Governance and Management of IT
Which of the following should be included in an organization's information security policy? A. A list of key IT resources to be secured B. The basis for access control authorization C. Identity of sensitive security assets D. Relevant software security features
B. The basis for access control authorization A. This is more detail than should be included in a policy. B. The security policy provides the broad framework of security as laid down and approved by senior management. It includes a definition of those authorized to grant access and the basis for granting the access. C. The identity of sensitive security assets is more detailed than that which should be included in a policy. D. A list of the relevant software security features is more detailed than that which should be included in a policy.
IT governance is PRIMARILY the responsibility of the: A. chief executive officer. B. board of directors. C. IT steering committee. D. audit committee.
B. board of directors. A. This role is instrumental in implementing IT governance according to the directions of the board of directors. B. IT governance is primarily the responsibility of the executives and shareholders (as represented by the board of directors). C. This group monitors and facilitates deployment of IT resources for specific projects in support of business plans. The IT steering committee enforces governance on behalf of the board of directors. D. This group reports to the board of directors and executes governance-related audits. The audit committee should monitor the implementation of audit recommendations.
While reviewing a quality management system, the IS auditor should PRIMARILY focus on collecting evidence to show that: A. quality management systems comply with good practices. B. continuous improvement targets are being monitored. C. standard operating procedures of IT are updated annually. D. key performance indicators are defined.
B. continuous improvement targets are being monitored. A. Generally, good practices are adopted according to business requirements. Therefore, conforming to good practices may or may not be a requirement of the business. B. Continuous and measurable improvement of quality is the primary requirement to achieve the business objective for the quality management system (QMS). C. Updating operating procedures is part of implementing the QMS; however, it must be part of change management and not an annual activity. D. Key performance indicators may be defined in a QMS, but they are of little value if they are not being monitored.
The MOST likely effect of the lack of senior management commitment to IT strategic planning is: a lack of investment in technology. a lack of a methodology for systems development. technology not aligning with organization objectives. an absence of control over technology contracts.
technology not aligning with organization objectives. Lack of management commitment will almost certainly affect investment, but the primary loss will be the lack of alignment of IT strategy with the strategy of the business. Systems development methodology is a process-related function and not a key concern of management. A steering committee should exist to ensure that the IT strategies support the organization's goals. The absence of an information technology committee or a committee not composed of senior managers is an indication of a lack of top-level management commitment. This condition increases the risk that IT is not aligned with organization strategy. Approval for contracts is a business process and would be controlled through financial process controls. This is not applicable here.
An enterprise's risk appetite is BEST established by: the chief legal officer. security management. the audit committee. the steering committee.
the steering committee.
After an organization completed a threat and vulnerability analysis as part of a risk assessment, the final report suggested that an intrusion prevention system (IPS) should be installed at the main Internet gateways and that all business units should be separated via a proxy firewall. Which of the following is the BEST method to determine whether the controls should be implemented? A cost-benefit analysis An annual loss expectancy calculation A comparison of the cost of the IPS and firewall and the cost of the business systems A business impact analysis
A cost-benefit analysis In a cost-benefit analysis, the total expected purchase and operational/support costs, and a qualitative value for all actions are weighted against the total expected benefits to choose the best technical, most profitable, least expensive or acceptable risk option. The annual loss expectancy is the expected monetary loss that is estimated for an asset over a one-year period. It is a useful calculation that should be included in determining the necessity of controls but is not sufficient alone. The cost of the hardware assets should be compared to the total value of the information that the asset protects, including the cost of the systems where the data reside and across which data are transmitted. Potential business impact is only one part of the cost-benefit analysis.
Regarding the outsourcing of IT services, which of the following conditions should be of GREATEST concern to an IS auditor? A. Core activities that provide a differentiated advantage to the organization have been outsourced. B. Periodic renegotiation is not specified in the outsourcing contract. C. The outsourcing contract fails to cover every action required by the business. D. Similar activities are outsourced to more than one vendor.
A. Core activities that provide a differentiated advantage to the organization have been outsourced. A. An organization's core activities generally should not be outsourced because they are what the organization does best; an IS auditor observing that condition should be concerned. B. An IS auditor should not be concerned about periodic renegotiation in the outsourcing contract because that is dependent on the term of the contract. C. Outsourcing contracts cannot be expected to cover every action and detail expected of the parties involved but should cover business requirements. D. Multisourcing is an acceptable way to reduce risk associated with a single point of failure.
