Organizational Strategy, Goals, and Objectives Flashcards
Domain 1
The GREATEST risk posed by an absence of strategic planning is:
A. increase in the number of licensing violations.
B. increase in the number of obsolete systems.
C. improper oversight of IT investment.
D. unresolved current and past problems.
C is the correct answer.
Justification
Licensing violations can lead to fines and penalties from software companies; however, absence of strategic planning does not necessarily entail an increase in licensing violations.
The number of obsolete systems can increase if strategic planning lapses; however, improper or negligent oversight of IT investment is the more fundamental direct risk, as investment informs the execution of future strategy and ensures that new systems align with business objectives.
Improper oversight of IT investment is the greatest risk. Without proper oversight from management, IT investment may fail to align with business strategy, and IT expenditures may not support business objectives.
Strategic planning is future-oriented, whereas unresolved current and past problems are tactical in nature.
Domain: 1 Governance
Task Statement: 3 Identify threats and vulnerabilities to the organization’s people, processes, and technology.
Knowledge Statement: 1A1 Organizational Strategy, Goals, and Objectives
Which of the following signifies the need to review an enterprise’s risk practices?
A. Business owners regularly challenge risk assessment findings.
B. Manufacturing assigns its own internal risk management roles.
C. The finance department finds exceptions during its yearly risk review.
D. Sales department risk management procedures were last reviewed 11 months ago.
A is the correct answer.
Justification
An enterprise’s risk management practices must be clearly understood and supported by business stakeholders. This principle must be documented in the enterprise’s risk management policy/framework/plan with senior management approval and direction. Business owners who challenge the risk assessment findings either do not support the findings or do not understand them clearly.
Assigning internal risk management roles to staff is what each department in the enterprise should do.
It is common to find exceptions during a review that need to be addressed. This is a normal and expected result of a yearly review.
Normally, a yearly review of risk management procedures is sufficient to keep them up to date.
Domain: 1 Governance
Task Statement: 8 Promote a risk-aware culture by contributing to the development and implementation of security awareness training.
Knowledge Statement: 1A1 Organizational Strategy, Goals, and Objectives
Which of the following choices should drive the IT plan?
A. Strategic planning and business requirements
B. Technology and operational procedures
C. Compliance with laws and regulations
D. Project plans and stakeholder requirements
A is the correct answer.
Justification
IT exists to support business objectives. Management of enterprise IT should align the IT plan closely with the business.
IT exists to support business objectives. The IT plan should consider technology and procedures, but should not eclipse business strategy, which would risk creating a gap between strategy and IT.
IT exists to support business objectives. Compliance with laws and regulations should be evaluated in the same manner as any other risk.
IT exists to support business objectives. When IT projects are based on a project-by-project approach, effort is often duplicated or wasted, and results are likely to be incompatible across the enterprise.
Domain: 1 Governance
Task Statement: 22 Report relevant risk and control information to applicable stakeholders to facilitate risk-based decision-making.
Knowledge Statement: 1A1 Organizational Strategy, Goals, and Objectives
Whether a risk has been reduced to an acceptable level should be determined by:
A. information systems requirements.
B. information security requirements.
C. international standards.
D. enterprise requirements.
D is the correct answer.
Justification
Information systems requirements should not make the ultimate determination.
Information security requirements should not make the ultimate determination.
Because each enterprise is unique, international standards do not necessarily represent the best solution, which depends on local risk appetite and other requirements.
Enterprise requirements as dictated by enterprise goals and objectives should determine when a risk has been reduced to an acceptable level. Information systems and security requirements and standards may help inform enterprise requirements, but in themselves lack the critical context of enterprise business goals.
Domain: 1 Governance
Task Statement: 20 Review the results of control assessments to determine the effectiveness and maturity of the control environment.
Knowledge Statement: 1A1 Organizational Strategy, Goals, and Objectives
Which of the following is MOST important to determine when defining risk management strategies?
A. Risk assessment criteria
B. IT architecture complexity
C. Enterprise disaster recovery plan
D. Business objectives and operations
D is the correct answer.
Justification
Information on the internal and external environments must be collected to define a strategy and identify its impact. Risk assessment criteria alone are not sufficient.
IT architecture complexity is more directly related to assessing risk than defining strategies.
An enterprise disaster recovery plan is more directly related to mitigating the risk.
While defining risk management strategies, the risk practitioner needs to analyze the enterprise’s objectives and risk tolerance and define a risk management framework based on this analysis. Some enterprises may accept known risk, while others may invest in and apply mitigating controls to reduce risk.
Domain: 1 Governance
Task Statement: 1 Collect and review existing information regarding the organization’s business and IT environments.
Knowledge Statement: 1A1 Organizational Strategy, Goals, and Objectives
When assessing strategic IT risk, the FIRST step is:
A. summarizing IT project risk.
B. understanding enterprise strategy from senior executives.
C. establishing enterprise architecture strategy.
D. reviewing IT incident reports from service delivery.
B is the correct answer.
Justification
Summarizing project risk does not necessarily facilitate understanding of all risk. Unintended consequences, reputation and brand risk, and strategic objectives should all be considered in order to assess strategic IT risk.
Strategic IT risk is related to the strategy and objectives of the enterprise. Senior executives provide the enterprise view of dependencies and expectations for IT, which aids understanding of potential risk.
