Domain 2: Governance and Management of IT Part 2A Flashcards
After an organization completed a threat and vulnerability analysis as part of a risk assessment, the final report suggested that an intrusion prevention system (IPS) should be installed at the main Internet gateways and that all business units should be separated via a proxy firewall. Which of the following is the BEST method to determine whether the controls should be implemented?
A cost-benefit analysis
After the merger of two organizations, multiple self-developed legacy applications from both organizations are to be replaced by a new common platform. Which of the following is the GREATEST risk?
The replacement effort consists of several independent projects without integrating the resource allocation in a portfolio management approach.
As a driver of IT governance, transparency of IT’s cost, value and risk is primarily achieved through:
performance measurement.
As an outcome of information security governance, strategic alignment provides:
security requirements driven by enterprise requirements.
As a result of profitability pressure, senior management of an enterprise decided to keep investments in information security at an inadequate level. Which of the following is the BEST recommendation of an IS auditor?
Request that senior management accept the risk.
Assessing IT risk is BEST achieved by:
evaluating threats and vulnerabilities associated with existing IT assets and IT projects.
A benefit of open system architecture is that it:
facilitates interoperability within different systems.
A business unit has selected a new accounting application and did not consult with IT early in the selection process. The PRIMARY risk is that:
the application technology may be inconsistent with the enterprise architecture.
By evaluating application development projects against the capability maturity model (CMM), an IS auditor should be able to verify that:
predictable software processes are followed.
A comprehensive and effective email policy should address the issues of email structure, policy enforcement, monitoring and:
retention.
Corporate IT policy for a call center requires that all users be assigned unique user accounts. On discovering that this is not the case for all current users, what is the MOST appropriate recommendation?
Implement individual user accounts for all staff.
During an audit, an IS auditor notices that the IT department of a medium-sized organization has no separate risk management function, and the organization’s operational risk documentation only contains a few broadly described types of IT risk. What is the MOST appropriate recommendation in this situation?
Establish regular IT risk management meetings to identify and assess risk and create a mitigation plan as input to the organization’s risk management.
During an audit, the IS auditor discovers that the human resources (HR) department uses a cloud-based application to manage employee records. The HR department engaged in a contract outside of the normal vendor management process and manages the application on its own. Which of the following is of GREATEST concern?
Effective IT governance ensures that the IT plan is consistent with the organization’s:
business plan.
Effective IT governance requires organizational structures and processes to ensure that:
the IT strategy extends the organization’s strategies and objectives.
An enterprise’s risk appetite is BEST established by:
the steering committee.
Errors in audit procedures PRIMARILY impact which of the following risk types?
Detection risk
Establishing the level of acceptable risk is the responsibility of:
senior business management.
A financial enterprise has had difficulties establishing clear responsibilities between its IT strategy committee and its IT steering committee. Which of the following responsibilities would MOST likely be assigned to its IT steering committee?
Approving IT project plans and budgets
A financial services enterprise has a small IT department, and individuals perform more than one role. Which of the following practices represents the GREATEST risk?
The developers promote code into the production environment.
For a healthcare organization, which one of the following reasons MOST likely indicates that the patient benefit data warehouse should remain in-house rather than be outsourced to an offshore operation?
There are regulations regarding data privacy.
From a control perspective, the key element in job descriptions is that they:
establish responsibility and accountability for the employee’s actions.
From an IT governance perspective, what is the PRIMARY responsibility of the board of directors? To ensure that the IT strategy:
is aligned with the business strategy.
The initial step in establishing an information security program is the:
adoption of a corporate information security policy statement.
In the context of effective information security governance, the primary objective of value delivery is to:
optimize security investments in support of business objectives.
Involvement of senior management is MOST important in the development of:
strategic plans.
An IS audit department is planning to minimize the risk of short-term employees. Activities contributing to this objective are documented procedures, knowledge sharing, cross-training and:
succession planning.
An IS auditor discovers several IT-based projects were implemented and not approved by the steering committee. What is the GREATEST concern for the IS auditor?
The IT department may not be working toward a common goal.
An IS auditor finds that not all employees are aware of the enterprise’s information security policy. The IS auditor should conclude that:
this lack of knowledge may lead to unintentional disclosure of sensitive information.
An IS auditor found that the enterprise architecture (EA) recently adopted by an organization has an adequate current-state representation. However, the organization has started a separate project to develop a future-state representation. The IS auditor should:
report this issue as a finding in the audit report.
An IS auditor has been assigned to review an organization’s information security policy. Which of the following issues represents the HIGHEST potential risk?
The policy is approved by the security administrator.
An IS auditor identifies that reports on product profitability produced by an organization’s finance and marketing departments give different results. Further investigation reveals that the product definition being used by the two departments is different. What should the IS auditor recommend?