A financial services enterprise has a small IT department, and individuals perform more than one role. Which of the following practices represents the GREATEST risk? A. The developers promote code into the production environment. B. The business analyst writes the requirements and performs functional testing. C. The IT manager also performs systems administration. D. The database administrator (DBA) also performs data backups.
A. The developers promote code into the production environment. A. If developers have access to the production environment, there is a risk that untested code can be migrated into the production environment. B. In situations in which there is no dedicated testing group, the business analyst is often the one to perform testing because the analyst has detailed knowledge of how the system must function as a result of writing the requirements. C. It is acceptable in a small team for the IT manager to perform system administration, as long as the manager does not also develop code. D. It may be part of the database administrator's duties to perform data backups.
During a feasibility study regarding outsourcing IT processing, the relevance for the IS auditor of reviewing the vendor's business continuity plan is to: A. evaluate the adequacy of the service levels that the vendor can provide in a contingency. B. evaluate the financial stability of the service bureau and its ability to fulfill the contract. C. review the experience of the vendor's staff. D. test the business continuity plan.
A. evaluate the adequacy of the service levels that the vendor can provide in a contingency. A. A key factor in a successful outsourcing environment is the capability of the vendor to face a contingency and continue to support the organization's processing requirements. B. Financial stability is not related to the vendor's business continuity plan (BCP). C. Experience of the vendor's staff is not related to the vendor's BCP. D. The review of the vendor's BCP during a feasibility study is not a way to test the vendor's BCP.
Which of the following should be of GREATEST concern to an IS auditor when reviewing an information security policy? The policy: A. is driven by an IT department's objectives. B. is published, but users are not required to read the policy. C. does not include information security procedures. D. has not been updated in over a year.
A. is driven by an IT department's objectives. A. Business objectives drive the information security policy, and the information security policy drives the selection of IT department objectives. A policy driven by IT objectives is at risk of not being aligned with business goals. B. Policies should be written so that users can understand each policy, and employees should be able to easily access the policies. The fact that users have not read the policy is not the greatest concern because they still may be compliant with the policy. C. Policies should not contain procedures. Procedures are established to assist with policy implementation and compliance. D. Policies should be reviewed annually, but they might not necessarily be updated annually unless there are significant changes in the environment such as new laws, rules or regulations.
The PRIMARY objective of implementing corporate governance is to: A. provide strategic direction. B. control business operations. C. align IT with business. D. implement good practices.
A. provide strategic direction. A. Corporate governance is a set of management practices to provide strategic direction to the organization as a whole, thereby ensuring that goals are achievable, risk is properly addressed and organizational resources are properly used. Hence, the primary objective of corporate governance is to provide strategic direction. B. Business operations are directed and controlled based on the strategic direction. C. Corporate governance applies strategic planning, monitoring and accountability to the entire organization, not just to IT. D. Governance is applied through the use of good practices, but this is not the objective of corporate governance.
While conducting an audit of a service provider, an IS auditor observes that the service provider has outsourced a part of the work to another provider. Because the work involves confidential information, the IS auditor's PRIMARY concern should be that the: A. requirement for protecting confidentiality of information can be compromised. B. contract may be terminated because prior permission from the outsourcer was not obtained. C. other service provider to whom work has been outsourced is not subject to audit. D. outsourcer will approach the other service provider directly for further work.
A. requirement for protecting confidentiality of information can be compromised. A. Many countries have enacted regulations to protect the confidentiality of information maintained in their countries and/or exchanged with other countries. When a service provider outsources part of its services to another service provider, there is a potential risk that the confidentiality of the information will be compromised. B. Terminating the contract for a violation of the terms of the contract could be a concern but is not related to ensuring the security of information. C. The outsourcer not being subject to an audit could be a concern but is not related to ensuring the security of information. D. There is no reason why an IS auditor should be concerned with the outsourcer approaching the other service providers directly for further work.
In reviewing the IT short-range (tactical) plan, an IS auditor should determine whether: A. there is an integration of IT and business personnel within projects. B. there is a clear definition of the IT mission and vision. C. a strategic information technology planning scorecard is in place. D. the plan correlates business objectives to IT goals and objectives.
