IT Governance Flashcards

1
Q

What is the initial step in establishing an information security program?

A

The adoption of a corporate information security policy statement

i.e. This reflects the intent and support provided by executive management for proper security and establishes a starting point for developing the security program

2
Q

WHAT would be the “initial” step in creating a firewall policy?

A

The identification of network applications to be externally accessed

3
Q

Who in an organization has primary responsibility for IT governance?

A

The board of directors

i.e. IT governance is primarily the responsibility of the executives and shareholders (as represented by the board of directors)

4
Q

What is a critical step for the successful implementation and maintenance of a security policy?

A

Assimilation of the framework and intent of a written security policy by all appropriate parties

i.e. This is critical to the successful implementation and maintenance of the security policy

5
Q

What type of policy would mitigate the risk associated with electronic evidence gathering?

A

An e-mail archive policy

i.e. With a policy of well-archived email records, access to or retrieval of specific email records to comply with legal requirements is possible

6
Q

What would be considered a proper expression of the overall quantitative business risk for a particular threat?

A

A product of the likelihood and the magnitude of the impact if a threat successfully exploits a vulnerability.

7
Q

What is a major risk of an inadequate policy definition for ownership of data and systems?

A

Unauthorized users may have access to modify data

i.e. Without a policy defining who has the responsibility for granting access to specific systems, there is an increased risk that individuals can gain (be given) system access when they should not have authorization.

8
Q

What is an advantage of system prototyping?

A

That it can provide significant time and cost savings

How? - through better user interaction and the ability to rapidly adapt to changing requirements

9
Q

What is the primary objective of “value delivery” (in the context of effective information security governance)?

A

Optimize security investments in support of business objectives

10
Q

What should the IS auditor ensure when reviewing the IT strategic planning process?

A

That it articulates the IT mission and vision

11
Q

HOW is transparency of IT’s cost, value and risk primarily achieved (i.e. as a driver of IT governance)?

A

Through performance measurement

How? - Because it provides information to the stakeholders on how well the enterprise is performing when compared to objectives.

12
Q

HOW can an IT auditor gain an understanding of the effectiveness of an organization’s planning and management of investments in IT assets?

A

By reviewing the IT Balanced Scorecard

i.e. This tool provides the bridge between IT objectives and business objectives by supplementing the traditional financial evaluation with measures to evaluate customer satisfaction

13
Q

WHAT is the ultimate purpose of IT governance in an organization?

A

To encourage optimal use of IT

i.e. It is intended to specify the combination of decision rights and accountability that is best for the enterprise. It is different for every enterprise.

14
Q

WHAT is an important consideration when deciding on areas of priority for IT governance implementations?

A

Business risk

WHY? - Because priority should be given to those areas that represent a known risk to the enterprise operations.

15
Q

True or False.

Users should have the ability to capture and verify their own messages.

A

FALSE

The verification of messages should not be allowed by the person who sent the message.

16
Q

What would be considered an “implementation risk” within the process of decision support systems?

A

An inability to specify purpose and usage patterns

i.e. A risk that developers need to anticipate while implementing a DSS

17
Q

WHO within the organization should establish its risk appetite?

A

The Steering Committee

WHY? - Because the committee draws its representation from senior management.

18
Q

WHAT is a critical success factor when developing a formal enterprise security program?

A

The effective support of an executive sponsor

19
Q

True or False.

An Enterprise-Architecture includes a current state representation ONLY.

A

FALSE.

An Enterprise-Architecture should include a current and future state representation.

i.e. If the EA does not include a future-state representation, it is not complete, and this issue should be reported as a finding.

20
Q

WHAT is an IS Auditor’s first step when performing a review of the software quality management process?

A

Request all standards adopted by the organization

i.e. The first step is to know the standards and what policies and procedures are mandated (e.g. standards adopted by the organization) for the organization, then to document the controls and measure compliance