Design Guide Chapter 1 - 3 Flashcards

(152 cards)

1
Q

A Governance or management objective

A

Always relates to one objective

2
Q

A governance objective relates to a

A

Governance process

3
Q

A management objective relates to a

A

Management process

4
Q

Boards and executive management are typically accountable for

A

Governance Process

5
Q

Management processes are the domain of

A

Senior and Middle Management

6
Q

Governance Objectives are grouped in

A

Evaluate, Direct and Monitor (EDM)

7
Q

EDM - Evaluate, Direct and Monitor

A

Governing body evaluates strategic options, directs senior management and monitors the achievement of the strategy

8
Q

Management objectives are

A

APO - Align, Plan, and Organize
BAI - Build, Acquire, and Implement
DSS - Deliver, Service, and Support
MEA - Monitor, Evaluate and Assess

9
Q

APO

A

Align, Plan, and Organize - Addresses the overall organization, strategy, and supporting activities for I&T

10
Q

BAI

A

Build, Acquire, and Implement - Treats the definition, acquisition, and implementation of I&T solutions and their integration in the business process.

11
Q

DSS

A

Deliver, Service, and Support - Addresses operational delivery and support of I&T services, including security.

12
Q

MEA

A

Monitor, Evaluate, and Assess - Addresses performance monitoring and conformance of I&T with internal performance targets, internal control objectives and external requirements.

