Domain 2: Governance & Management of IT Flashcards
What is the difference between Governance and Management?
Governance aims to provide a strategy to obtain business objectives. Management aims to implement procedures to achieve the business objectives set by the governance body.
What is the primary reason an IS auditor should review the organisational chart?
To understand the structure of the organisation.
Who has the final responsibility for IT governance?
Board of directors / CEO
What should IT departments do in order to achieve the organisation's objectives?
The IT department should have long- and short-term plans that are consistent with the organisation's business objectives.
What is the greatest concern with respect to an organisation's governance model?
Senior management does not review information security policies
Having approved suppliers for the company’s products is related to what?
Strategic planning
Who is responsible for IT governance?
The board of directors. They are required to ensure that IT activities are moving in the desired direction.
An IT strategic plan should contain?
The IT strategic plan must contain a clear statement regarding the mission and vision of IT.
What is the main objective of IT governance?
Ensuring the optimal use of technology resources
What is the primary purpose of corporate governance?
Corporate governance provides a strategic direction to the organisation as a whole.
What is COBIT?
The Control Objective for Information Technology is an EGIT framework that ensures IT is aligned with business objectives
What is ISO27001?
ISO 27000 is a set of best practices for information security programs.
What is ITIL?
The Information Technology Infrastructure Library is a detailed framework for the operational service management of IT.
What is O-ISM3?
The Open Information Security Management Maturity Model is a process-based ISM maturity model for security.
What is an IT standard?
An IT standard is a mandatory requirement to be followed in order to comply with a given framework or certification.
What is a policy?
A policy is a set of ideas or strategies that are used as a basis for decision making. They are the high-level statements of direction by management.
What is a procedure?
Procedures are detailed steps and actions that help support the policy objectives.
What are guidelines?
Guidelines are additional details to help execute procedures.
What should the Information security policy contain?
This should contain management's commitment to the safeguarding of information assets
When should the information security policy be reviewed?
At least annually or when there is a significant change to the environment of the business.
What should be the first step for the auditor after discovering that IT policies are not approved by management?
Report the findings.
How can policy compliance be ensured?
Existing IT systems should be able to enable compliance.
What should the Information security policy include?
This should include something about access control
What is the most important factor for successful implementation of a security policy?
That it is delivered and acknowledged by all users
What is the most important concern while reviewing the information security policy?
That the IT department's objectives drive the policy and are not aligned with the organisation's overall objectives.
What is the most important factor in determining the appropriate level of protection?
The outcome of a risk assessment because it considers risks on the basis of probability and impact.
What is the first point of reference for an IS auditor conducting an audit?
Approved policies.
What is the most important factor when developing an information security policy?
Risk appetite as some risks will have to be accepted by the business to meet business objectives.
Who is a part of the Strategy Committee?
This committee consists of members of the board and specialist non-members of the board.
What is the overall job of the IT strategy committee?
To advise the board on the IT strategy.
What is the overall job of the IT steering committee?
Responsible for the implementation and monitoring
With whom does ownership lie in regard to the system development project?
User management
With whom does accountability for ensuring relevant controls over IS resources rest?
The resource owner
Who is ultimately responsible for internal control?
Senior Management
Who has overall responsibility for system development projects?
The project steering committee
Who is the most suitable person to be appointed as chair of the steering committee?
An executive-level officer
What is the main advantage of EA?
Enterprise Architecture is to help with technology selection and adoption
What is the best level of control when customised software is developed by a third-party vendor?
An escrow agreement
What is one of the most valuable factors regarding technology transition rate?
Change control includes the application and execution of good change management systems
What are all of the risk management process steps?
Asset identification, the identification of threats and vulnerabilities, evaluation of impact, calculation of risk and risk response
What are the risk analysis methods?
Qualitative, Semi-quantitative and quantitative
What are some risk treatment options?
Mitigate, Accept, Avoid, Transfer
What is the first step when implementing a risk management program?
Asset identification followed by determining threats and vulnerabilities
When auditing an organisation's risk management procedure, what should be reviewed first?
Threats and vulnerabilities affecting the assets should be reviewed first.
When establishing the level of acceptable risk, who does the responsibility lie with?
Senior business management
What is fidelity coverage?
Fidelity insurance is used by an employer to protect against losses caused by a dishonest or disgruntled employee
What is a major factor to consider in relation to offshore data storage/transfer?
privacy laws
What is a concern surrounding the use of cloud services?
Compliance with laws and regulations
When it is not possible to implement segregation of duties, what compensating control should be put in place?
Reviewing transaction and application logs will help to deter employees from misusing their powers
What is a risk that an auditor should be aware of when reviewing a company that uses cross-training practices?
If all parts of a system are known to only one person, that person may abuse their powers
What is the most important consideration when reviewing an approved software product list?
IT products should be reviewed periodically to ensure new or emerging risks are identified and addressed
What clause in an outsourcing contract will help improve the level of service and reduce costs?
Performance bonuses, as they provide the service provider with incentives to perform
What clause is most important when reviewing and floating a Request for Proposal?
References from other customers
What is a major concern when reviewing a system development approach?
The lack of a quality plan in the contract
What is the BEST control to monitor the service provision of a 3rd party?
Conduct periodic audit reviews
What is the first factor to be considered when reviewing the SLA?
Whether the contractual warranties support the requirements of the organisation.
What is an indemnity clause?
An indemnity clause is a provision in a contract that requires one party to compensate the other party for any losses or damages that they may incur as a result of the contract