A. there is an integration of IT and business personnel within projects. A. The integration of IT and business personnel in projects is an operational issue and should be considered while reviewing the short-range plan. A strategic plan provides a framework for the IT short-range plan. B. A clear definition of the IT mission and vision would be covered by a strategic plan. C. A strategic information technology planning scorecard would be covered by a strategic plan. D. Business objectives correlating to IT goals and objectives would be covered by a strategic plan.
Which of the following is the BEST reference for an IS auditor to determine a vendor's ability to meet service level agreement (SLA) requirements for a critical IT security service? Compliance with the master agreement Agreed-on key performance metrics Results of business continuity tests Results of independent audit reports
Agreed-on key performance metrics The master contract typically includes terms, conditions and costs but does not typically include service levels. Key performance indicators are metrics that allow for a means to measure performance. Service level agreements (SLAs) are statements related to expected service levels. For example, an Internet service provider (ISP) may guarantee that their service will be available 99.99 percent of the time. If applicable to the service, results of business continuity tests are typically included as part of the due diligence review. Independent audits report on the financial condition of an organization or the control environment. Reviewing audit reports is typically part of the due diligence review. Even audits must be performed against a set of standards or metrics to validate compliance.
Which of the following goals do you expect to find in an organization's strategic plan? Results of new software testing An evaluation of information technology needs Short-term project plans for a new planning system Approved suppliers for products offered by the company
Approved suppliers for products offered by the company Results of a new accounting package is a tactical or short-term goal and would not be included in a strategic plan. This is a way to measure performance, but not a goal to be found in a strategic plan. Short-term project plans is project-oriented and is a method of implementing a goal but not the goal in itself. The goal would be to have better project management—the new system is how to achieve that goal. Approved suppliers of choice for the product is a strategic business objective that is intended to focus the overall direction of the business and, thus, is a part of the organization's strategic plan.
An enterprise hosts its data center onsite and has outsourced the management of its key financial applications to a service provider. Which of the following controls BEST ensures that the service provider's employees adhere to the security policies? A. Sign-off is required on the enterprise's security policies for all users. B. An indemnity clause is included in the contract with the service provider. C. Mandatory security awareness training is implemented for all users. D. Security policies should be modified to address compliance by third-party users.
B. An indemnity clause is included in the contract with the service provider. A. Having users sign off on policies is a good practice; however, this only puts the onus of compliance on the individual user, not on the organization. B. Having the service provider sign an indemnity clause will ensure compliance to the enterprise's security policies, because any violations discovered will lead to a financial liability for the service provider. This will also prompt the enterprise to monitor security violations closely. C. Awareness training is an excellent control but will not ensure that the service provider's employees adhere to policy. D. Modification of security policy does not ensure compliance by users unless the policies are appropriately communicated to users and enforced, and awareness training is provided.
Which of the following is the initial step in creating a firewall policy? A. A cost-benefit analysis of methods for securing the applications B. Identification of network applications to be externally accessed C. Identification of vulnerabilities associated with network applications to be externally accessed D. Creation of an application traffic matrix showing protection methods
B. Identification of network applications to be externally accessed A. Identifying methods to protect against identified vulnerabilities and their comparative cost-benefit analysis is the third step. B. Identification of the applications required across the network should be the initial step. After identification, depending on the physical location of these applications in the network and the network model, the person in charge will be able to understand the need for, and possible methods of, controlling access to these applications. C. Having identified the externally accessed applications, the second step is to identify vulnerabilities (weaknesses) associated with the network applications. D. The fourth step is to analyze the application traffic and create a matrix showing how each type of traffic will be protected.
Which of the following is the MOST important element for the successful implementation of IT governance? A. Implementing an IT scorecard B. Identifying organizational strategies C. Performing a risk assessment D. Creating a formal security policy
B. Identifying organizational strategies A. A scorecard is an excellent tool to implement a program based on good governance, but the most important factor in implementing governance is alignment with organizational strategies. B. The key objective of an IT governance program is to support the business; therefore, the identification of organizational strategies is necessary to ensure alignment between IT and corporate governance. Without identification of organizational strategies, the remaining choices—even if implemented—would be ineffective. C. A risk assessment is important to ensure that the security program is based on areas of highest risk, but risk assessment must be based on organizational strategies. D. A policy is a key part of security program implementation, but even the policy must be based on organizational strategies.