Organizational data governance practices are put in place.
An IS auditor is evaluating a newly developed IT policy for an organization. Which of the following factors does the IS auditor consider MOST important to facilitate compliance with the policy upon its implementation?
Existing IT mechanisms enabling compliance
An IS auditor is evaluating management’s risk assessment of information systems. The IS auditor should FIRST review:
threats/vulnerabilities affecting the assets.
An IS auditor is evaluating the IT governance framework of an organization. Which of the following is the GREATEST concern?
Senior management has limited involvement.
An IS auditor is performing a review of an organization’s governance model. Which of the following should be of MOST concern to the auditor?
The information security policy is not periodically reviewed by senior management.
An IS auditor is performing a review of the software quality management process in an organization. The FIRST step should be to:
request all standards adopted by the organization.
An IS auditor is reviewing an IT security risk management program. Measures of security risk should:
consider the entire IT environment.
An IS auditor is reviewing the risk management process. Which of the following is the MOST important consideration during this review?
IT risk is presented in business terms.
An IS auditor is verifying IT policies and finds that some of the policies have not been approved by management (as required by policy), but the employees strictly follow the policies. What should the IS auditor do FIRST?
Report the absence of documented approval.
An IS auditor of a large organization is reviewing the roles and responsibilities of the IT function and finds some individuals serving multiple roles. Which one of the following combinations of roles should be of GREATEST concern for the IS auditor?
System administrators are application programmers.
An IS auditor reviewing the IT organization is MOST concerned if the IT steering committee:
is responsible for determining business goals.
An IS auditor reviews an organizational chart PRIMARILY for:
understanding the responsibilities and authority of individuals.
An IS auditor was hired to review e-business security. The IS auditor’s first task was to examine each existing e-business application, looking for vulnerabilities. What is the next task?
Identify threats and the likelihood of occurrence.
IS control objectives are useful to IS auditors because they provide the basis for understanding the:
desired result or purpose of implementing specific control procedures.
IT governance is PRIMARILY the responsibility of the:
board of directors.
An IT steering committee should:
maintain minutes of its meetings and keep the board of directors informed.
A local area network (LAN) administrator normally is restricted from:
having programming responsibilities.
The MOST important element for the effective design of an information security policy is the:
enterprise risk appetite.
The MOST important point of consideration for an IS auditor while reviewing an enterprise’s project portfolio is that it:
is aligned with the business plan.
The MOST likely effect of the lack of senior management commitment to IT strategic planning is:
technology not aligning with organization objectives.
On which of the following factors should an IS auditor PRIMARILY focus when determining the appropriate level of protection for an information asset?
Results of a risk assessment
An organization has a well-established risk management process. Which of the following risk management practices would MOST likely expose the organization to the greatest amount of compliance risk?
Risk transfer
An organization is considering making a major investment in upgrading technology. Which of the following choices is the MOST important to consider?
A risk analysis
The output of the risk management process is an input for making:
security policy decisions.
Overall quantitative business risk for a particular threat can be expressed as:
a product of the likelihood and magnitude of the impact if a threat successfully exploits a vulnerability.
A poor choice of passwords and unencrypted data transmissions over unprotected communications lines are examples of:
vulnerabilities.
The PRIMARY benefit of implementing a security program as part of a security governance framework is the:
enforcement of the management of security risk.
The PRIMARY objective of implementing corporate governance is to:
provide strategic direction.
The rate of change in technology increases the importance of:
implementing and enforcing sound processes.
Responsibility for the governance of IT should rest with the:
board of directors.
The risk associated with electronic evidence gathering is MOST likely reduced by an email:
archive policy.
Sharing risk is a key factor in which of the following methods of managing risk?
Transferring risk
A small organization has only one database administrator (DBA) and one system administrator. The DBA has root access to the UNIX server, which hosts the database application. How should segregation of duties be enforced in this scenario?
Ensure that database logs are forwarded to a UNIX server where the DBA does not have root access.
A team conducting a risk analysis is having difficulty projecting the financial losses that could result from a risk. To evaluate the potential impact, the team should:
apply a qualitative approach.
To address the risk of operations staff’s failure to perform the daily backup, management requires that the systems administrator sign off on the daily backup. This is an example of risk:
mitigation.
To aid management in achieving IT and business alignment, an IS auditor should recommend the use of:
an IT balanced scorecard.
To gain an understanding of the effectiveness of an organization’s planning and management of investments in IT assets, an IS auditor should review the:
IT balanced scorecard.
A top-down approach to the development of operational policies helps to ensure:
that they are consistent across the organization.
The ultimate purpose of IT governance is to:
encourage optimal use of IT.
What is the PRIMARY consideration for an IS auditor reviewing the prioritization and coordination of IT projects and program management?
Projects are aligned with the organization’s strategy.
