Domain 2 - IT Governance & Management Flashcards
Who is responsible for development of IS Security Policy?
Board of Directors
The greatest concern for an IS auditor with respect to outsourcing of IT services is?
The concern that outsourced activities are “core” & provide a “differentiated advantage” to the organization, because such activities should not be outsourced.
Who is responsible for managing compliance with the contract for outsourced services?
Organization’s IT management
Advantage of a bottom-up approach to development of policies
They are more likely to be derived based on risk assessment results
A comprehensive & effective e-mail policy should address what issues?
1) e-mail structure
2) policy enforcement
3) monitoring
4) retention
What kinds of responsibilities should a LAN administrator have & not have?
A LAN administrator should NOT have application programming responsibilities but MAY HAVE systems programming & end-user responsibilities
From a control perspective, the key element in job descriptions is?
They establish responsibility & accountability for the employee’s actions
Phishing is best mitigated through?
Because a phishing attack exploits people, the risk is best mitigated through user security “awareness training”
The MOST important security consideration for an organization that wants to reduce its IS infrastructure by using servers provided by a Platform as a Service (PaaS) vendor is?
Reviewing the need for encryption of stored & transmitted application data
Who is responsible for IT governance?
Board of directors & senior management
What is the reason to request & review a copy of each vendor’s BCP?
To evaluate the adequacy of the service bureau’s plan & to assist his/ her company in implementing a complementary plan
The FIRST step in establishing an IS security program is?
Adoption of a corporate information security policy statement
The primary method for assuring the integrity of new staff is?
Background screening
Risk Assessment Steps
1) Identify & assess the relative criticality of information assets
2) Identify potential threats to those assets
3) Identify potential vulnerabilities to identified threats
4) Assess the business impact of a threat that takes advantage of an unmitigated vulnerability
Role of Chief Security Officer (CSO)
Periodically reviews & evaluates the security policy
Role of System Development & Maintenance
Tests & evaluates user applications
Role of Network & Database Administrators
Grant & revoke access to IT resources after obtaining approval from data owners
Role of Data Owners
Approve access to data & applications
COBiT defines “Control Objectives” as?
A statement of desired result or purpose to be achieved by implementing control procedures in a particular IT activity
Best evidence of evaluating adequacy of a security awareness program
1) Periodic reviews
2) Comparison with best practices
IT Steering Committee’s responsibilities
Approving & monitoring major projects, the status of IS plan & budgets
What should be utilized if maintenance vendors require remote access to critical network resources for remote administration?
They should utilize a Secure Shell Tunnel
Risk tolerance or the acceptable level of risk is MOST APPROPRIATELY determined by?
Senior Business Management
A COBiT IT domain is best defined as?
A natural grouping of processes, often matching an organizational domain of responsibility
Advantage of a top-down approach to development of operational policies
Help ensure that they are consistent across the organization
Purpose of Enterprise Architecture (EA)
EA ensures technology investments are consistent with platform, data & development standards of the IT organization.
EA defines both current & future state in areas such as use of standard platforms, databases or programming languages.
If new application uses a database or operating system that’s not part of EA, this increases cost & complexity of the solution & ultimately delivers less value to business.
COBiT defines “Control” as?
The policies, procedures, practices & organizational structures, designed to provide reasonable assurance that business objectives will be achieved & that undesired events will be prevented or detected & corrected.
What is software escrow?
Clauses in a contract that ensure the “software source code” will still be available to the organization in the event of a vendor issue, such as insolvency or a copyright dispute.
What is the most important function for IS management when a service is outsourced?
It is “monitoring the outsourced provider’s performance”.
What is IT balanced scorecard?
It is a business governance tool allowing evaluation of IT performance based upon:
1) customer satisfaction
2) Internal process efficiency
3) Innovation capacity
It is used to achieve better alignment between IT governance & business objectives.
What is the cause of vulnerabilities?
They primarily result from inadequate security controls.
In an IS audit context, what are snapshots?
A snapshot is a point-in-time image of a system, network, or application that can be used to assess its state and identify any vulnerabilities or issues.
For auditing purposes, it allows auditors to compare current & previous state of a system or environment, and then identify any changes or discrepancies that may have occurred.
What is critical to successful implementation & maintenance of security policy?
Assimilation (“the process of taking in and fully understanding information or ideas”) of framework & intent of written security policy by all appropriate parties
When auditing Quality Management System (QMS), what is the PRIMARY focus of IS auditors?
Collecting evidence to show that continuous improvement targets are being monitored, because continuous & measurable improvement of quality is the primary requirement for a QMS to achieve business objectives.