Domain 2: Governance and Management of IT Part 2A

Question 1

After an organization completed a threat and vulnerability analysis as part of a risk assessment, the final report suggested that an intrusion prevention system (IPS) should be installed at the main Internet gateways and that all business units should be separated via a proxy firewall. Which of the following is the BEST method to determine whether the controls should be implemented?

Answer 1

A cost-benefit analysis

Question 2

After the merger of two organizations, multiple self-developed legacy applications from both organizations are to be replaced by a new common platform. Which of the following is the GREATEST risk?

Answer 2

The replacement effort consists of several independent projects without integrating the resource allocation in a portfolio management approach.

Question 3

As a driver of IT governance, transparency of IT’s cost, value and risk is primarily achieved through:

Answer 3

performance measurement.

Question 4

As an outcome of information security governance, strategic alignment provides:

Answer 4

security requirements driven by enterprise requirements.

Question 5

As result of profitability pressure, senior management of an enterprise decided to keep investments in information security at an inadequate level, which of the following is the BEST recommendation of an IS auditor?

Answer 5

Request that senior management accept the risk.

Question 6

Assessing IT risk is BEST achieved by:

Answer 6

evaluating threats and vulnerabilities associated with existing IT assets and IT projects.

Question 7

A benefit of open system architecture is that it:

Answer 7

facilitates interoperability within different systems.

Question 8

A business unit has selected a new accounting application and did not consult with IT early in the selection process. The PRIMARY risk is that:

Answer 8

the application technology may be inconsistent with the enterprise architecture.

Question 9

By evaluating application development projects against the capability maturity model (CMM), an IS auditor should be able to verify that:

Answer 9

predictable software processes are followed.

Question 10

A comprehensive and effective email policy should address the issues of email structure, policy enforcement, monitoring and:

Answer 10

retention.

Question 11

Corporate IT policy for a call center requires that all users be assigned unique user accounts. On discovering that this is not the case for all current users, what is the MOST appropriate recommendation?

Answer 11

Implement individual user accounts for all staff.

Question 12

During an audit, an IS auditor notices that the IT department of a medium-sized organization has no separate risk management function, and the organization’s operational risk documentation only contains a few broadly described types of IT risk. What is the MOST appropriate recommendation in this situation?

Answer 12

Establish regular IT risk management meetings to identify and assess risk and create a mitigation plan as input to the organization’s risk management.

Question 13

During an audit, the IS auditor discovers that the human resources (HR) department uses a cloud-based application to manage employee records. The HR department engaged in a contract outside of the normal vendor management process and manages the application on its own. Which of the following is of GREATEST concern?

Answer 13

During an audit, the IS auditor discovers that the human resources (HR) department uses a cloud-based application to manage employee records. The HR department engaged in a contract outside of the normal vendor management process and manages the application on its own. Which of the following is of GREATEST concern?

Question 14

Effective IT governance ensures that the IT plan is consistent with the organization’s:

Answer 14

business plan.

Question 15

Effective IT governance requires organizational structures and processes to ensure that:

Answer 15

the IT strategy extends the organization’s strategies and objectives.

Question 16

An enterprise’s risk appetite is BEST established by:

Answer 16

the steering committee.

Question 17

Errors in audit procedures PRIMARILY impact which of the following risk types?

Answer 17

Detection risk

Question 18

Establishing the level of acceptable risk is the responsibility of:

Answer 18

senior business management.

Question 19

A financial enterprise has had difficulties establishing clear responsibilities between its IT strategy committee and its IT steering committee. Which of the following responsibilities would MOST likely be assigned to its IT steering committee?

Answer 19

Approving IT project plans and budgets

Question 20

A financial services enterprise has a small IT department, and individuals perform more than one role. Which of the following practices represents the GREATEST risk?

Answer 20

The developers promote code into the production environment.

Question 21

Forahealthcareorganization,whichone of the following reasons MOST likely indicates that the patient benefit data warehouse should remain in-house rather than be outsourced to an offshore operation?

Answer 21

Thereare regulations regarding data privacy.

Question 22

From a control perspective, the key element in job descriptions is that they:

Answer 22

establish responsibility and accountability for the employee’s actions.

Question 23

From an IT governance perspective, what is the PRIMARY responsibility of the board of directors? To ensure that the IT strategy:

Answer 23

is aligned with the business strategy.

Question 24

The initial step in establishing an information security program is the:

Answer 24

adoption of a corporate information security policy statement.