Question When auditing the IT governance framework and IT risk management practices that exist within an organization, the IS auditor identified some undefined responsibilities regarding IT management and governance roles. Which of the following recommendations is the MOST appropriate? A. Review the strategic alignment of IT with the business. B. Implement accountability rules within the organization. C. Ensure that independent IS audits are conducted periodically. D. Create a chief risk officer role in the organization.
B. Implement accountability rules within the organization. A. While the strategic alignment of IT with the business is important, it is not directly related to the gap identified in this scenario. B. IT risk is managed by embedding accountability into the enterprise. The IS auditor should recommend the implementation of accountability rules to ensure that all responsibilities are defined within the organization. Note that this question asks for the best recommendation—not about the finding itself. C. Performing more frequent IS audits is not helpful if the accountability rules are not clearly defined and implemented. D. Recommending the creation of a new role (e.g., chief risk officer) is not helpful if the accountability rules are not clearly defined and implemented.
Which of the following should an IS auditor recommend to BEST enforce alignment of an IT project portfolio with strategic organizational priorities? A. Define a balanced scorecard for measuring performance. B. Consider user satisfaction in the key performance indicators. C. Select projects according to business benefits and risk. D. Modify the yearly process of defining the project portfolio.
C. Select projects according to business benefits and risk. A. Measures such as a balanced scorecard are helpful, but do not guarantee that the projects are aligned with business strategy. B. Key performance indicators are helpful to monitor and measure IT performance, but they do not guarantee that the projects are aligned with business strategy. C. Prioritization of projects on the basis of their expected benefit(s) to business, and the related risk, is the best measure for achieving alignment of the project portfolio to an organization's strategic priorities. D. This definition might improve the situation, but only if the portfolio definition process is closely tied to organizational strategies.
An IS auditor is assigned to review IT structures and activities recently outsourced to various providers. Which of the following should the IS auditor determine FIRST? A. An audit clause is present in all contracts. B. The service level agreement of each contract is substantiated by appropriate key performance indicators. C. The contractual warranties of the providers support the business needs of the organization. D. At contract termination, support is guaranteed by each outsourcer for new outsourcers.
C. The contractual warranties of the providers support the business needs of the organization. A. All other choices are important, but the first step is to ensure that the contracts support the business— only then can an audit process be valuable. B. All service level agreements should be measurable and reinforced through key performance indicators—but the first step is to ensure that the SLAs are aligned with business requirements. C. The primary requirement is for the services provided by the outsource supplier to meet the needs of the business. D. Having appropriate controls in place for contract termination are important, but first the IS auditor must be focused on the requirement of the supplier to meet business needs.
To aid management in achieving IT and business alignment, an IS auditor should recommend the use of: A. control self-assessments. B. a business impact analysis. C. an IT balanced scorecard. D. business process reengineering.
C. an IT balanced scorecard. A. These are used to improve monitoring of security controls but are not used to align IT with organizational objectives. B. This is used to calculate the impact on the business in the event of an incident that affects business operations, but it is not used to align IT with organizational objectives. C. This provides the bridge between IT objectives and business objectives by supplementing the traditional financial evaluation with measures to evaluate customer satisfaction, internal processes and the ability to innovate. D. This is an excellent tool to review and improve business processes but is not focused on aligning IT with organizational objectives.
An IS auditor reviewing an outsourcing contract of IT facilities expects it to define the: A. hardware configuration. B. access control software. C. ownership of intellectual property. D. application development methodology.
C. ownership of intellectual property. A. The hardware configuration is generally irrelevant as long as the functionality, availability and security can be affected, which are specific contractual obligations. B. The access control software is generally irrelevant as long as the functionality, availability and security can be affected, which are specific contractual obligations. C. The contract must specify who owns the intellectual property (i.e., information being processed and application programs). Ownership of intellectual property is a significant cost and is a key aspect to be defined in an outsourcing contract. D. The development methodology should be of no real concern in an outsourcing contract.
An IS auditor reviews an organizational chart PRIMARILY for: A. an understanding of the complexity of the organizational structure. B. investigating various communication channels. C. understanding the responsibilities and authority of individuals. D. investigating the network connected to different employees.
C. understanding the responsibilities and authority of individuals. A. This is not the primary reason to review an organizational chart because the chart will not necessarily depict the complexity. B. The organizational chart is a key tool for an auditor to understand roles and responsibilities and reporting lines but is not used for examining communications channels. C. An organizational chart provides information about the responsibilities and authority of individuals in the organization. This helps an IS auditor to know if there is a proper segregation of functions. D. A network diagram will provide information about the usage of various communication channels and will indicate the connection of users to the network.
