and make budget decisions.
highest level of the software capability maturity model (CMM)
A. An organization would have reached the highest level of the software capability maturity model (CMM) at level 5, Optimizing (continuous improvement).
B. Quantitative quality goals can be reached at level 4 and below.
C. A documented process is executed at level 3 and below.
D. A process tailored to specific projects can be achieved at level 2 or below.
software quality management process
Because an audit measures compliance with the standards of the organization, the first step of the review of the software quality management process should be to determine the evaluation criteria in the form of standards adopted by the organization. The evaluation of how well the organization follows its own standards cannot be performed until the IS auditor has determined what standards exist.
BCP should be based on?
duration of outage
What drives Information Security Policy?
Business objectives drive the information security policy, and the information security policy drives the selection of IT department objectives. A policy driven by IT objectives is at risk of not being aligned with business goals.
Define Policy
First step: Defining a security policy for information and related technology is the first step toward building a security architecture. A security policy communicates a coherent security standard to users, management and technical staff. Security policies will often set the stage in terms of what tools and procedures are needed for an organization.
effectiveness of an IT governance implementation
stakeholder requirements and involvement
IT governance framework
Senior management must be involved and aware of roles and responsibilities.
IT Steering Committee
Reports to the board of directors.
IT Governance
Organizational Strategies
governance of IT
board of directors.
primary risk of business process reengineering (BPR)
A primary risk of business process reengineering (BPR) is that controls are eliminated as part of the reengineering effort. This would be the primary concern.
Strategic vs. IT Short Range
The integration of IT and business personnel in projects is an operational issue and should be considered while reviewing the short-range plan. A strategic plan would provide a framework for the IT short-range plan.
Strategic Plan
B. A clear definition of the IT mission and vision would be covered by a strategic plan.
C. A strategic information technology planning scorecard would be covered by a strategic plan.
D. Business objectives correlating to IT goals and objectives would be covered by a strategic plan.
adequacy of an organization’s security awareness program
Job descriptions contain clear statements of accountability for information security.
Strategic plans
Involvement of senior management
investment portfolio analysis
It is most desirable to conduct an investment portfolio analysis, which will not only present a clear focus on investment strategy but will also provide the rationale for terminating nonperforming IT projects.