Question 25

In the context of effective information security governance, the primary objective of value delivery is to:

Answer 25

optimize security investments in support of business objectives.

Question 26

Involvement of senior management is MOST important in the development of:

Answer 26

strategic plans.

Question 27

An IS audit department is planning to minimize the risk of short-term employees. Activities contributing to this objective are documented procedures, knowledge sharing, cross-training and:

Answer 27

succession planning.

Question 28

An IS auditor discovers several IT- based projects were implemented and not approved by the steering committee. What is the GREATEST concern for the IS auditor?

Answer 28

The IT department may not be working toward a common goal.

Question 29

An IS auditor finds that not all employees are aware of the enterprise’s information security policy. The IS auditor should conclude that:

Answer 29

this lack of knowledge may lead to unintentional disclosure of sensitive information.

Question 30

An IS auditor found that the enterprise architecture (EA) recently adopted by an organization has an adequate current-state representation. However, the organization has started a separate project to develop a future-state representation. The IS auditor should:

Answer 30

report this issue as a finding in the audit report.

Question 31

An IS auditor has been assigned to review an organization’s information security policy. Which of the following issues represents the HIGHEST potential risk?

Answer 31

The policy is approved by the security administrator.

Question 32

An IS auditor identifies that reports on product profitability produced by an organization’s finance and marketing departments give different results. Further investigation reveals that the product definition being used by the two departments is different. What should the IS auditor recommend?

Answer 32

Organizational data governance practices are put in place

Question 33

An IS auditor is evaluating a newly developed IT policy for an organization. Which of the following factors does the IS auditor consider MOST important to facilitate compliance with the policy upon its implementation?

Answer 33

Existing IT mechanisms enabling compliance

Question 34

An IS auditor is evaluating management’s risk assessment of information systems. The IS auditor should FIRST review:

Answer 34

threats/vulnerabilities affecting the assets.

Question 35

An IS auditor is evaluating the IT governance framework of an organization. Which of the following is the GREATEST concern?

Answer 35

Senior management has limited involvement.

Question 36

An IS auditor is performing a review of an organization’s governance model. Which of the following should be of MOST concern to the auditor?

Answer 36

The information security policy is not periodically reviewed by senior management.

Question 37

An IS auditor is performing a review of the software quality management process in an organization. The FIRST step should be to:

Answer 37

request all standards adopted by the organization.

Question 38

An IS auditor is reviewing an IT security risk management program. Measures of security risk should:

Answer 38

consider the entire IT environment.

Question 39

An IS auditor is reviewing the risk management process. Which of the following is the MOST important consideration during this review?

Answer 39

IT risk is presented in business terms.

Question 40

An IS auditor is verifying IT policies and finds that some of the policies have not been approved by management (as required by policy), but the employees strictly follow the policies. What should the IS auditor do FIRST?

Answer 40

Report the absence of documented approval.

Question 41

An IS auditor of a large organization is reviewing the roles and responsibilities of the IT function and finds some individuals serving multiple roles. Which one of the following combinations of roles should be of GREATEST concern for the IS auditor?

Answer 41

System administrators are application programmers.

Question 42

An IS auditor reviewing the IT organization is MOST concerned if the IT steering committee:

Answer 42

is responsible for determining business goals.

Question 43

An IS auditor reviews an organizational chart PRIMARILY for:

Answer 43

understanding the responsibilities and authority of individuals.

Question 44

An IS auditor was hired to review e- business security. The IS auditor’s first task was to examine each existing e-business application, looking for vulnerabilities. What is the next task?

Answer 44

Identify threats and the likelihood of occurrence.

Question 45

IS control objectives are useful to IS auditors because they provide the basis for understanding the:

Answer 45

desired result or purpose of implementing specific control procedures.

Question 46

IT governance is PRIMARILY the responsibility of the:

Answer 46

board of directors.

Question 47

An IT steering committee should:

Answer 47

maintain minutes of its meetings and keep the board of directors informed.

Question 48

A local area network (LAN) administrator normally is restricted from:

Answer 48

having programming responsibilities.

Question 49

The MOST important element for the effective design of an information security policy is the:

Answer 49

enterprise risk appetite.

Question 50

The MOST important point of consideration for an IS auditor while reviewing an enterprise’s project portfolio is that it:

Answer 50

is aligned with the business plan.

