Domain 2: Governance and Management of IT Flashcards
For management to effectively monitor the compliance of processes and applications, what would be the MOST ideal?
dashboard
Which of the following would be included in an information systems (IS) strategic plan?
Analysis of future business objectives
What BEST describes an IT department’s strategic planning process?
Long-range planning for the IT department should recognize enterprise goals, technological advances and regulatory requirements
What is the MOST important responsibility of a data security officer in an enterprise?
recommending and monitoring data security policies
What is considered the MOST critical element for successfully implementing an information security program?
senior management commitment
An IS auditor should ensure that IT governance performance measures:
evaluate the activities of IT oversight committees
Which tasks may be performed by the same person in a well-controlled information processing computer center?
system development and system maintenance
What is the MOST critical control over database administration?
separation of duties regarding access rights (granting/revoking)
When complete separation of duties cannot be achieved in an online system environment, what function should be separated from the others?
authorization
In a small enterprise, where separation of duties is not practical, an employee performs the functions of computer operator and application programmer. What control(s) should the IS auditor recommend?
Procedures that verify that only approved program changes are implemented
Which of the following is the MOST important information systems (IS) audit consideration when an organization outsources a customer credit review system to a third-party service provider? The provider:
A. claims to meet or exceed industry security standards.
B. agrees to be subject to external security reviews.
C. has a good market reputation for service and experience.
D. complies with security policies of the organization.
B. An independent security review of an outsourcing vendor is critical because customer credit information will be kept with the vendor.
Which of the following inputs adds the MOST value to the strategic IT initiative decision-making process?
A. Maturity of the project management process
B. Regulatory environment
C. Past audit findings
D. IT project portfolio analysis
D. Portfolio analysis provides the best input into the decision-making process relating to planning strategic IT initiatives. An analysis of the IT portfolio provides comparable information of planned initiatives, projects and ongoing IT services, which allows the IT strategy to be aligned with the business strategy.
An information systems (IS) auditor finds that not all employees are aware of the enterprise’s information security policy. The IS auditor should conclude that:
A. this lack of knowledge may lead to unintentional disclosure of sensitive information.
B. information security is not critical to all functions.
C. IS audit should provide security training to the employees.
D. the audit finding will cause management to provide continuous training to staff.
A. All employees should be aware of the enterprise’s information security policy to prevent unintentional disclosure of sensitive information. Training is a preventive control. Security awareness programs for employees can prevent unintentional disclosure of sensitive information to outsiders.
Which of the following is the MOST important element for the successful implementation of IT governance?
A. Implementing an IT scorecard
B. Identifying organizational strategies
C. Performing a risk assessment
D. Creating a formal security policy
B. The key objective of an IT governance program is to support the business; therefore, the identification of organizational strategies is necessary to ensure alignment between IT and corporate governance. Without identification of organizational strategies, the remaining choices—even if implemented—would be ineffective.
The PRIMARY control purpose of required vacations or job rotations is to:
A. allow cross-training for development.
B. help preserve employee morale.
C. detect improper or illegal employee acts.
D. provide a competitive employee benefit.
C. The practice of having another individual perform a job function is a control used to detect possible irregularities or fraud.
During a feasibility study regarding outsourcing IT processing, the relevance for the information systems (IS) auditor of reviewing the vendor’s business continuity plan is to:
A. evaluate the adequacy of the service levels that the vendor can provide in a contingency.
B. evaluate the financial stability of the service bureau and its ability to fulfill the contract.
C. review the experience of the vendor’s staff.
D. test the business continuity plan.
A. A key factor in a successful outsourcing environment is the capability of the vendor to face a contingency and continue to support the organization’s processing requirements.
During an audit, the information systems (IS) auditor observed that a user can log in to post a transaction and then change role to authorize the same. Which of the following is the BEST course of action for the IS auditor?
A. Ask the system administrator to suspend the user’s access.
B. Check for suitable compensating controls.
C. Ask the database administrator to merge the two roles into a single role.
D. Record the finding in the audit report.
B. If a violation of segregation/separation of duties (SoD) is observed, the IS auditor should first look for compensating controls before concluding the findings.
Which of the following IT governance good practices improves strategic alignment?
