2A - IT Governance

After an organization completed a threat and vulnerability analysis as part of a risk assessment, the final report suggested that an intrusion prevention system (IPS) should be installed at the main Internet gateways and that all business units should be separated via a proxy firewall. Which of the following is the BEST method to determine whether the controls should be implemented?
A cost-benefit analysis
An annual loss expectancy calculation
A comparison of the cost of the IPS and firewall and the cost of the business systems
A business impact analysis

A cost-benefit analysis

Which of the following is MOST critical for the successful implementation and maintenance of a security policy?
Assimilation of the framework and intent of a written security policy by all appropriate parties
Management support and approval for the implementation and maintenance of a security policy
Enforcement of security rules by providing punitive actions for any violation of security rules
Stringent implementation, monitoring and enforcing of rules by the security officer through access control software

Assimilation of the framework and intent of a written security policy by all appropriate parties is correct. This is critical to the successful implementation and maintenance of the security policy. If a policy is not assimilated into daily actions, it will not be effective.

Which of the following factors is MOST critical when evaluating the effectiveness of an IT governance implementation?
Ensure that assurance objectives are defined.
Determine stakeholder requirements and involvement.
Identify relevant risk and related opportunities.
Determine relevant enablers and their applicability.

Determine stakeholder requirements and involvement is correct. The most critical factor to be considered in auditing an IT governance implementation is to determine stakeholder requirements and involvement. This drives the success of the project. Based on this, the assurance scope and objectives are determined.

An IS auditor is evaluating a newly developed IT policy for an organization. Which of the following factors does the IS auditor consider MOST important to facilitate compliance with the policy upon its implementation?
Existing IT mechanisms enabling compliance
Alignment of the policy to the business strategy
Current and future technology initiatives
Regulatory compliance objectives defined in the policy

Existing IT mechanisms enabling compliance is correct. The organization should be able to comply with a policy when it is implemented. The most important consideration when evaluating the new policy should be the existing mechanisms in place that enable the organization and its employees to comply with the policy.

Which of the following is the BEST enabler for strategic alignment between business and IT?
A maturity model
Goals and metrics
Control objectives
A responsible, accountable, consulted and informed (RACI) chart

Goals and metrics. These ensure that IT goals are set based on business goals, and they are the best enablers of strategic alignment.

Which of the following is the initial step in creating a firewall policy?
A cost-benefit analysis of methods for securing the applications
Identification of network applications to be externally accessed
Identification of vulnerabilities associated with network applications to be externally accessed
Creation of an application traffic matrix showing protection methods

Identification of network applications to be externally accessed is correct. Identification of the applications required across the network should be the initial step. After identification, depending on the physical location of these applications in the network and the network model, the person in charge will be able to understand the need for, and possible methods of, controlling access to these applications.

Which of the following is the MOST important element for the successful implementation of IT governance?
Implementing an IT scorecard
Identifying organizational strategies
Performing a risk assessment
Creating a formal security policy

Identifying organizational strategies is correct. The key objective of an IT governance program is to support the business; therefore, the identification of organizational strategies is necessary to ensure alignment between IT and corporate governance. Without identification of organizational strategies, the remaining choices—even if implemented—would be ineffective.

When auditing the IT governance framework and IT risk management practices that exist within an organization, the IS auditor identified some undefined responsibilities regarding IT management and governance roles. Which of the following recommendations is the MOST appropriate?
Review the strategic alignment of IT with the business.
Implement accountability rules within the organization.
Ensure that independent IS audits are conducted periodically.
Create a chief risk officer role in the organization.

Implement accountability rules within the organization is correct. IT risk is managed by embedding accountability into the enterprise. The IS auditor should recommend the implementation of accountability rules to ensure that all responsibilities are defined within the organization. Note that this question asks for the best recommendation—not about the finding itself.

Which of the following should be of GREATEST concern to an IS auditor when reviewing an information security policy? The policy:
is driven by an IT department's objectives.
is published, but users are not required to read the policy.
does not include information security procedures.
has not been updated in over a year.

