IT Governance Flashcards
What is the initial step in establishing an information security program?
The adoption of a corporate information security policy statement
i.e. This reflects the intent and support provided by executive management for proper security and establishes a starting point for developing the security program
WHAT would be the “initial” step in creating a firewall policy?
The identification of network applications to be externally accessed
Who in an organization has primary responsibility for IT governance?
The board of directors
i.e. IT governance is primarily the responsibility of the executives and shareholders (as represented by the board of directors)
What is a critical step for the successful implementation and maintenance of a security policy?
Assimilation of the framework and intent of a written security policy by all appropriate parties
i.e. A written policy can only be implemented and maintained successfully if the people expected to follow it understand both its framework and its intent
What type of policy would mitigate the risk associated with electronic evidence gathering?
An e-mail archive policy
i.e. With a policy of well-archived email records, access to or retrieval of specific email records to comply with legal requirements is possible
What would be considered a proper expression of the overall quantitative business risk for a particular threat?
The product of the likelihood that a threat successfully exploits a vulnerability and the magnitude of the resulting impact
What is a major risk of an inadequate policy definition for ownership of data and systems?
Unauthorized users may have access to modify data
i.e. Without a policy defining who has the responsibility for granting access to specific systems, there is an increased risk that individuals can gain (be given) system access when they should not have authorization.
What is an advantage of system prototyping?
That it can provide significant time and cost savings
How? - through better user interaction and the ability to rapidly adapt to changing requirements
What is the primary objective of “value delivery” (in the context of effective information security governance)?
Optimize security investments in support of business objectives
What should the IS auditor ensure when reviewing the IT strategic planning process?
That it articulates the IT mission and vision
HOW is transparency of IT’s cost, value and risk primarily achieved (i.e. as a driver of IT governance)?
Through performance measurement
How? - Because it provides information to the stakeholders on how well the enterprise is performing when compared to objectives.
HOW can an IT auditor gain an understanding of the effectiveness of an organization’s planning and management of investments in IT assets?
By reviewing the IT Balanced Scorecard
i.e. This tool provides the bridge between IT objectives and business objectives by supplementing the traditional financial evaluation with measures to evaluate customer satisfaction
WHAT is the ultimate purpose of IT governance in an organization?
To encourage optimal use of IT
i.e. It is intended to specify the combination of decision rights and accountability that is best for the enterprise. It is different for every enterprise.
WHAT is an important consideration when deciding on areas of priority for IT governance implementations?
Business risk
WHY? - Because priority should be given to those areas that represent a known risk to the enterprise operations.
True or False.
Users should have the ability to capture and verify their own messages.
FALSE
The verification of messages should not be allowed by the person who sent the message.