A. Supplier and partner risk is managed.
B. A knowledge base of customers, products, markets and processes is in place.
C. A structure is provided that facilitates the creation and sharing of business information.
D. Top management mediates between the imperatives of business and technology.
D. Top management mediating between the imperatives of business and technology is an IT strategic alignment good practice.
Which of the following is responsible for the approval of an information security policy?
A. IT department
B. Security committee
C. Security administrator
D. Board of directors
D. Normally, the approval of an information systems security policy is the responsibility of top management or the board of directors.
A decision support system (DSS) is used to help high-level management:
A. solve highly structured problems.
B. combine the use of decision models with predetermined criteria.
C. make decisions based on data analysis and interactive models.
D. support only structured decision-making tasks.
C. A DSS emphasizes flexibility in the decision-making approach of management through data analysis and the use of interactive models, not fixed criteria.
To gain an understanding of the effectiveness of an organization’s planning and management of investments in IT assets, an information systems (IS) auditor should review the:
A. enterprise data model.
B. IT balanced scorecard (BSC).
C. IT organizational structure.
D. historical financial statements.
B. The IT balanced scorecard (BSC) is a tool that provides the bridge between IT objectives and business objectives by supplementing the traditional financial evaluation with measures to evaluate customer satisfaction, internal processes and the ability to innovate. In this way, the auditor can measure the success of the IT investment and strategy.
Which of the following situations is addressed by a software escrow agreement?
A. The system administrator requires access to software to recover from a disaster.
B. A user requests to have software reloaded onto a replacement hard drive.
C. The vendor of custom-written software goes out of business.
D. An information systems (IS) auditor requires access to software code written by the organization.
C. A software escrow is a legal agreement between a software vendor and a customer to guarantee access to source code. The application source code is held by a trusted third party, according to the contract. This agreement is necessary in the event that the software vendor goes out of business, there is a contractual dispute with the customer or the software vendor fails to maintain an update of the software as promised in the software license agreement.
Which of the following is MOST important to consider when reviewing the classification levels of information assets?
A. Potential loss
B. Financial cost
C. Potential threats
D. Cost of insurance
A. The best basis for asset classification is an understanding of the total losses that a business may incur if the asset is compromised. Typically, estimating these losses requires a review of criticality and sensitivity beyond financial cost, such as operational and strategic.
During an audit, the information systems (IS) auditor discovers that the HR department uses a cloud-based application to manage employee records. The HR department engaged in a contract outside of the normal vendor management process and manages the application on its own. Which of the following is of GREATEST concern?
A. Maximum acceptable downtime metrics have not been defined in the contract.
B. The IT department does not manage the relationship with the cloud vendor.
C. The help desk call center is in a different country, with different privacy requirements.
D. Organization-defined security policies are not applied to the cloud application.
D. Cloud applications should adhere to the organization-defined security policies to ensure that the data in the cloud are protected in a manner consistent with internal applications. These include, but are not limited to, the password policy, user access management policy and data classification policy.
Involvement of senior management is MOST important in the development of:
A. strategic plans.
B. IT policies.
C. IT procedures.
D. standards and guidelines.
A. Strategic plans provide the basis for ensuring that the enterprise meets its goals and objectives. Involvement of senior management is critical to ensuring that the plan adequately addresses the established goals and objectives.
An enterprise is looking to obtain cloud hosting services from a cloud vendor with a high level of maturity. Which of the following is MOST important for the auditor to ensure continued alignment with the enterprise’s security requirements?
A. The vendor provides the latest third-party audit report for verification.
B. The vendor provides the latest internal audit report for verification.
C. The vendor agrees to implement controls in alignment with the enterprise.
D. The vendor agrees to provide annual external audit reports in the contract.
D. The only way to ensure that any potential risk is mitigated today and in the future is to include a clause in the contract requiring the vendor to provide future external audit reports. Without the audit clause, the vendor can choose to forgo future audits.
The risk associated with electronic evidence gathering is MOST likely reduced by an email:
A. destruction policy.
B. security policy.
C. archive policy.
D. audit policy.
C. With a policy requiring well-archived email records, access to or retrieval of specific email records to comply with legal requirements is possible.
Due to profitability pressure, senior management of an enterprise decided to keep investments in information security at an inadequate level. Which of the following is the BEST recommendation for an information systems (IS) auditor?