When auditing the IT governance framework and IT risk management practices that exist within an organization, the IS auditor identified some undefined responsibilities regarding IT management and governance roles. Which of the following recommendations is the MOST appropriate?
Implement accountability rules within the organization.
When developing a formal enterprise security program, the MOST critical success factor is the:
effective support of an executive sponsor.
When developing a security architecture, which of the following steps should be executed FIRST?
Defining a security policy
When implementing an IT governance framework in an organization the MOST important objective is:
IT alignment with the business.
When performing a review of a business process reengineering (BPR) effort, which of the following is of PRIMARY concern?
Controls are eliminated as part of the streamlining BPR effort.
When reviewing an organization’s strategic IT plan, an IS auditor should expect to find:
an assessment of the fit of the organization’s application portfolio with business objectives.
When reviewing the development of information security policies, the PRIMARY focus of an IS auditor should be on assuring that these policies:
strike a balance between business and security requirements.
When reviewing the IT strategic planning process, an IS auditor should ensure that the plan:
articulates the IT mission and vision.
When reviewing the IT strategy, an IS auditor can BEST assess whether the strategy supports the organization’s business objectives by determining whether IT:
plans are consistent with management strategy.
When segregation of duties concerns exist between IT support staff and end users, what would be a suitable compensating control?
Reviewing transaction and application logs
Which of the following BEST supports the prioritization of new IT projects?
Investment portfolio analysis
Which of the following choices is the PRIMARY benefit of requiring a steering committee to oversee IT investment?
To ensure that investments are made according to business requirements
Which of the following does a lack of adequate security controls represent?
Vulnerability
Which of the following does an IS auditor consider to be MOST important when evaluating an organization’s IT strategy? That it:
supports the business objectives of the organization.
Which of the following factors is MOST critical when evaluating the effectiveness of an IT governance implementation?
Determine stakeholder requirements and involvement.
Which of the following inputs adds the MOST value to the strategic IT initiative decision-making process?
The IT project portfolio analysis
Which of the following insurance types provide for a loss arising from fraudulent acts by employees?
Fidelity coverage
Which of the following is a function of an IT steering committee?
Approving and monitoring the status of IT plans and budgets
Which of the following is an implementation risk within the process of decision support systems?
Inability to specify purpose and usage patterns
Which of the following is MOST critical for the successful implementation and maintenance of a security policy?
Assimilation of the framework and intent of a written security policy by all appropriate parties
Which of the following is MOST important to consider when reviewing the classification levels of information assets?
Potential loss
Which of the following is normally a responsibility of the chief information security officer?
Periodically reviewing and evaluating the security policy
Which of the following is of MOST interest to an IS auditor reviewing an organization’s risk strategy?
All likely risk is identified and ranked.
Which of the following is responsible for the approval of an information security policy?
Board of directors
Which of the following is the BEST enabler for strategic alignment between business and IT?
Goals and metrics
Which of the following is the BEST reason to implement a policy that places conditions on secondary employment for IT employees?
To prevent conflicts of interest
Which of the following is the BEST way to ensure that organizational policies comply with legal requirements?
Periodic review by subject matter experts
Which of the following is the GREATEST risk of an inadequate policy definition for ownership of data and systems?
Unauthorized users may have access to modify data.
Which of the following is the initial step in creating a firewall policy?
Identification of network applications to be externally accessed
Which of the following is the MOST important element for the successful implementation of IT governance?
Identifying organizational strategies
Which of the following IT governance good practices improves strategic alignment?
Top management mediates between the imperatives of business and technology.
Which of the following MOST likely indicates that a customer data warehouse should remain in-house rather than be outsourced to an offshore operation?
Privacy laws can prevent cross-border flow of information.
Which of the following should an IS auditor recommend to BEST enforce alignment of an IT project portfolio with strategic organizational priorities?
Select projects according to business benefits and risk.
Which of the following should be considered FIRST when implementing a risk management program?
An understanding of the organization’s threat, vulnerability and risk profile
Which of the following should be included in an organization’s information security policy?
The basis for access control authorization
Which of the following should be of GREATEST concern to an IS auditor when reviewing an information security policy? The policy:
is driven by an IT department’s objectives.
Which of the following should be the MOST important consideration when deciding on areas of priority for IT governance implementations?
Business risk
Which of the following user profiles should be of MOST concern to an IS auditor when performing an audit of an electronic funds transfer (EFT) system?
Three users with the ability to capture and verify their own messages
While reviewing the IT governance processes of an organization, an IS auditor discovers the firm has recently implemented an IT balanced scorecard (BSC). The implementation is complete; however, the IS auditor notices that performance indicators are not objectively measurable. What is the PRIMARY risk presented by this situation?
Misleading indications of IT performance may be presented to management.