IT Governance Flashcards

1
Q

A strong IT governance model will have practices and policies with the following components:

A
  • availability
  • architecture
  • metadata
  • policy
  • quality
  • regulatory compliance and privacy
  • security
2
Q

What is the Information Technology Infrastructure Library (ITIL) framework?

A
  • originally created by the British government (the CCTA); ownership later passed to Axelos, a joint venture between the UK Cabinet Office and the private firm Capita
  • a globally recognized IT governance framework that is more focused on the delivery of IT services, organized around the following 4 dimensions:
    1. Organizations and people
    2. Info and technology
    3. Partners and suppliers
    4. Value streams and processes
3
Q

What is corporate strategy?

A
  • the way in which an org achieves the goals and objectives established by its vision
  • shapes an org’s operations and business model, which could be a low-cost leadership strategy, a product differentiation strategy or an ESG strategy
  • the chosen corporate strategy must be supported by an appropriate IT strategy and by IT governance
4
Q

What is IT strategy?

A
  • aligning the IT strategy with the corporate strategy’s objectives optimizes an org’s efforts in achieving those objectives
  • documenting this strategy and the supporting architecture gives mgmt a strong understanding of the company’s capabilities, which plays a key role in defining the activities in which the org should engage
  • the following may affect a company’s corporate strategy: IT personnel, network design (decentralized vs centralized, physical vs virtual), cybersecurity, and disaster recovery and business continuity
5
Q

Define the role of people within IT governance

A
  • people are the decision makers and the drivers of how IT governance is structured
  • involvement of leaders and members at all levels of the org is necessary for IT governance to be executed effectively

Board of Directors- oversees and appoints executive positions, typically the CEO; evaluates policies

Executive Mgmt- enforces policies, provides infrastructure and sets “tone at the top”

Middle Mgmt- carries out policies

IT Support Staff- executives, network engineers, help desk, cybersecurity experts, function-specific roles

Accountants- stewards, part of project development, testers

End Users- best equipped to understand the day-to-day technology needs for organizational activities

External Stakeholders- Vendors, customers, government, auditors

6
Q

Describe the project development teams related to governance execution

A
  • typically includes members of mgmt, IT systems personnel, accountants and system users
  • responsible for project planning and tracking, IT infrastructure design, change mgmt and monitoring project performance
  • monitors the project to ensure timely and cost-effective completion
  • manages the human element
  • communicates frequently with users and holds regular meetings to consider ideas and discuss progress so there are no surprises at project completion
  • manages risk and escalates issues that cannot be resolved within the team
7
Q

Describe the steering committee related to governance execution

A
  • responsible for the oversight of the info systems function
  • consists of high-level mgmt and executives (CIO, the controller, IT department heads)
  • develops and communicates strategic goals
  • reviews the IT budget and allocates IT costs
  • provides ongoing guidance and addresses big-picture issues that arise
  • ensures mgmt engagement and participation
  • monitors the project development team’s progress
  • has a more holistic view of the enterprise than the project development team, which enables the committee to address concerns that cut across business units and departments while also facilitating the coordination and integration of info systems activities to increase goal congruence and reduce goal conflict
8
Q

What is a Business Impact Analysis (BIA)?

A
  • identifies the business units, departments and processes that are essential to the survival of an entity, as well as the organizational impact in the event of their failure or disruption
  • identifies how quickly essential business units can return to full operation following a disaster
  • identifies the resources required to resume business operations

Objectives:
- estimate the quantitative or financial impact to the organization, assuming a worst case scenario
- estimate the qualitative impact to the org and the effect it could have on operations, assuming a worst case scenario
- identify the org’s business unit processes and the estimated recovery time frame

9
Q

Define high impact

A

the department:
- cannot operate without this resource
- may experience a high recovery cost
- may fail to meet the org’s objectives or maintain its reputation

10
Q

Define medium impact

A

the department:
- could partially function temporarily for a period of days or a week
- may experience some cost of recovery
- may fail to meet the org’s objectives or maintain its reputation

11
Q

Define low impact

A

the department:
- could operate without this resource for an extended period of time, or
- may notice an effect on achieving the org’s objectives or maintaining its reputation

12
Q

Define high likelihood

A
  • the risk is highly probable, has occurred recently, can occur frequently or controls to prevent it are ineffective
13
Q

Define medium likelihood

A
  • the risk could occur but controls are in place that may impede successful exercise of the vulnerability
14
Q

Define low likelihood

A
  • the risk is improbable or controls are in place to prevent or significantly impede successful exercise of the vulnerability
15
Q

Responses can be classified using the following risk actions:

A

Immediate action (I)- take corrective action as soon as possible

Delayed action (D)- implement corrective action within a reasonable time frame

No action (N)- take no corrective action; accept the level of risk

16
Q

Management would review all high-impact resources that have high or medium risk actions and evaluate the mitigation strategy using the following steps:

A
  1. Identify mitigation recommendations- potential mitigation efforts, including IT solutions, personnel impacts, and policies and procedures, must be compiled, reviewed and documented
  2. Evaluate mitigation recommendations- once the mitigation recommendations have been documented, they are reviewed to ensure each recommendation would appropriately safeguard the asset by mitigating the associated risks
  3. Cost-benefit analysis- estimate the expected loss from the impact and likelihood categories, then compare that loss with the cost of implementing the proposed recommendations
  4. Choose, plan and implement- after analyzing the proposed mitigation recommendations, mgmt has 3 options: accept, transfer or mitigate the risk
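Cards 9 through 16 describe one procedure: rate each resource’s impact and likelihood, map the pair to a risk action (I / D / N), then weigh accept / transfer / mitigate by expected loss. The Python below is an added worked example written for this page, not part of the flashcards or of any named framework. The cards define the categories only qualitatively, so the numeric thresholds, the action matrix, the per-category annual probabilities, and the payroll figures are all assumptions made for the example and are labelled as such in the code.

```python
"""Worked example (added, not from the flashcards): BIA-style impact and
likelihood scoring, risk action lookup, and accept/transfer/mitigate
cost-benefit comparison. All thresholds and figures are assumptions."""
from dataclasses import dataclass
from enum import Enum


class Impact(Enum):
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"


class Likelihood(Enum):
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"


class Action(Enum):
    IMMEDIATE = "I"  # take corrective action as soon as possible
    DELAYED = "D"    # corrective action within a reasonable time frame
    NONE = "N"       # accept the level of risk


def classify_impact(days_operable_without: float, high_recovery_cost: bool) -> Impact:
    """Impact per the card criteria. Assumed threshold: 'days or a week' means up to 7 days."""
    if days_operable_without <= 0 or high_recovery_cost:
        return Impact.HIGH    # cannot operate without the resource, or high recovery cost
    if days_operable_without <= 7:
        return Impact.MEDIUM  # can partially function for days to a week
    return Impact.LOW         # can operate for an extended period


def classify_likelihood(annual_rate: float, controls_effective: bool) -> Likelihood:
    """Likelihood per the card criteria. Assumed thresholds: >= 1/yr high, >= 0.1/yr medium."""
    if not controls_effective or annual_rate >= 1.0:
        return Likelihood.HIGH    # frequent, or the preventive controls are ineffective
    if annual_rate >= 0.1:
        return Likelihood.MEDIUM  # could occur; controls may impede it
    return Likelihood.LOW         # improbable, or controls significantly impede it


# Assumed (impact, likelihood) -> action matrix; the cards do not define this mapping.
ACTION_MATRIX = {
    (Impact.HIGH, Likelihood.HIGH): Action.IMMEDIATE,
    (Impact.HIGH, Likelihood.MEDIUM): Action.IMMEDIATE,
    (Impact.HIGH, Likelihood.LOW): Action.DELAYED,
    (Impact.MEDIUM, Likelihood.HIGH): Action.IMMEDIATE,
    (Impact.MEDIUM, Likelihood.MEDIUM): Action.DELAYED,
    (Impact.MEDIUM, Likelihood.LOW): Action.NONE,
    (Impact.LOW, Likelihood.HIGH): Action.DELAYED,
    (Impact.LOW, Likelihood.MEDIUM): Action.NONE,
    (Impact.LOW, Likelihood.LOW): Action.NONE,
}


def risk_action(impact: Impact, likelihood: Likelihood) -> Action:
    return ACTION_MATRIX[(impact, likelihood)]


# Assumed representative annual probability for each likelihood category.
ANNUAL_PROBABILITY = {Likelihood.HIGH: 1.0, Likelihood.MEDIUM: 0.25, Likelihood.LOW: 0.05}


def expected_annual_loss(worst_case_loss: float, likelihood: Likelihood) -> float:
    """The BIA's worst-case quantitative loss weighted by the category probability."""
    return worst_case_loss * ANNUAL_PROBABILITY[likelihood]


@dataclass(frozen=True)
class Option:
    name: str
    annual_cost: float               # control cost or insurance premium; 0 for accept
    residual_likelihood: Likelihood  # likelihood once the option is in place
    covered_fraction: float = 0.0    # share of the loss reimbursed (transfer only)

    def total_annual_cost(self, worst_case_loss: float) -> float:
        residual = expected_annual_loss(worst_case_loss, self.residual_likelihood)
        return self.annual_cost + residual * (1 - self.covered_fraction)


def choose_option(worst_case_loss: float, current_likelihood: Likelihood, candidates):
    """Accept is always a candidate; pick the lowest total annual cost."""
    options = [Option("accept", 0.0, current_likelihood), *candidates]
    best = min(options, key=lambda o: o.total_annual_cost(worst_case_loss))
    return best, best.total_annual_cost(worst_case_loss)


def payroll_example():
    """Constructed sample: a payroll system; every figure here is illustrative."""
    worst_case_loss = 800_000.0
    impact = classify_impact(days_operable_without=0, high_recovery_cost=False)
    likelihood = classify_likelihood(annual_rate=0.5, controls_effective=True)
    action = risk_action(impact, likelihood)
    candidates = [
        Option("mitigate: offsite replication + tested DR runbook", 60_000.0, Likelihood.LOW),
        Option("mitigate: cold standby only", 20_000.0, Likelihood.MEDIUM),
        Option("transfer: cyber insurance", 45_000.0, Likelihood.MEDIUM, covered_fraction=0.6),
    ]
    best, cost = choose_option(worst_case_loss, likelihood, candidates)
    return impact, likelihood, action, best, cost


if __name__ == "__main__":
    impact, likelihood, action, best, cost = payroll_example()
    print(f"impact={impact.value} likelihood={likelihood.value} action={action.value}")
    print(f"chosen: {best.name} at total annual cost {cost:,.0f}")
```

The sample shows the point of step 3 on card 16: the cheap cold-standby control costs more in total than accepting the risk, because it leaves the likelihood category unchanged, while the dearer replication option wins once its residual expected loss is counted. Swap in your own worst-case loss, rates and control costs; the structure stays the same.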