A. Use cloud providers for low-risk operations.
B. Revise compliance enforcement processes.
C. Request that senior management accept the risk.
D. Postpone low-priority security procedures.
C. Senior management determines resource allocations. Having established that the level of security is inadequate, it is imperative that senior management accept the risk resulting from their decisions.
Information systems (IS) control objectives are useful to IS auditors because they provide the basis for understanding the:
A. desired result or purpose of implementing specific control procedures.
B. best information systems (IS) security control practices relevant to a specific entity.
C. techniques for securing information.
D. security policy.
A. An information systems (IS) control objective is defined as the statement of the desired result or purpose to be achieved by implementing control procedures in a particular IS activity.
A poor choice of passwords and unencrypted data transmissions over unprotected communications lines are examples of:
A. vulnerabilities.
B. threats.
C. probabilities.
D. impacts.
A. Vulnerabilities represent weaknesses of information resources that may be exploited by a threat. Because these are weaknesses that can be addressed by the security specialist, they are examples of vulnerabilities.
Which of the following factors is MOST critical when evaluating the effectiveness of an IT governance implementation?
A. Ensure that assurance objectives are defined.
B. Determine stakeholder requirements and involvement.
C. Identify relevant risk and related opportunities.
D. Determine relevant enablers and their applicability.
B. The most critical factor to be considered in auditing an IT governance implementation is to determine stakeholder requirements and involvement. This drives the success of the project. Based on this, the assurance scope and objectives are determined.
An enterprise hosts its data center onsite and has outsourced the management of its key financial applications to a service provider. Which of the following controls BEST ensures that the service provider’s employees adhere to the security policies?
A. Sign-off is required on the enterprise’s security policies for all users.
B. An indemnity clause is included in the contract with the service provider.
C. Mandatory security awareness training is implemented for all users.
D. Security policies should be modified to address compliance by third-party users.
B. Having the service provider sign an indemnity clause ensures compliance with the enterprise’s security policies, because any violations discovered will lead to a financial liability for the service provider. This will also prompt the enterprise to monitor security violations closely.
What is the PRIMARY consideration for an information systems (IS) auditor reviewing the prioritization and coordination of IT projects and program management?
A. Projects are aligned with the organization’s strategy.
B. Identified project risk is monitored and mitigated.
C. Controls related to project planning and budgeting are appropriate.
D. IT project metrics are reported accurately.
A. The primary goal of IT projects is to add value to the business, so they must be aligned with the business strategy to achieve the intended results. Therefore, the information systems (IS) auditor should first focus on ensuring this alignment.
Before implementing an IT balanced scorecard, an organization must:
A. deliver effective and efficient services.
B. define key performance indicators.
C. provide business value to IT projects.
D. control IT expenses.
B. Because a BSC is a way to measure performance, a definition of key performance indicators is required before implementing an IT BSC.
Enterprise governance of IT frameworks have been developed MAINLY to help an organization’s leaders:
A. use resources responsibly and manage information systems risk.
B. realize benefits and manage the performance of practices and processes.
C. deliver value to stakeholders and preserve the value created.
D. establish accountability and manage information security risk.
C. Enterprise governance of IT frameworks help an organization’s leaders to deliver value to stakeholders by using resources responsibly, realizing value delivered, establishing roles and responsibilities, preserving value through information risk management, and maintaining the required levels of performance.
Which of the following MOST likely indicates that a customer data warehouse should remain in-house rather than be outsourced to an offshore operation?
A. Time-zone differences can impede communications between IT teams.
B. Telecommunications cost can be much higher in the first year.
C. Privacy laws can prevent cross-border flow of information.
D. Software development may require more detailed specifications.
C. Privacy laws prohibiting the cross-border flow of personally identifiable information make it impossible to locate a data warehouse containing customer information in another country.
Which of the following is expected to approve the audit charter?
A. Chief financial officer
B. CEO
C. Audit steering committee
D. Audit committee
D. One of the primary functions of the audit committee is to create and approve the audit charter.
A benefit of open system architecture is that it:
A. facilitates interoperability within different systems.
B. facilitates the integration of proprietary components.
C. is a basis for volume discounts from equipment vendors.
D. allows for the achievement of more economies of scale for equipment.
A. Open systems are those for which suppliers provide components whose interfaces are defined by public standards, thus facilitating interoperability between systems made by different vendors.