Question 51

The MOST likely effect of the lack of senior management commitment to IT strategic planning is:

Answer 51

technology not aligning with organization objectives.

Question 52

On which of the following factors should an IS auditor PRIMARILY focus when determining the appropriate level of protection for an information asset?

Answer 52

Results of a risk assessment

Question 53

An organization has a well-established risk management process. Which of the following risk management practices would MOST likely expose the organization to the greatest amount of compliance risk?

Answer 53

Risk transfer

Question 54

An organization is considering making a major investment in upgrading technology. Which of the following choices is the MOST important to consider?

Answer 54

A risk analysis

Question 55

The output of the risk management process is an input for making;

Answer 55

security policy decisions.

Question 56

Overall quantitative business risk for a particular threat can be expressed as:

Answer 56

a product of the likelihood and magnitude of the impact if a threat successfully exploits a vulnerability.

Question 57

A poor choice of passwords and unencrypted data transmissions over unprotected communications lines are examples of:

Answer 57

vulnerabilities.

Question 58

The PRIMARY benefit of implementing a security program as part of a security governance framework is the:

Answer 58

enforcement of the management of security risk.

Question 59

The PRIMARY objective of implementing corporate governance is to:

Answer 59

provide strategic direction.

Question 60

The rate of change in technology increases the importance of:

Answer 60

implementing and enforcing sound processes.

Question 61

Responsibility for the governance of IT should rest with the:

Answer 61

board of directors.

Question 62

The risk associated with electronic evidence gathering is MOST likely reduced by an email:

Answer 62

archive policy.

Question 63

Sharing risk is a key factor in which of the following methods of managing risk?

Answer 63

Transferring risk

Question 64

A small organization has only one database administrator (DBA) and one system administrator. The DBA has root access to the UNIX server, which hosts the database application. How should segregation of duties be enforced in this scenario?

Answer 64

Ensure that database logs are forwarded to a UNIX server where the DBA does not have root access.

Question 65

A team conducting a risk analysis is having difficulty projecting the financial losses that could result from a risk. To evaluate the potential impact, the team should:

Answer 65

apply a qualitative approach.

Question 66

To address the risk of operations staff’s failure to perform the daily backup, management requires that the systems administrator sign off on the daily backup. This is an example of risk:

Answer 66

mitigation.

Question 67

To aid management in achieving IT and business alignment, an IS auditor should recommend the use of:

Answer 67

an IT balanced scorecard.

Question 68

To gain an understanding of the effectiveness of an organization’s planning and management of investments in IT assets, an IS auditor should review the:

Answer 68

IT balanced scorecard.

Question 69

A top-down approach to the development of operational policies helps to ensure:

Answer 69

that they are consistent across the organization.

Question 70

The ultimate purpose of IT governance is to:

Answer 70

encourage optimal use of IT.

Question 71

What is the PRIMARY consideration for an IS auditor reviewing the prioritization and coordination of IT projects and program management?

Answer 71

Projects are aligned with the organization’s strategy.

Question 72

When auditing the IT governance framework and IT risk management practices that exist within an organization, the IS auditor identified some undefined responsibilities regarding IT management and governance roles. Which of the following recommendations is the MOST appropriate?

Answer 72

Implement accountability rules within the organization.

Question 73

When developing a formal enterprise security program, the MOST critical success factor is the:

Answer 73

effective support of an executive sponsor.

Question 74

When developing a security architecture, which of the following steps should be executed FIRST?

Answer 74

Defining a security policy

Question 75

When implementing an IT governance framework in an organization the MOST important objective is:

Answer 75

IT alignment with the business.

Question 76

When performing a review of a business process reengineering (BPR) effort, which of the following is of PRIMARY concern?

Answer 76

Controls are eliminated as part of the streamlining BPR effort.

Question 77

When reviewing an organization’s strategic IT plan, an IS auditor should expect to find:

Answer 77

an assessment of the fit of the organization’s application portfolio with business objectives.

Question 78

When reviewing the development of information security policies, the PRIMARY focus of an IS auditor should be on assuring that these policies:

Answer 78

strike a balance between business and security requirements.

Question 79

When reviewing the IT strategic planning process, an IS auditor should ensure that the plan:

Answer 79

articulates the IT mission and vision.

Question 80

When reviewing the IT strategy, an IS auditor can BEST assess whether the strategy supports the organizations’ business objectives by determining whether IT:

Answer 80

plans are consistent with management strategy.

