Domain 2 - IT Governance & Management

Question 1

Who is responsible for development of IS Security Policy?

Answer 1

Board of Directors

Question 2

Greatest concern for IS auditor with respect to outsourcing of IT services are?

Answer 2

The concern that outsourced activities are “core” & provide a “differentiated advantage” to the organization. Because this should not be outsourced.

Question 3

Who is responsible in managing compliance with contract for the outsourced services?

Answer 3

Organization’s IT management

Question 4

Advantage of a bottom-up approach to development of policies

Answer 4

They are more likely to be derived based on risk assessment results

Question 5

A comprehensive & effective e-mail policy should address what issues?

Answer 5

1) e-mail structure
2) policy enforcement
3) monitoring
4) retention

Question 6

What kind of responsibilities LAN administrator should & should not have?

Answer 6

LAN administrator should NOT have application programming responsibilities but MAY HAVE systems programming & end-user responsibilities

Question 7

From a control perspective, the key element in job descriptions is?

Answer 7

They establish responsibility & accountability for the employee’s actions

Question 8

Phishing is best mitigated through?

Answer 8

Because a Phishing attack exploits people, the risk is best mitigated through user security “awareness training”

Question 9

The MOST important security consideration to organization that wants to reduce its IS infrastructure by using servers provided by a Platform as a Service (PaaS) vendor are?

Answer 9

Reviewing the need for encryption of stored & transmitted application data

Question 10

Who is responsible for IT governance?

Answer 10

Board of directors & senior management

Question 11

What is the reasons to request & review copy of each vendor’s BCP?

Answer 11

To evaluate the adequacy of the service bureau’s plan & to assist his/ her company in implementing a complementary plan

Question 12

FIRST step in establishing IS Security Program is?

Answer 12

Adoption of a corporate information security policy statement

Question 13

Primary method for assuring the integrity of new staff is?

Answer 13

Background screening

Question 14

Risk Assessment Steps

Answer 14

1) Identify & assess the relative criticality of information assets
2) Identify potential threats to those assets
3) Identify potential vulnerabilities to identified threats
4) Assess the business impact of a threat that takes advantage of an unmitigated vulnerability

Question 15

Role of Chief Security Officer (CSO)

Answer 15

Periodically reviews & evaluates the security policy

Question 16

Role of System Development & Maintenance

Answer 16

Tests & evaluates user applications

Question 17

Role of Network & Database Administrators

Answer 17

Grant & revoke access to IT resources after obtaining approval from data owners

Question 18

Role of Data Owners

Answer 18

Approve access to data & applications

Question 19

COBiT’s define “Control Objectives” as?

Answer 19

A statement of desired result or purpose to be achieved by implementing control procedures in a particular IT activity

Question 20

Best evidence of evaluating adequacy of a security awareness program

Answer 20

1) Periodic reviews
2) Comparison with best practices

Question 21

IT Steering Committee’s responsibilities

Answer 21

Approving & monitoring major projects, the status of IS plan & budgets

Question 22

What should be utilize if maintenance vendors requiring remote access to critical network resources for remote administration?

Answer 22

They should utilize a Secure Shell Tunnel

Question 23

Risk tolerance or the acceptable level of risk is MOST APPROPRIATELY determined by?

Answer 23

Senior Business Management

Question 24

CobiT IT Domain is best defined as?

Answer 24

A natural grouping of processes, often matching an organizational domain of responsibility

Question 25

Advantage of a top-down approach to development of operational policies

Answer 25

Help ensure that they are **consistent across the organization**

Question 26

Purpose of Enterprise Architecture (EA)

Answer 26

EA **ensures technology investments are consistent** with **platform, data & development standards** of the IT organization. EA **defines both current & future state** in areas such as use of standard platforms, databases or programming languages. If new application uses a database or operating **system that's not part of EA**, this **increases cost & complexity** of the solution & ultimately delivers **less value** to business.

Question 27

COBiT defines "Control" as?

Answer 27

The **policies, procedures, practices & organizational structures**, designed to provide **reasonable assurance** that **business objectives** will be achieved & that **undesired events** will be **prevented or detected & corrected**.

Question 28

What is software escrow?

Answer 28

They are clauses in a contract that **ensures "software source code" will still be available** to the organization in the event of a **vendor issue**, such as insolvency & copyright issues.

Question 29

What is most important function for IS management when service is outsourced?

Answer 29

It is **"monitoring the outsourced provider's performance"**.

Question 30

What is IT balanced scorecard?

Answer 30

It is a business **governance tool allowing evaluation of IT performance** based upon: **1) customer satisfaction** **2) Internal process efficiency** **3) Innovation capacity** It is **used to achieve better alignment** between IT governance & business objectives

Question 31

What is the cause of vulnerabilities?

Answer 31

It is primarily result from **inadequate security controls**

Question 32

In IS audit context, what is snapshots?

Answer 32

It refers to a **point-in-time image** of a system, network, or application that can be **used to assess its state** and **identify any vulnerabilities or issues**. For auditing purposes, it allows auditors to **compare current & previous state** of a system or environment, and then **identify any changes or discrepancies** that may have occurred.

Question 33

What is critical to successful implementation & maintenance of security policy?

Answer 33

**Assimilation** *("the process of taking in and fully understanding information or ideas")* of **framework & intent of written security policy** by all appropriate parties

Question 34

When auditing Quality Management System (QMS), what is the PRIMARY focus of IS auditors?

Answer 34

**Collecting evidence** to show that **continuous improvement targets are being monitored**. Because continuous & measurable improvement of quality is the primary requirement to achieve business **objective for QMS**.