Many organizations require an employee to take a mandatory vacation (holiday) of a week or more to:
A. ensure that the employee maintains a good quality of life, which will lead to greater productivity.
B. reduce the opportunity for an employee to commit an improper or illegal act.
C. provide proper cross-training for another employee.
D. eliminate the potential disruption caused when an employee takes vacation one day at a time.
B. Required vacations or holidays of a week or more, during which someone other than the regular employee performs that employee’s job function, are often mandatory for sensitive positions because they reduce the opportunity to commit improper or illegal acts. During this time off, it may be possible to discover any fraudulent activity that was taking place.
A team conducting a risk analysis is having difficulty projecting the financial losses that can result from a risk. To evaluate the potential impact, the team should:
A. compute the amortization of the related assets.
B. calculate a return on investment (ROI).
C. apply a qualitative approach.
D. spend the time needed to define the loss amount exactly.
C. The common practice when it is difficult to calculate the financial losses is to take a qualitative approach, in which the manager affected by the risk defines the impact in terms of a weighted factor (e.g., one is a very low impact to the business and five is a very high impact).
Which of the following is a function of an IT steering committee?
A. Monitoring vendor-controlled change control and testing
B. Ensuring a separation of duties within the information processing environment
C. Approving and monitoring the status of IT plans and budgets
D. Liaising between the IT department and end users
C. The IT steering committee typically serves as a general review board for major IT projects and should not become involved in routine operations; therefore, one of its functions is to approve and monitor major projects, such as the status of IT plans and budgets.
The MOST likely effect of the lack of senior management commitment to IT strategic planning is:
A. lack of investment in technology.
B. lack of a methodology for systems development.
C. technology not aligning with organization objectives.
D. absence of control over technology contracts.
C. A steering committee should exist to ensure that the IT strategies support the organization’s goals. The absence of an information technology committee or a committee not composed of senior managers is an indication of a lack of top-level management commitment. This condition increases the risk that IT is not aligned with organization strategy.
Regarding the outsourcing of IT services, which of the following conditions should be of GREATEST concern to an information systems (IS) auditor?
A. Core activities that provide a differentiated advantage to the organization have been outsourced.
B. Periodic renegotiation is not specified in the outsourcing contract.
C. The outsourcing contract fails to cover every action required by the business.
D. Similar activities are outsourced to more than one vendor.
A. An organization’s core activities generally should not be outsourced because they are what the organization does best; an information systems (IS) auditor observing that condition should be concerned.
Which of the following user profiles should be of MOST concern to an information systems (IS) auditor when performing an audit of an electronic funds transfer system?
A. Three users with the ability to capture and verify their own messages
B. Five users with the ability to capture and send their own messages
C. Five users with the ability to verify other users and to send their own messages
D. Three users with the ability to capture and verify the messages of other users and to send their own messages
A. The ability of one individual to capture and verify their own messages represents an inadequate segregation of duties because messages can be taken as correct and appear as if they had already been verified. Verification of a message should not be performed by the person who sent it.
An information systems (IS) auditor is evaluating the IT governance framework of an organization. Which of the following is the GREATEST concern?
A. Senior management has limited involvement.
B. Return on investment (ROI) is not measured.
C. Chargeback of IT cost is not consistent.
D. Risk appetite is not quantified.
A. To ensure that the IT governance framework is effectively in place, senior management must be involved and aware of their roles and responsibilities. Therefore, it is essential to ensure the involvement of senior management when evaluating the soundness of IT governance.
An organization has outsourced its help desk activities. An information systems (IS) auditor’s GREATEST concern when reviewing the contract and associated service level agreement between the organization and vendor should be the provisions for:
A. documentation of staff background checks.
B. independent audit reports or full audit access.
C. reporting the year-to-year incremental cost reductions.
D. reporting staff turnover, development or training.
B. When the functions of an IT department are outsourced, an information systems (IS) auditor should ensure that a provision is made for independent audit reports that cover all essential areas, or that the outsourcer has full audit access.
Which of the following insurance types provides for a loss arising from fraudulent acts by employees?
