Domain 2: Governance and Management of IT
To aid management in achieving IT and business alignment, an IS auditor should recommend the use of: A. control self-assessments. B. a business impact analysis (BIA). C. an IT balanced scorecard (BSC). D. business process reengineering (BPR).
2.3 The correct answer is C. An IT BSC provides the bridge between IT objectives and business objectives by supplementing the traditional financial evaluation with measures to evaluate customer satisfaction, internal processes and the ability to innovate. CSA, BIA and BPR are insufficient to align IT with organizational objectives.
Which of the following does an IS auditor consider the MOST relevant to short-term planning for an IT department?
Allocating resources
An enterprise hosts its data center onsite and has outsourced the management of its key financial applications to a service provider. Which of the following controls BEST ensures that the service provider's employees adhere to the security policies?
An indemnity clause is included in the contract with the service provider.
Which of the following should be considered FIRST when implementing a risk management program?
An understanding of the organization's threat, vulnerability and risk profile
Which of the following does an IS auditor FIRST reference when performing an IS audit?
Approved policies
Which of the following is the initial step in creating a firewall policy?
Identification of network applications to be externally accessed
Which of the following is the MOST important element for the successful implementation of IT governance?
Identifying organizational strategies
Which of the following is the MOST significant function of a corporate public key infrastructure and certificate authority employing X.509 digital certificates?
It binds a digital certificate and its public key to an individual subscriber's identity.
An IS auditor identifies that reports on product profitability produced by an organization's finance and marketing departments give different results. Further investigation reveals that the product definition being used by the two departments is different. What should the IS auditor recommend?
Organizational data governance practices are put in place
Which of the following stakeholders is the MOST important in terms of developing a business continuity plan?
Process owners
An organization has a well-established risk management process. Which of the following risk management practices would MOST likely expose the organization to the greatest amount of compliance risk?
Risk transfer
Which of the following inputs adds the MOST value to the strategic IT initiative decision-making process?
The IT project portfolio analysis
Which of the following situations is addressed by a software escrow agreement?
The vendor of custom-written software goes out of business.
What is the PRIMARY benefit of requiring a steering committee to oversee IT investment?
To ensure that investments are made according to business requirements
A business unit has selected a new accounting application and did not consult with IT early in the selection process. The PRIMARY risk is that: A. the security controls of the application may not meet requirements. B. the application may not meet the requirements of the business users. C. the application technology may be inconsistent with the enterprise architecture (EA). D. the application may create unanticipated support issues for IT.
The correct answer is C.
A. While security controls should be a requirement for any application, the primary focus of the enterprise architecture (EA) is to ensure that new applications are consistent with enterprise standards. While the use of standard supported technology may be more secure, this is not the primary benefit of the EA.
B. When selecting an application, the business requirements as well as the suitability of the application for the IT environment must be considered. If the business units selected their application without IT involvement, they would be more likely to choose a solution that fit their business process the best with less emphasis on how compatible and supportable the solution would be in the enterprise, and this would not be a concern.
C. The primary focus of the EA is to ensure that technology investments are consistent with the platform, data and development standards of the IT organization. The EA defines both a current and future state in areas such as the use of standard platforms, databases or programming languages. If a business unit selected an application using a database or operating system (OS) that is not part of the EA for the business, this would increase the cost and complexity of the solution and ultimately deliver less value to the business.
D. While any new software implementation may create support issues, the primary benefit of the EA is ensuring that the IT solutions deliver value to the business. Decreased support costs may be a benefit of the EA, but the lack of IT involvement in this case would not affect the support requirements.
The initial step in establishing an information security program is the: A. development and implementation of an information security standards manual. B. performance of a comprehensive security control review by the IS auditor. C. adoption of a corporate information security policy statement. D. purchase of security access control software.
The correct answer is C. A policy statement reflects the intent and support provided by executive management for proper security and establishes a starting point for developing the security program.
An IS auditor is reviewing an IT security risk management program. Measures of security risk should
consider the entire IT environment.
A local area network (LAN) administrator normally is restricted from
having programming responsibilities.
An IT steering committee should
maintain minutes of its meetings and keep the board of directors informed
By evaluating application development projects against the capability maturity model (CMM), an IS auditor should be able to verify that
predictable software processes are followed
Establishing the level of acceptable risk is the responsibility of
senior business management
Effective IT governance requires organizational structures and processes to ensure that
the IT strategy extends the organization's strategies and objectives
An IS auditor is evaluating management's risk assessment of information systems. The IS auditor should FIRST review:
threats/vulnerabilities affecting the assets