Is driven by an IT department's objectives is correct. Business objectives drive the information security policy, and the information security policy drives the selection of IT department objectives. A policy driven by IT objectives is at risk of not being aligned with business goals.

In the context of effective information security governance, the primary objective of value delivery is to:
optimize security investments in support of business objectives.
implement a standard set of security practices.
institute a standards-based solution.
implement a continuous improvement culture.

Optimize security investments in support of business objectives is correct. In the context of effective information security governance, value delivery is implemented to ensure optimization of security investments in support of business objectives.

Which of the following is MOST important to consider when reviewing the classification levels of information assets?
Potential loss
Financial cost
Potential threats
Cost of insurance

Potential loss

By evaluating application development projects against the capability maturity model (CMM), an IS auditor should be able to verify that:
reliable products are guaranteed.
programmers' efficiency is improved.
security requirements are designed.
predictable software processes are followed.

Predictable software processes are followed is correct. By evaluating the organization's development projects against the capability maturity model, an IS auditor determines whether the development organization follows a stable, predictable software development process.

The PRIMARY objective of implementing corporate governance is to:
provide strategic direction.
control business operations.
align IT with business.
implement good practices.

Provide strategic direction is correct. Corporate governance is a set of management practices to provide strategic direction to the organization as a whole, thereby ensuring that goals are achievable, risk is properly addressed and organizational resources are properly used. Hence, the primary objective of corporate governance is to provide strategic direction.

As a result of profitability pressure, senior management of an enterprise decided to keep investments in information security at an inadequate level. Which of the following is the BEST recommendation of an IS auditor?
Use cloud providers for low-risk operations.
Revise compliance enforcement processes.
Request that senior management accept the risk.
Postpone low-priority security procedures.

Request that senior management accept the risk is correct. Senior management determines resource allocations. Having established that the level of security is inadequate, it is imperative that senior management accept the risk resulting from their decisions.

An organization has a well-established risk management process. Which of the following risk management practices would MOST likely expose the organization to the greatest amount of compliance risk?
Risk reduction
Risk transfer
Risk avoidance
Risk mitigation

Risk transfer is correct. This typically addresses financial risk. For instance, an insurance policy is commonly used to transfer financial risk, while compliance risk continues to exist.

Which of the following should an IS auditor recommend to BEST enforce alignment of an IT project portfolio with strategic organizational priorities?
Define a balanced scorecard for measuring performance.
Consider user satisfaction in the key performance indicators.
Select projects according to business benefits and risk.
Modify the yearly process of defining the project portfolio.

Select projects according to business benefits and risk.

When reviewing the development of information security policies, the PRIMARY focus of an IS auditor should be on assuring that these policies:
are aligned with globally accepted industry good practices.
are approved by the board of directors and senior management.
strike a balance between business and security requirements.
provide direction for implementing security procedures.

Strike a balance between business and security requirements is correct. Because information security policies must be aligned with an organization's business and security objectives, this is the primary focus of the IS auditor when reviewing the development of information security policies.

After the merger of two organizations, multiple self-developed legacy applications from both organizations are to be replaced by a new common platform. Which of the following is the GREATEST risk?
Project management and progress reporting is combined in a project management office that is driven by external consultants.
The replacement effort consists of several independent projects without integrating the resource allocation in a portfolio management approach.
The resources of each of the organizations are inefficiently allocated while they are being familiarized with the other organization's legacy systems.
The new platform will force the business areas of both organizations to change their work processes, which will result in extensive training needs.

The replacement effort consists of several independent projects without integrating the resource allocation in a portfolio management approach is correct. The efforts should be consolidated to ensure alignment with the overall strategy of the postmerger organization. If resource allocation is not centralized, the separate projects are at risk of overestimating the availability of key knowledge resources for the in-house-developed legacy applications.

Which of the following is the BEST reason to implement a policy that places conditions on secondary employment for IT employees?
To prevent the misuse of corporate resources
To prevent conflicts of interest
To prevent employee performance issues
To prevent theft of IT assets

To prevent conflicts of interest