A. Business interruption
B. Fidelity coverage
C. Errors and omissions
D. Extra expense
B. Fidelity insurance covers the loss arising from dishonest or fraudulent acts by employees.
A local area network (LAN) administrator normally is restricted from:
A. having end-user responsibilities.
B. reporting to the end-user manager.
C. having programming responsibilities.
D. being responsible for LAN security administration.
C. A LAN administrator should not have programming responsibilities because that can allow modification of production programs without proper separation of duties, but the LAN administrator may have end-user responsibilities.
As an outcome of information security governance, strategic alignment provides:
A. security requirements driven by enterprise requirements.
B. baseline security following good practices.
C. institutionalized and commoditized solutions.
D. an understanding of risk exposure.
A. Information security governance, when properly implemented, should provide four basic outcomes: strategic alignment, value delivery, risk management and performance measurement. Strategic alignment provides input for security requirements driven by enterprise requirements.
An information systems (IS) auditor reviewing an outsourcing contract of IT facilities expects it to define the:
A. hardware configuration.
B. access control software.
C. ownership of intellectual property (IP).
D. application development methodology.
C. The contract must specify who owns the intellectual property (IP) (i.e., information being processed and application programs). Ownership of IP is a significant cost and is a key aspect to be defined in an outsourcing contract.
A small organization has only one database administrator (DBA) and one system administrator. The DBA has root access to the UNIX server, which hosts the database application. How should separation of duties be enforced in this scenario?
A. Hire a second DBA and split the duties between the two individuals.
B. Remove the DBA’s root access on all UNIX servers.
C. Ensure that all actions of the DBA are logged and that all logs are backed up to removable media.
D. Ensure that database logs are forwarded to a UNIX server where the DBA does not have root access.
D. By creating logs that the DBA cannot erase or modify, separation of duties is enforced.
An information systems (IS) auditor reviewing an organization that uses cross-training practices should assess the risk of:
A. dependency on a single person.
B. inadequate succession planning.
C. one person knowing all parts of a system.
D. a disruption of operations.
C. Cross-training is a process of training more than one individual to perform a specific job or procedure. However, before using this approach, it is prudent to assess the risk of any one person knowing all parts of a system and the potential exposures related to abuse of privilege.
Which of the following is the BEST reference for an information systems (IS) auditor to determine a vendor’s ability to meet service level agreement requirements for a critical IT security service?
A. Compliance with the master contract
B. Agreed-on key performance indicators (KPIs)
C. Results of business continuity tests
D. Results of independent audit reports
B. Key performance indicators (KPIs) are metrics that provide a means to measure performance. Service level agreements (SLAs) are statements of expected service levels. For example, an Internet service provider (ISP) may guarantee that its service will be available 99.99 percent of the time.
In reviewing the IT short-range (tactical) plan, an information systems (IS) auditor should determine whether:
A. there is an integration of IT and business personnel within projects.
B. there is a clear definition of the IT mission and vision.
C. a strategic information technology planning scorecard is in place.
D. the plan correlates business objectives to IT goals and objectives.
A. The integration of IT and business personnel in projects is an operational issue and should be considered while reviewing the short-range plan. A strategic plan provides a framework for the IT short-range plan.
An information systems (IS) auditor was hired to review ebusiness security. The IS auditor’s first task was to examine each existing ebusiness application, looking for vulnerabilities. What is the IS auditor’s next task?
A. Immediately report the risk to the chief information officer and chief executive officer.
B. Examine the ebusiness application in development.
C. Identify threats and the likelihood of occurrence.
D. Check the budget available for risk management.
C. To determine the risk associated with ebusiness, an information systems (IS) auditor must identify the assets, look for vulnerabilities, and then identify the threats and the likelihood of occurrence.
Which of the following is the GREATEST risk of an inadequate policy definition for ownership of data and systems?
A. User management coordination does not exist.
B. Specific user accountability cannot be established.
C. Unauthorized users may have access to modify data.
D. Audit recommendations may not be implemented.
C. Without a policy defining who has the responsibility for granting access to specific systems, there is an increased risk that individuals can gain (be given) system access when they should not have authorization. The ability of unauthorized users to modify data is greater than the risk of authorized user accounts not being controlled properly.
