Domain 2 - IT Governance & Management Flashcards

1
Q

Who is responsible for the development of the IS security policy?

A

The board of directors (ultimate responsibility; management drafts the policy, the board owns and approves it).

2
Q

What is the greatest concern for an IS auditor with respect to the outsourcing of IT services?

A

That the outsourced activities are "core" activities that provide a "differentiated advantage" to the organization; such activities should not be outsourced.

3
Q

Who is responsible for managing compliance with the contract for outsourced services?

A

The organization's IT management.

4
Q

What is the advantage of a bottom-up approach to the development of policies?

A

They are more likely to be derived from risk assessment results.

5
Q

What issues should a comprehensive and effective e-mail policy address?

A

1) e-mail structure
2) policy enforcement
3) monitoring
4) retention

6
Q

What responsibilities should a LAN administrator have, and not have?

A

A LAN administrator should NOT have application programming responsibilities, but MAY have systems programming and end-user responsibilities.

7
Q

From a control perspective, what is the key element in job descriptions?

A

They establish responsibility and accountability for the employee's actions.

8
Q

How is phishing best mitigated?

A

Because a phishing attack exploits people rather than technology, the risk is best mitigated through user security awareness training.

9
Q

What is the MOST important security consideration for an organization that wants to reduce its IS infrastructure by using servers provided by a Platform as a Service (PaaS) vendor?

A

Reviewing the need for encryption of stored and transmitted application data, since that data will reside on, and travel to, infrastructure the organization does not control.

10
Q

Who is responsible for IT governance?

A

The board of directors and senior (executive) management.

11
Q

What are the reasons to request and review a copy of each vendor's BCP?

A

To evaluate the adequacy of the service bureau's plan and to help the auditor's own organization implement a complementary plan.

12
Q

What is the FIRST step in establishing an IS security program?

A

Adoption of a corporate information security policy statement

13
Q

What is the primary method for assuring the integrity of new staff?

A

Background screening

14
Q

What are the steps of a risk assessment?

A

1) Identify and assess the relative criticality of information assets
2) Identify potential threats to those assets
3) Identify potential vulnerabilities that the identified threats could exploit
4) Assess the business impact of a threat that takes advantage of an unmitigated vulnerability

15
Q

What is the role of the Chief Security Officer (CSO)?

A

Periodically reviews and evaluates the security policy.

16
Q

What is the role of System Development & Maintenance?

A

Tests and evaluates user applications.

17
Q

What is the role of Network & Database Administrators?

A

Grant and revoke access to IT resources after obtaining approval from the data owners.

18
Q

What is the role of Data Owners?

A

Approve access to data and applications.

19
Q

How does COBIT define a "control objective"?

A

A statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity.

20
Q

What is the best evidence for evaluating the adequacy of a security awareness program?

A

1) Periodic reviews of the program
2) Comparison with best practices

21
Q

What are the IT Steering Committee's responsibilities?

A

Approving and monitoring major projects, and the status of IS plans and budgets.

22
Q

What should be used when maintenance vendors require remote access to critical network resources for remote administration?

A

A Secure Shell (SSH) tunnel, so that the vendor's session is authenticated and encrypted end to end.
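
As an added example (not part of the flashcards), the shape such a tunnel takes and a check an auditor can run on it: the vendor's client command, the bastion-side authorized_keys entry that restricts the key to a single forwarding target, and a small POSIX shell function that tests whether a key line carries those restrictions. Host names, the vendor account and the key material are hypothetical.

```sh
#!/bin/sh
# Added example (not from the flashcards): a maintenance vendor gets SSH access
# to a bastion host, but only as a tunnel to one management interface.
#
# 1) Vendor side. -N opens no shell; -L forwards local port 8443 through the
#    bastion to the device's HTTPS management port. The vendor then browses
#    https://localhost:8443. Host names and the account are hypothetical.
#
#    ssh -N -L 8443:mgmt-switch.internal:443 vendor-acme@bastion.example.com
#
# 2) Bastion side, ~vendor-acme/.ssh/authorized_keys. "restrict" turns off pty
#    allocation, agent/X11 forwarding and command execution; "permitopen" is the
#    only forwarding target left open. Without it, the vendor could reach any
#    host the bastion can reach.
#
#    restrict,permitopen="mgmt-switch.internal:443" ssh-ed25519 AAAAC3Nza... vendor-acme@acme
#
# 3) Audit check: does a key line carry both options and no wildcard target?
#    Returns 0 (pass) or 1 (fail). Assumes option values contain no spaces, so
#    the option list is the first whitespace-delimited field of the line.
check_vendor_key_line() {
    line=$1        # one authorized_keys line
    allowed=$2     # the single host:port the vendor may reach
    opts=${line%% *}
    case $opts in
        ssh-*|ecdsa-*|sk-*) return 1 ;;            # key type first: no options at all
    esac
    case ",$opts," in
        *,restrict,*) ;;
        *) return 1 ;;                              # missing "restrict"
    esac
    case ",$opts," in
        *",permitopen=\"$allowed\","*) ;;
        *) return 1 ;;                              # missing or wrong permitopen target
    esac
    case $opts in
        *'permitopen="any"'*|*':*"'*) return 1 ;;  # "any" or port "*" undo the restriction
    esac
    return 0
}

# Constructed sample lines (the key blob is a placeholder, not a real key).
GOOD='restrict,permitopen="mgmt-switch.internal:443" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample vendor-acme@acme'
NO_OPTS='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample vendor-acme@acme'
NO_RESTRICT='permitopen="mgmt-switch.internal:443" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample vendor-acme@acme'
ANY_TARGET='restrict,permitopen="mgmt-switch.internal:443",permitopen="any" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample vendor-acme@acme'

# Stand-alone run: report each sample line as PASS or FAIL.
for l in "$GOOD" "$NO_OPTS" "$NO_RESTRICT" "$ANY_TARGET"; do
    if check_vendor_key_line "$l" 'mgmt-switch.internal:443'; then
        echo "PASS: $l"
    else
        echo "FAIL: $l"
    fi
done
```

The check is deliberately strict about the exact host:port because OpenSSH does no pattern matching on permitopen hosts; a second permitopen="any" entry, or a port of "*", silently widens the tunnel back to the whole network behind the bastion, which is the situation the card's answer is meant to avoid.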

23
Q

Who MOST APPROPRIATELY determines risk tolerance (the acceptable level of risk)?

A

Senior business management.

24
Q

How is a COBIT IT domain best defined?

A

A natural grouping of processes, often matching an organizational domain of responsibility

25
What is the advantage of a top-down approach to the development of operational policies?
It helps ensure that they are **consistent across the organization**.
26
What is the purpose of Enterprise Architecture (EA)?
EA **ensures that technology investments are consistent** with the **platform, data and development standards** of the IT organization. EA **defines both the current and the future state** in areas such as the use of standard platforms, databases or programming languages. If a new application uses a database or operating **system that is not part of the EA**, this **increases the cost and complexity** of the solution and ultimately delivers **less value** to the business.
27
How does COBIT define "control"?
The **policies, procedures, practices & organizational structures**, designed to provide **reasonable assurance** that **business objectives** will be achieved & that **undesired events** will be **prevented or detected & corrected**.
28
What is software escrow?
A clause in a contract that **ensures the software source code will still be available** to the organization in the event of a **vendor issue**, such as insolvency or the vendor ceasing to support the product.
29
What is the most important function of IS management when a service is outsourced?
It is **"monitoring the outsourced provider's performance"**.
30
What is the IT balanced scorecard?
A business **governance tool for evaluating IT performance** on **1) customer satisfaction**, **2) internal process efficiency** and **3) innovation capacity**, rather than on financial measures alone. It is **used to achieve better alignment** between IT governance and business objectives.
31
What causes vulnerabilities?
They primarily result from **inadequate security controls**.
32
In the IS audit context, what is a snapshot?
A **point-in-time image** of a system, network or application that can be **used to assess its state** and **identify vulnerabilities or issues**. For auditing purposes, it allows the auditor to **compare the current and a previous state** of a system or environment and **identify any changes or discrepancies** that have occurred in between.
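
As an added example (not from the flashcards), a shell script that takes the "compare the current and previous state" idea literally: two constructed snapshots of which accounts hold privileged group membership, a function that lists what was added or removed between them, and a digest of the baseline so that the reference copy itself can be shown not to have changed. The account names, groups and paths are hypothetical.

```sh
#!/bin/sh
# Added example (not from the flashcards): diffing two point-in-time snapshots
# of privileged account membership. Data is constructed; on a real host the
# snapshot would come from the system itself (group files, directory queries).

WORK=$(mktemp -d)

# Baseline snapshot, taken at the last audit. One line per account: name:groups
cat > "$WORK/baseline.txt" <<'EOF'
alice:sudo,adm
bob:adm
svc-backup:backup
EOF

# Current snapshot, taken now.
cat > "$WORK/current.txt" <<'EOF'
alice:sudo,adm
bob:sudo,adm
carol:sudo
svc-backup:backup
EOF

# Print one line per difference: "-" for entries present only in the baseline,
# "+" for entries present only in the current snapshot. A changed account shows
# up as one "-" line and one "+" line. comm(1) needs sorted input.
compare_snapshots() {
    sort "$1" > "$WORK/a.sorted"
    sort "$2" > "$WORK/b.sorted"
    comm -23 "$WORK/a.sorted" "$WORK/b.sorted" | sed 's/^/- /'
    comm -13 "$WORK/a.sorted" "$WORK/b.sorted" | sed 's/^/+ /'
}

# Integrity of the reference point: record the baseline's digest when it is
# taken and re-check it before trusting a comparison. A baseline that could
# have been edited since proves nothing about what changed on the system.
baseline_digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# Stand-alone run.
echo "baseline sha256: $(baseline_digest "$WORK/baseline.txt")"
echo "changes since baseline:"
compare_snapshots "$WORK/baseline.txt" "$WORK/current.txt"
```

Run as-is, the comparison reports that bob gained sudo and that carol is a new sudo-capable account; both are exactly the kind of discrepancy the auditor then traces back to an approved access request (card 17) or flags as unauthorized.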
33
What is critical to the successful implementation and maintenance of a security policy?
**Assimilation** *("the process of taking in and fully understanding information or ideas")* of the **framework and intent of the written security policy** by all appropriate parties.
34
When auditing a Quality Management System (QMS), what is the PRIMARY focus of the IS auditor?
**Collecting evidence** to show that **continuous improvement targets are being monitored**, because continuous and measurable improvement of quality is the primary requirement for achieving the business **objective of a QMS**.