Question 81

When segregation of duties concerns exist between IT support staff and end users, what would be a suitable compensating control?

Answer 81

Reviewing transaction and application logs

Question 82

Which of the following BEST supports the prioritization of new IT projects?

Answer 82

Investment portfolio analysis

Question 83

Which of the following choices is the PRIMARY benefit of requiring a steering committee to oversee IT investment?

Answer 83

To ensure that investments are made according to business requirements

Question 84

Which of the following does a lack of adequate security controls represent?

Answer 84

Vulnerability

Question 85

Which of the following does an IS auditor consider to be MOST important when evaluating an organization’s IT strategy? That it:

Answer 85

supports the business objectives of the organization.

Question 86

Which of the following factors is MOST critical when evaluating the effectiveness of an IT governance implementation?

Answer 86

Determine stakeholder requirements and involvement.

Question 87

Which of the following inputs adds the MOST value to the strategic IT initiative decision-making process?

Answer 87

The IT project portfolio analysis

Question 88

Which of the following insurance types provide for a loss arising from fraudulent acts by employees?

Answer 88

Fidelity coverage

Question 89

Which of the following is a function of an IT steering committee?

Answer 89

Approving and monitoring the status of IT plans and budgets

Question 90

Which of the following is an implementation risk within the process of decision support systems?

Answer 90

Inability to specify purpose and usage patterns

Question 91

Which of the following is MOST critical for the successful implementation and maintenance of a security policy?

Answer 91

Assimilation of the framework and intent of a written security policy by all appropriate parties

Question 92

Which of the following is MOST important to consider when reviewing the classification levels of information assets?

Answer 92

Potential loss

Question 93

Which of the following is normally a responsibility of the chief information security officer?

Answer 93

Periodically reviewing and evaluating the security policy

Question 94

Which of the following is of MOST interest to an IS auditor reviewing an organization’s risk strategy?

Answer 94

All likely risk is identified and ranked.

Question 95

Which of the following is responsible for the approval of an information security policy?

Answer 95

Board of directors

Question 96

Which of the following is the BEST enabler for strategic alignment between business and IT?

Answer 96

Goals and metrics

Question 97

Which of the following is the BEST reason to implement a policy that places conditions on secondary employment for IT employees?

Answer 97

To prevent conflicts of interest

Question 98

Which of the following is the BEST way to ensure that organizational policies comply with legal requirements?

Answer 98

Periodic review by subject matter experts

Question 99

Which of the following is the GREATEST risk of an inadequate policy definition for ownership of data and systems?

Answer 99

Unauthorized users may have access to modify data.

Question 100

Which of the following is the initial step in creating a firewall policy?

Answer 100

Identification of network applications to be externally accessed

Question 101

Which of the following is the MOST important element for the successful implementation of IT governance?

Answer 101

Identifying organizational strategies

Question 102

Which of the following IT governance good practices improves strategic alignment?

Answer 102

Top management mediates between the imperatives of business and technology.

Question 103

Which of the following MOST likely indicates that a customer data warehouse should remain in-house rather than be outsourced to an offshore operation?

Answer 103

Privacy laws can prevent cross-border flow of information.

Question 104

Which of the following should an IS auditor recommend to BEST enforce alignment of an IT project portfolio with strategic organizational priorities?

Answer 104

Select projects according to business benefits and risk.

Question 105

Which of the following should be considered FIRST when implementing a risk management program?

Answer 105

An understanding of the organization’s threat, vulnerability and risk profile

Question 106

Which of the following should be included in an organization’s information security policy?

Answer 106

The basis for access control authorization

Question 107

Which of the following should be of GREATEST concern to an IS auditor when reviewing an information
security policy? The policy:

Answer 107

is driven by an IT department’s objectives.

Question 108

Which of the following should be the MOST important consideration when deciding on areas of priority for IT governance implementations?

Answer 108

Business risk

Question 109

Which of the following user profiles should be of MOST concern to an IS auditor when performing an audit of an electronic funds transfer (EFT) system?

Answer 109

Three users with the ability to capture and verify their own messages

Question 110

While reviewing the IT governance processes of an organization, an IS auditor discovers the firm has recently implemented an IT balanced scorecard (BSC). The implementation is complete; however, the IS auditor notices that performance indicators are not objectively measurable. What is the PRIMARY risk presented by this situation?

Answer 110

Misleading indications of IT performance may be presented to management.