An information systems (IS) audit department is planning to minimize the risk of short-term employees. Activities contributing to this objective are documented procedures, knowledge sharing, cross-training and:
A. succession planning.
B. staff job evaluation.
C. responsibilities definitions.
D. employee award programs.
A. Succession planning ensures that internal personnel with the potential to fill key positions in the organization are identified and developed.
On which of the following factors should an information systems (IS) auditor PRIMARILY focus when determining the appropriate level of protection for an information asset?
A. Results of a risk assessment
B. Relative value to the business
C. Results of a vulnerability assessment
D. Cost of security controls
A. The appropriate level of protection for an asset is determined based on the risk associated with the asset. The results of the risk assessment are, therefore, the primary information that the information systems (IS) auditor should review.
When reviewing an organization’s approved software product list, which of the following is the MOST important thing to verify?
A. The risk associated with the use of the products is periodically assessed.
B. The latest version of software is listed for each product.
C. Due to licensing issues, the list does not contain open-source software.
D. After-hours support is offered.
A. Because the business conditions surrounding vendors may change, it is important for an organization to conduct periodic risk assessments of the vendor software list. This may be best incorporated into the IT risk management process.
Which of the following is the BEST reason to implement a policy that places conditions on secondary employment for IT employees?
A. To prevent the misuse of corporate resources
B. To prevent conflicts of interest
C. To prevent employee performance issues
D. To prevent theft of IT assets
B. The best reason to implement and enforce a policy governing secondary employment is to prevent conflicts of interest. Policies should be in place to control IT employees seeking secondary employment from releasing sensitive information or working for a competing organization. Conflicts of interest can result in serious risk, such as fraud, theft of intellectual property or other improprieties.
Which of the following is the PRIMARY objective of an IT performance measurement process?
A. Minimize errors
B. Gather performance data
C. Establish performance baselines
D. Optimize performance
D. An IT performance measurement process can be used to optimize performance, measure and manage products/services, assure accountability, and make budget decisions.
Effective IT governance requires organizational structures and processes to ensure that:
A. risk is maintained at a level acceptable for IT management.
B. the business strategy is derived from an IT strategy.
C. IT governance is separate and distinct from overall governance.
D. the IT strategy extends the organization strategies and objectives.
D. Effective IT governance requires that board and executive management extend governance to IT and provide the leadership, organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives, and that the IT strategy is aligned with business strategy.
Which of the following should be included in an organization’s information security policy?
A. A list of key IT resources to be secured
B. The basis for access control authorization
C. Identity of sensitive security assets
D. Relevant software security features
B. The security policy provides a broad framework of security as laid down and approved by senior management. It includes a definition of those authorized to grant access and the basis for granting the access.
An information systems (IS) auditor is assigned to review an organization’s information security policy. Which of the following issues represents the HIGHEST potential risk?
A.The policy has not been updated in more than one year.
B.The policy includes no revision history.
C.The policy is approved by the security administrator.
D.The organization does not have an information security policy committee.
C. The information security policy should have an owner who has management responsibility for the development, review, approval and evaluation of the security policy. The position of security administrator is typically a staff-level position (not management), and therefore does not have the authority to approve the policy. In addition, an individual in a more independent position should also review the policy. Without proper management approval, enforcing the policy may be problematic, leading to compliance or security issues.
The output of the risk management process is an input for making:
A.business plans.
B.audit charters.
C.security policy decisions.
D.software design decisions.
C. The risk management process is about making specific, security-related decisions, such as the level of acceptable risk.
While conducting an audit of a service provider for a government program involving confidential information, an information systems (IS) auditor noted that the service provider delegated a part of the IS work to another subcontractor. Which of the following provides the MOST assurance that the requirements for protecting confidentiality of information are met?
A.Monthly committee meetings include the subcontractor’s IS manager.
B.Management reviews weekly reports from the subcontractor.
C.Permission is obtained from the government agent regarding the contract.
D.Periodic independent audits are performed of the work delegated to the subcontractor.
D. Periodic independent audits provide reasonable assurance that the requirements for protecting confidentiality of information are not compromised.
An organization has contracted with a vendor for a turnkey solution for its electronic toll collection system (ETCS). The vendor has provided its proprietary application software as part of the solution. The contract should require that:
A.a backup server is available to run ETCS operations with up-to-date data.