Question An organization is considering making a major investment in upgrading technology. Which of the following choices is the MOST important to consider? A. A cost analysis B. The security risk of the current technology C. Compatibility with existing systems D. A risk analysis
D. A risk analysis A. The information system solution should be cost-effective, but this is not the most important aspect. B. This is one of the components of the risk analysis, and alone is not the most important factor. C. This is one consideration; however, the new system may be a major upgrade that is not compatible with existing systems, so this is not the most important consideration. D. Prior to implementing new technology, an organization should perform a risk analysis, which is then presented to business unit management for review and acceptance.
A small organization has only one database administrator (DBA) and one system administrator. The DBA has root access to the UNIX server, which hosts the database application. How should segregation of duties be enforced in this scenario? A. Hire a second DBA and split the duties between the two individuals. B. Remove the DBA's root access on all UNIX servers. C. Ensure that all actions of the DBA are logged and that all logs are backed up to tape. D. Ensure that database logs are forwarded to a UNIX server where the DBA does not have root access.
D. Ensure that database logs are forwarded to a UNIX server where the DBA does not have root access. A. Hiring additional staff is a costly way to ensure segregation of duties. B. DBA needs root access to the database servers to install upgrades or patches. C. The administrator can modify or erase logs prior to the tape backup event. D. By creating logs that the DBA cannot erase or modify, segregation of duties is enforced.
During an audit, the IS auditor discovers that the human resources (HR) department uses a cloud-based application to manage employee records. The HR department engaged in a contract outside of the normal vendor management process and manages the application on its own. Which of the following is of GREATEST concern? A. Maximum acceptable downtime metrics have not been defined in the contract. B. The IT department does not manage the relationship with the cloud vendor. C. The help desk call center is in a different country, with different privacy requirements. D. Organization-defined security policies are not applied to the cloud application.
D. Organization-defined security policies are not applied to the cloud application. A. Maximum acceptable downtime is a good metric to have in the contract to ensure application availability; however, human resources (HR) applications are usually not mission-critical, and therefore, maximum acceptable downtime is not the most significant concern in this scenario. B. The responsibility for managing the relationship with a third party should be assigned to a designated individual or service management team; however, it is not essential that the individual or team belong to the IT department. C. An organization-defined security policy ensures that help desk personnel do not have access to personnel data, and this is covered under the security policy. The more critical issue is that the application complied with the security policy. D. Cloud applications should adhere to the organization-defined security policies to ensure that the data in the cloud are protected in a manner consistent with internal applications. These include, but are not limited to, the password policy, user access management policy and data classification policy.
Which of the following does a lack of adequate security controls represent? A. Threat B. Asset C. Impact D. Vulnerability
D. Vulnerability A. A threat is anything (e.g., object, substance, human) that is capable of acting against an asset in a manner that can result in harm. A threat exists regardless of controls or a lack of controls. B. An asset is something of either tangible or intangible value that is worth protecting, including people, information, infrastructure, finances and reputation. The asset value is not affected by a lack of controls. C. Impact represents the outcome or result of a threat exploiting a vulnerability. A lack of controls would lead to a higher impact, but the lack of controls is defined as a vulnerability, not an impact. D. The lack of adequate security controls represents a vulnerability, exposing sensitive information and data to the risk of malicious damage, attack or unauthorized access by hackers. This can result in a loss of sensitive information and lead to the loss of goodwill for the organization. A succinct definition of risk is provided by the Guidelines for the Management of IT Security published by the International Organization for Standardization (ISO), which defines risk as the "potential that a given threat will exploit the vulnerability of an asset or group of assets to cause loss or damage to the assets." The various elements of the definition are vulnerability, threat, asset and impact. Lack of adequate security functionality in this context is a vulnerability.
The MOST important point of consideration for an IS auditor while reviewing an enterprise's project portfolio is that it: A. does not exceed the existing IT budget. B. is aligned with the investment strategy. C. has been approved by the IT steering committee. D. is aligned with the business plan.