Enterprise architecture (EA) is fundamentally concerned with producing a view of the current state of IT, establishing a vision for the future state, and setting strategy to realize it (preferably by optimizing resource risk while providing benefit). EA is informed by understanding the enterprise strategy and views of senior executives, which change rapidly in the current business environment and should be reviewed regularly.
Understanding current incidents will not directly provide a strategic view of enterprise objectives or illustrate how the enterprise depends on IT to achieve the objectives.
Domain: 1 Governance
Task Statement: 22 Report relevant risk and control information to applicable stakeholders to facilitate risk-based decision-making.
Knowledge Statement: 1A1 Organizational Strategy, Goals, and Objectives
Management wants to ensure that IT is successful in delivering against business requirements. Which of the following BEST supports that effort?
A. An internal control system or framework
B. A cost-benefit analysis
C. A return on investment analysis
D. A benchmark process
A is the correct answer.
Justification
For IT to be successful in delivering against business requirements, management should develop an internal control system that supports its business requirements.
A cost-benefit analysis, although useful, is not the most important element to align IT to business.
A return on investment analysis is just one of the metrics to measure success of IT investments.
A benchmark process is put in place once a sound internal control framework has been enabled.
Domain: 1 Governance
Task Statement: 22 Report relevant risk and control information to applicable stakeholders to facilitate risk-based decision-making.
Knowledge Statement: 1A1 Organizational Strategy, Goals, and Objectives
The PRIMARY consideration when selecting a risk response technique is:
A. coverage of all identified risk.
B. availability of resources.
C. enterprise goals and objectives.
D. standards and industry good practices.
C is the correct answer.
Justification
The primary consideration is to address mission-critical risk, not necessarily all identified risk.
For risk threatening enterprise goals, availability of resources is not a primary consideration.
The risk response will be based primarily on goals and objectives of the enterprise. Risk can harm these goals and must be mitigated according to priority.
Standards and good practices will be followed while preparing a plan after the desired mitigation technique is selected.
Domain: 1 Governance
Task Statement: 12 Facilitate the selection of recommended risk responses by key stakeholders.
Knowledge Statement: 1A1 Organizational Strategy, Goals, and Objectives
The PRIMARY reason for developing an enterprise security architecture is to:
A. align security strategies among the functional areas of an enterprise and external entities.
B. build a barrier between the IT systems of an enterprise and the outside world.
C. foster understanding of the enterprise’s technologies and their interactions.
D. protect the enterprise from external threats and monitor the corporate network proactively.
A is the correct answer.
Justification
The enterprise security architecture must align strategies and objectives of diverse functional areas within the enterprise, optimize the flow of information within an enterprise, and support all required communication with external partners, customers and suppliers.
Building a barrier between the IT systems of an enterprise and the outside world without considering business objectives may interfere with valid business processes.
Enterprise security architecture should not only inventory all the technologies that exist in the enterprise but also document their interactions and interdependencies in relation to business objectives. The enterprise security architecture should further document interactions with, and dependencies on, external processes, suppliers, partners and customers as they relate to business goals.
An enterprise security architecture does not protect the enterprise from threats or monitor threats; it establishes a blueprint that includes the internal and external controls needed to protect the enterprise.
Domain: 1 Governance
Task Statement: 24 Evaluate alignment of business practices with risk management and information security frameworks and standards.
Knowledge Statement: 1A1 Organizational Strategy, Goals, and Objectives
Commitment and support of senior management for information security investment can BEST be accomplished by a business case that:
A. explains the technical risk to the enterprise.
B. includes industry good practices as they relate to information security.
C. details successful attacks against a competitor.
D. ties security risk to enterprise business objectives.
D is the correct answer.
Justification
Senior management will not likely be interested in technical risk unless it is related specifically to business environment and objectives.
Industry good practices are important to senior management; however, the practices must be related to key business objectives in order for senior management to understand their full significance.
Senior management will not be as interested in examples of successful attacks against a competitor if they are not tied to the impact on business environment and objectives.
Senior management seeks to understand the business justification for investing in security. This can best be accomplished by tying security to key business objectives.
Domain: 1 Governance
Task Statement: 22 Report relevant risk and control information to applicable stakeholders to facilitate risk-based decision-making.
Knowledge Statement: 1A1 Organizational Strategy, Goals, and Objectives
Which of the following risk assessment outputs is MOST suitable to help justify an enterprise information security program?
A. An inventory of risk that may impact the enterprise
B. Documented threats to the enterprise
C. Evaluation of the consequences
D. A list of appropriate controls for addressing risk
D is the correct answer.
Justification
A risk inventory is not the best choice because it does not sufficiently cover how the risk will be addressed.
Documentation of threats is not the best choice because it does not sufficiently explain how threats may exploit vulnerabilities or how resulting risk will be reduced.
Evaluation of the consequences of a risk—in combination with the likelihood of a risk—is important for the prioritization of risk responses. However, it is not the best choice because it does not represent controls that will reduce the risk.
A list of information security controls corresponding to risk scenarios identified during risk assessment is one of the primary deliverables of the risk assessment exercise. The list demonstrates due consideration of risk and applicable controls to address the risk and therefore helps justify a program predicated on risk mitigation.
Domain: 1 Governance
Task Statement: 21 Conduct aggregation, analysis, and validation of risk and control data.
Knowledge Statement: 1A1 Organizational Strategy, Goals, and Objectives