B.a backup server is loaded with all relevant software and data.
C.the systems staff of the organization is trained to handle any event.
D.source code of the ETCS application is placed in escrow.
D. Whenever proprietary application software is purchased, the contract should provide for a source code escrow agreement. This agreement ensures that the purchasing organization can modify the software if the vendor ceases to be in business.
When developing a formal enterprise security program, the MOST critical success factor (CSF) is the:
A.establishment of a review board.
B.creation of a security unit.
C.effective support of an executive sponsor.
D.selection of a security process owner.
C. The executive sponsor is in charge of supporting the organization’s strategic security program and aids in directing the organization’s overall security management activities. Therefore, support by the executive level of management is the most critical success factor (CSF).
When auditing the IT governance framework and IT risk management practices existing within an enterprise, the information systems (IS) auditor identified some undefined responsibilities regarding IT management and governance roles. Which of the following recommendations is the MOST appropriate?
A.Review the strategic alignment of IT with the business.
B.Implement accountability rules within the enterprise.
C.Ensure that independent IS audits are conducted periodically.
D.Create a chief risk officer role in the enterprise.
B. IT risk is managed by embedding accountability into the enterprise. The information systems (IS) auditor should recommend the implementation of accountability rules to ensure that all responsibilities are defined within the enterprise. Note that this question asks for the best recommendation—not about the finding itself.
Which of the following is the MOST important function to be performed by IT management when a service has been outsourced?
A.Ensuring that invoices are paid to the provider
B.Participating in systems design with the provider
C.Renegotiating the provider’s fees
D.Monitoring the outsourcing provider’s performance
D. In an outsourcing environment, the enterprise is dependent on the performance of the service provider. Therefore, it is critical that the outsourcing provider’s performance is monitored to ensure that services are delivered to the enterprise as required.
Which of the following should be of GREATEST concern to an information systems (IS) auditor when reviewing an information security policy? The policy:
A.is driven by an IT department’s objectives.
B.is published, but users are not required to read the policy.
C.does not include information security procedures.
D.has not been updated in over a year.
A. Business objectives drive the information security policy, and the information security policy drives the selection of IT department objectives. A policy driven by IT objectives is at risk of not being aligned with business goals.
An information systems (IS) auditor is evaluating a newly developed IT policy for an organization. Which of the following factors does the IS auditor consider MOST important to facilitate compliance with the policy upon its implementation?
A.Existing IT mechanisms enabling compliance
B.Alignment of the policy to the business strategy
C.Current and future technology initiatives
D.Regulatory compliance objectives defined in the policy
A. The organization should be able to comply with a policy when it is implemented. The most important consideration when evaluating the new policy should be the existing mechanisms in place that enable the organization and its employees to comply with the policy.
While reviewing the IT governance processes of an organization, an information systems (IS) auditor discovers the firm has recently implemented an IT balanced scorecard (BSC). The implementation is complete; however, the IS auditor notices that performance indicators are not objectively measurable. What is the PRIMARY risk presented by this situation?
A.Key performance indicators are not reported to management and management cannot determine the effectiveness of the BSC.
B.IT projects could suffer from cost overruns.
C.Misleading indications of IT performance may be presented to management.
D.IT service level agreements may not be accurate.
C. The IT balanced scorecard is designed to measure IT performance. To measure performance, a sufficient number of performance drivers (key performance indicators [KPIs]) must be defined and measured over time. Failure to have objective KPIs may result in arbitrary, subjective measures that may be misleading and lead to unsound decisions.
An information systems (IS) auditor is verifying IT policies and finds that some of the policies have not been approved by management (as required by policy), but the employees strictly follow the policies. What should the IS auditor do FIRST?
A.Ignore the absence of management approval because employees follow the policies.
B.Recommend immediate management approval of the policies.
C.Emphasize the importance of approval to management.
D.Report the absence of documented approval.
D. The IS auditor must report the finding. Unapproved policies may present a potential risk to the organization, even if they are being followed, because this technicality may prevent management from enforcing the policies in some cases and may present legal issues. For example, if an employee was terminated as a result of violating an organizational policy, and it was discovered that the policies had not been approved, the organization may face a lawsuit.