D. is aligned with the business plan. A. It should be identified if the project portfolio exceeds the IT budget, but it is not as critical as ensuring that it is aligned with the business plan. B. The project portfolio should be aligned with the investment strategy, but it is most important that it is aligned with the business plan. C. Appropriate approval of the project portfolio should be granted. However, not every enterprise has an IT steering committee, and this is not as critical as ensuring that the projects are aligned with the business plan. D. Portfolio management takes a holistic view of an enterprise's overall IT strategy, which, in turn, should be aligned with the business strategy. A business plan provides the justification for each of the projects in the project portfolio, and that is the major consideration for an IS auditor.
When developing a security architecture, which of the following steps should be executed FIRST? Developing security procedures Defining a security policy Specifying an access control methodology Defining roles and responsibilities
Defining a security policy Policy is used to provide direction for procedures, standards and baselines. Therefore, developing security procedures should be executed only after defining a security policy. Defining a security policy for information and related technology is the first step toward building a security architecture. A security policy communicates a coherent security standard to users, management and technical staff. Security policies often set the stage in terms of the tools and procedures that are needed for an organization. This is an implementation concern and should be executed only after defining a security policy. This should be executed only after defining a security policy.
Errors in audit procedures PRIMARILY impact which of the following risk types? Detection risk Inherent risk Control risk Business risk
Detection risk This is the probability that the audit procedures may fail to detect existence of a material error or fraud. This refers to the risk involved in the nature of business or transaction and is not affected by human error. This is the risk that a material error exists that would not be prevented or detected on a timely basis by the system of internal controls. This is not a component of audit risk.
Which of the following factors is MOST critical when evaluating the effectiveness of an IT governance implementation? Ensure that assurance objectives are defined. Determine stakeholder requirements and involvement. Identify relevant risk and related opportunities. Determine relevant enablers and their applicability.
Determine stakeholder requirements and involvement. Stakeholders' needs and their involvement form the basis for scoping the IT governance implementation. This will be used to define assurance objectives. The most critical factor to be considered in auditing an IT governance implementation is to determine stakeholder requirements and involvement. This drives the success of the project. Based on this, the assurance scope and objectives are determined. The relevant risk and related opportunities are identified and driven by the assurance objectives. The relevant enablers and their applicability for the IT governance implementation are considered based on assurance objectives.
During an audit, an IS auditor notices that the IT department of a medium-sized organization has no separate risk management function, and the organization's operational risk documentation only contains a few broadly described types of IT risk. What is the MOST appropriate recommendation in this situation? A. Create an IT risk management department and establish an IT risk framework with the aid of external risk management experts. B. Use common industry standard aids to divide the existing risk documentation into several individual types of risk which will be easier to handle. C. No recommendation is necessary because the current approach is appropriate for a medium-sized organization. D. Establish regular IT risk management meetings to identify and assess risk and create a mitigation plan as input to the organization's risk management.
Establish regular IT risk management meetings to identify and assess risk and create a mitigation plan as input to the organization's risk management. A. A medium-sized organization would normally not have a separate IT risk management department. Moreover, the risk is usually manageable enough so that external help would not be needed. B. While common risk may be covered by industry standards, they cannot address the specific situation of an organization. Individual types of risk will not be discovered without a detailed assessment from within the organization. Splitting the one risk position into several is not sufficient to manage IT risk. C. The auditor should recommend a formal IT risk management effort because the failure to demonstrate responsible IT risk management may be a liability for the organization. D. Establishing regular IT risk management meetings is the best way to identify and assess IT-related risk in a medium-sized organization, to address responsibilities to the respective management and to keep the risk register and mitigation plans up to date.
Which of the following BEST supports the prioritization of new IT projects? Internal control self-assessment Information systems audit Investment portfolio analysis Business risk assessment
Investment portfolio analysis This may highlight noncompliance to the current policy but may not necessarily be the best source for driving the prioritization of IT projects. Like internal CSA, IS audits are mostly a detective control and may provide only part of the picture for the prioritization of IT projects. It is most desirable to conduct an investment portfolio analysis, which will present not only a clear focus on investment strategy but also provide the rationale for terminating nonperforming IT projects. This is part of the investment portfolio analysis but, by itself, is not the best method for prioritizing new IT projects.
An IS auditor is performing a review of an organization's governance model. Which of the following should be of MOST concern to the auditor? The information security policy is not periodically reviewed by senior management. A policy ensuring systems are patched in a timely manner does not exist. The audit committee did not review the organization's global mission statement. An organizational policy related to information asset protection does not exist.
The information security policy is not periodically reviewed by senior management. Data security policies should be reviewed/refreshed once every year to reflect changes in the organization's environment. Policies are fundamental to the organization's governance structure, and, therefore, this is the greatest concern. While it is a concern that there is no policy related to system patching, the greater concern is that the information security policy is not reviewed periodically by senior management. Mission statements tend to be long term because they are strategic in nature and are established by the board of directors and management. This is not the IS auditor's greatest concern because proper governance oversight could lead to meeting the objectives of the organization's mission statement. While it is a concern that there is no policy related to the protection of information assets, the greater concern is that the security policy is not reviewed periodically by senior management because top level support is fundamental to information security governance.
Which of the following choices is the PRIMARY benefit of requiring a steering committee to oversee IT investment? To conduct a feasibility study to demonstrate IT value To ensure that investments are made according to business requirements To ensure that proper security controls are enforced To ensure that a standard development methodology is implemented
To ensure that investments are made according to business requirements A steering committee may use a feasibility study in its reviews; however, it is not responsible for performing/conducting the study. A steering committee consists of representatives from the business and IT and ensures that IT investment is based on business objectives rather than on IT priorities. The steering committee is not responsible for enforcing security controls. The steering committee is not responsible for implementing development methodologies.
Which of the following is the GREATEST risk of an inadequate policy definition for ownership of data and systems? User management coordination does not exist. Specific user accountability cannot be established. Unauthorized users may have access to modify data. Audit recommendations may not be implemented.
Unauthorized users may have access to modify data.
The initial step in establishing an information security program is the: development and implementation of an information security standards manual. performance of a comprehensive security control review by the IS auditor. adoption of a corporate information security policy statement. purchase of security access control software.
adoption of a corporate information security policy statement. The security program is driven by policy and the standards are driven by the program. The initial step is to have a policy and ensure that the program is based on the policy. Audit and monitoring of controls related to the program can only come after the program is set up. A policy statement reflects the intent and support provided by executive management for proper security and establishes a starting point for developing the security program. Access control software is an important security control but only after the policy and program are defined.
When reviewing an organization's strategic IT plan, an IS auditor should expect to find: an assessment of the fit of the organization's application portfolio with business objectives. actions to reduce hardware procurement cost. a listing of approved suppliers of IT contract resources. a description of the technical architecture for the organization's network perimeter security.
an assessment of the fit of the organization's application portfolio with business objectives. An assessment of how well an organization's application portfolio supports the organization's business objectives is a key component of the overall IT strategic planning process. This assessment drives the demand side of IT planning and should convert into a set of strategic IT intentions. Further assessment can then be made of how well the overall IT organization, encompassing applications, infrastructure, services, management processes, etc. can support the business objectives. The purpose of an IT strategic plan is to set out how IT will be used to achieve or support an organization's business objectives. Operational efficiency initiatives, including cost reduction of purchasing and maintenance activities of systems, belong to tactical planning, not strategic planning. This is a tactical rather than a strategic concern. An IT strategic plan would not normally include detail of a specific technical architecture.
Responsibility for the governance of IT should rest with the: IT strategy committee. chief information officer. audit committee. board of directors.
board of directors. This group plays a significant role in the successful implementation of IT governance within an organization, but the ultimate responsibility resides with the board of directors. This individual plays a significant role in the successful implementation of IT governance within an organization, but the ultimate responsibility resides with the board of directors. This group plays a significant role in monitoring and overseeing the successful implementation of IT governance within an organization, but the ultimate responsibility resides with the board of directors. Governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risk is managed appropriately and verifying that the enterprise's resources are used responsibly.
IS control objectives are useful to IS auditors because they provide the basis for understanding the: desired result or purpose of implementing specific control procedures. best IS security control practices relevant to a specific entity. techniques for securing information. security policy.
desired result or purpose of implementing specific control procedures. An IS control objective is defined as the statement of the desired result or purpose to be achieved by implementing control procedures in a particular IS activity. Control objectives provide the actual objectives for implementing controls and may or may not be based on good practices. Techniques are the means of achieving an objective, but it is more important to know the reason and objective for the control than to understand the technique itself. This mandates the use of IS controls, but the controls are not used to understand policy.
The PRIMARY benefit of implementing a security program as part of a security governance framework is the: alignment of the IT activities with IS audit recommendations. enforcement of the management of security risk. implementation of the chief information security officer's recommendations. reduction of the cost for IT security.
enforcement of the management of security risk. Recommendations, visions and objectives of the IS auditor are usually addressed within a security program, but they would not be the major benefit. The major benefit of implementing a security program is management's assessment of risk and its mitigation to an appropriate level, and monitoring of the residual risk. Recommendations, visions and objectives of the chief information security officer are usually included within a security program, but they would not be the major benefit. The cost of IT security may or may not be reduced.
Question A decision support system is used to help high-level management: solve highly structured problems. combine the use of decision models with predetermined criteria. make decisions based on data analysis and interactive models. support only structured decision-making tasks.
make decisions based on data analysis and interactive models. A DSS is aimed at solving less structured problems. A DSS combines the use of models and analytic techniques with traditional data access and retrieval functions but is not limited by predetermined criteria. A decision support system (DSS) emphasizes flexibility in the decision-making approach of management through data analysis and the use of interactive models, not fixed criteria. A DSS supports semistructured decision-making tasks.
As a driver of IT governance, transparency of IT's cost, value and risk is primarily achieved through: performance measurement. strategic alignment. value delivery. resource management.
performance measurement. This includes setting and monitoring measurable objectives of that which the IT processes need to deliver (process outcome), and how they deliver it (process capability and performance). Transparency is primarily achieved through performance measurement, because it provides information to the stakeholders on how well the enterprise is performing when compared to objectives. This primarily focuses on ensuring linkage of business and IT plans, not on transparency. This is about executing the value proposition throughout the delivery cycle. Value delivery ensures that IT investments deliver on promised values but does not ensure transparency of investment. This is about the optimal investment in and proper management of critical IT resources but does not ensure transparency of IT investments.
An IS auditor is performing a review of the software quality management process in an organization. The FIRST step should be to: verify how the organization complies with the standards. identify and report the existing controls. review the metrics for quality evaluation. request all standards adopted by the organization.
request all standards adopted by the organization. The auditor needs to know what standards the organization has adopted and then measure compliance with those standards. Determining how the organization follows the standards is secondary to knowing what the standards are. The other items listed—verifying how well standards are being followed, identifying relevant controls and reviewing the quality metrics—are secondary to the identification of standards. The first step is to know the standards and what policies and procedures are mandated for the organization, then to document the controls and measure compliance. The metrics cannot be reviewed until the auditor has a copy of the standards that describe or require the metrics. Because an audit measures compliance with the standards of the organization, the first step of the review of the software quality management process should be to determine the evaluation criteria in the form of standards adopted by the organization. The evaluation of how well the organization follows their own standards cannot be performed until the IS auditor has determined what standards exist.
The output of the risk management process is an input for making: business plans. audit charters. security policy decisions. software design decisions.
security policy decisions. Making a business plan is not the ultimate goal of the risk management process. Risk management can help create the audit plan, but not the audit charter. The risk management process is about making specific, security-related decisions, such as the level of acceptable risk. Risk management will drive the design of security controls in software but influencing security policy is more important.
In a review of the human resources policies and procedures within an organization, an IS auditor is MOST concerned with the absence of a: requirement for periodic job rotations. process for formalized exit interviews. termination checklist. requirement for new employees to sign a nondisclosure agreement.
termination checklist. Job rotation is a valuable control to ensure continuity of operations, but not the most serious human resources policy risk. Holding an exit interview is desirable when possible to gain feedback but is not a serious risk. A termination checklist is critical to ensure the logical and physical security of an enterprise. In addition to preventing the loss of enterprise property that was issued to the employee, there is the risk of unauthorized access, intellectual property theft and even sabotage by a disgruntled former employee. Signing a NDA is a recommended human resources practice, but a lack of an NDA is not the most serious risk listed.
A poor choice of passwords and unencrypted data transmissions over unprotected communications lines are examples of: vulnerabilities. threats. probabilities. impacts.
vulnerabilities. These represent weaknesses of information resources that may be exploited by a threat. Because these are weaknesses that can be addressed by the security specialist, they are examples of vulnerabilities. Threats are circumstances or events with the potential to cause harm to information resources. Threats are usually outside the control of the security specialist. These represent the likelihood of the occurrence of a threat. These represent the outcome or result of a threat exploiting a vulnerability.