13
Q

EDM01

A

Ensured governance framework setting and maintenance

14
Q

EDM02

A

Ensured benefits delivery

15
Q

EDM03

A

Ensured risk optimization

16
Q

EDM04

A

Ensured resource optimization

17
Q

EDM05

A

Ensured stakeholder engagement

18
Q

APO01

A

Managed I&T Management Framework

19
Q

APO02

A

Managed Strategy

20
Q

APO03

A

Managed Enterprise Architecture

21
Q

APO04

A

Managed Innovation

22
Q

APO05

A

Managed Portfolio

23
Q

APO06

A

Managed Budget and Costs

24
Q

APO07

A

Managed Human Resources

25
APO08
Managed Relationships
26
APO09
Managed Service Agreements
27
APO10
Managed Vendors
28
APO11
Managed Quality
29
APO12
Managed Risks
30
APO13
Managed Security
31
APO14
Managed Data
32
BAI01
Managed Programs
33
BAI02
Managed Requirement Definitions
34
BAI03
Managed Solution Identification and build
35
BAI04
Managed Availability and Capacity
36
BAI05
Managed Organization Change
37
BAI06
Managed IT Changes
38
BAI07
Managed IT Change Acceptance and Transitioning
39
BAI08
Managed Knowledge
40
BAI09
Managed Assets
41
BAI10
Managed Configuration
42
BAI11
Managed Projects
43
DSS01
Managed Operations
44
DSS02
Managed Service Requests and Incidents
45
DSS03
Managed Problems
46
DSS04
Managed Continuity
47
DSS05
Managed Security Service
48
DSS06
Managed Business Process Control
49
MEA01
Managed Performance and Conformance Monitoring
50
MEA02
Managed System and Internal Control
51
MEA03
Managed Compliance with External Requirements
52
MEA04
Managed Assurance
53
Components are factors that
Individually and collectively, contribute to the good operation of the enterprise's governance system over I&T
54
Components interact with each other
resulting in a holistic governance system for I&T
55
Components can be of different types:
Processes; Organizational Structures; Policies and Procedures; Information Items; Culture and Behavior; Skills and Competencies; and Services, Infrastructure, and Applications.
56
Generic Components are
those described in the COBIT Core Model; they apply in any situation but need to be customized.
57
Variant Components are
based on generic components but tailored for a specific context or purpose within a focus area.
58
Focus Area
Describes a certain governance topic, domain or issue that can be addressed by a collection of governance and management objectives and their governance.
59
Examples of Focus Areas
Small and Middle Enterprises; Cybersecurity; Digital Transformation; Cloud Computing; Privacy; DevOps.
60
Capability Levels (CMMI - Capability Maturity Model Integration)
Measure for how well a process is implemented and performing.
61
Capability Level - 0
- Lack of any basic capability
- Incomplete approach to addressing governance and management purpose
- May or may not be meeting the intent of any process practice
62
Capability Level - 1
The process more or less achieves its purpose through the application of an incomplete set of activities that can be characterized as initial or intuitive, i.e., not very organized.
63
Capability Level - 2
The process achieves its purpose through the application of a basic, yet complete, set of activities that can be characterized as performed.
64
Capability Level - 3
The process achieves its purpose in a much more organized way using organizational assets. Processes are typically well-defined.
65
Capability Level - 4
The process achieves its purpose, is well defined, and its performance is (quantitatively) measured.
66
Capability Level - 5
The process achieves its purpose, is well defined, performance is measured to improve performance and continuous improvement is pursued.
67
Capability Level - Any level at 3 or up is called ...
Higher
68
Capability Level - Anything below 3 is called ...
Lower
69
Design Factors are
Factors that can influence the design of an enterprise's governance system and position it for success in the use of I&T.
70
The Design Factors are:
- Enterprise Strategy
- Enterprise Goals
- Risk Profile
- I&T-Related Issues
- Threat Landscape
- Compliance Requirements
- Role of IT
- Sourcing Model for IT
- IT Implementation Methods
- Technology Adoption Strategy
- Enterprise Size
71
Enterprise Strategy
Enterprises can have different strategies, which can be expressed as one or more of the archetypes. Organizations typically have a primary strategy and, at most, one secondary strategy.
72
Example of Enterprise Strategies
- Growth/Acquisition - The enterprise has a focus on growing revenues.
- Innovation/Differentiation - The enterprise has a focus on offering different and/or innovative products and services to their clients.
- Cost Leadership - The enterprise has a focus on short-term cost minimization.
- Client Service/Stability - The enterprise has a focus on providing a stable and client-oriented service.
73
Enterprise goals
Supporting the enterprise strategy - Enterprise strategy is realized by the achievement of (a set of) enterprise goals. These goals are defined in the COBIT framework and structured along the balanced scorecard (BSC) dimensions: Financial, Customer, Internal, Growth.
74
Enterprise Goal - Financial
EG01 - Portfolio of competitive products and services
EG02 - Managed business risk
EG03 - Compliance with external laws and regulations
EG04 - Quality of financial information
75
Enterprise Goal - Customer
EG05 - Customer-oriented service culture
EG06 - Business service continuity and availability
EG07 - Quality of management information
76
Enterprise Goal - Internal
EG08 - Optimization of internal business process functionality
EG09 - Optimization of business process costs
EG10 - Staff skills, motivation and productivity
EG11 - Compliance with internal policies
77
Enterprise Goal - Growth
EG12 - Managed digital transformation programs
EG13 - Product and business innovation
78
Risk Profile
Risk profile of the enterprise and current issues in relation to I&T: the risk profile identifies the sort of IT-related risk to which the enterprise is currently exposed and indicates which areas of risk exceed the risk appetite.
79
Risk Category 1 - IT investment decision making, portfolio definition, and maintenance
Risk scenarios:
A. Programs selected for implementation misaligned with corporate strategy and priorities
B. Failure of IT-related investments to support the digital strategy of the enterprise
C. Selection of wrong software (in terms of cost, performance, features, compatibility, redundancy, etc.) for acquisition and implementation
D. Selection of wrong infrastructure (in terms of cost, performance, features, compatibility, etc.) for implementation
E. Duplication or important overlaps between different investment initiatives
F. Long-term incompatibility between new investment programs and enterprise architecture
G. Misallocation, inefficient manage
80
Risk Category 2 - Program and project lifecycle management
A. Failure of senior management to terminate failing projects (due to cost explosion, excessive delays, scope creep, and changed business priorities)
B. Budget overruns for I&T projects
C. Lack of quality of I&T projects
D. Late delivery of I&T projects
E. Failure of third-party outsourcers to deliver projects as per contractual agreements (any combination of exceeded budgets, quality problems, missing functionality, late delivery)
81
Risk Category 3 - IT cost and oversight
A. Extensive dependency on, and use of, user-created, user-defined, user-maintained applications and ad hoc solutions
B. Excess cost and/or ineffectiveness of I&T-related purchases outside of the I&T procurement process
C. Inadequate requirements leading to ineffective Service Level Agreements (SLAs)
D. Lack of funds for I&T-related investments
82
Risk Category 4 - IT expertise, skills and behavior
A. Lack or mismatch of IT-related skills within IT (e.g., due to new technologies or working methods)
B. Lack of business understanding by IT staff that affects service delivery/project quality
C. Inability to recruit and retain IT staff
D. Recruitment of unsuitable profiles because of lack of due diligence in the recruitment process
E. Lack of I&T training
F. Overreliance for I&T services on key staff
83
Risk Category 5 - Enterprise/IT architecture
A. Complex, inflexible enterprise architecture (EA), obstructing further evolution and expansion, and leading to missed business opportunities
B. Failure to timely adopt and exploit new infrastructure or abandon obsolete infrastructure
C. Failure to timely adopt and exploit new software (functionality, optimization, etc.) or to abandon obsolete applications
D. Undocumented EA leading to inefficiencies and duplications
E. Excessive number of exceptions on enterprise architecture standards
84
Risk Category 6 - IT operational infrastructure incidents
A. Accidental damaging of IT equipment
B. Errors by IT staff (during backup, during upgrades of systems, during maintenance of systems, etc.)
C. Incorrect information input by IT staff or system users
D. Destruction of data center (sabotage, etc.) by staff
E. Theft of device with sensitive data
F. Theft of a key infrastructure component
G. Erroneous configuration of hardware components
H. Intentional tampering with hardware (security devices, etc.)
I. Abuse of access rights from prior roles to access IT infrastructure
J. Loss of backup media or backups not checked for effectiveness
K. Loss of data by cloud provider
L. Operational-service interruption by cloud providers
85
Risk Category 7 - Unauthorized actions
A. Tampering with software
B. Intentional modification or manipulation of software leading to incorrect data
C. Intentional modification or manipulation of software leading to fraudulent actions
D. Unintentional modification of software leading to inaccurate results
E. Unintentional configuration and change-management errors
86
Risk Category 8 - Software adoption/usage problems
A. Nonadoption of new application software by users
B. Inefficient use of new software by users
87
Risk Category 9 - Hardware incidents
A. System instability in the wake of installing new infrastructure, leading to operational incidents (e.g., BYOD program)
B. Inability of systems to handle transaction volumes when user volumes increase
C. Inability of systems to handle load when new applications or initiatives are deployed
D. Utilities failure (telecom, electricity)
E. Hardware failure due to overheating and/or other environmental conditions like humidity
F. Damaging of hardware components leading to destruction of data by internal staff
G. Loss/disclosure of portable media containing sensitive data (CD, USB drives, portable disks, etc.)
H. Extended resolution time or support delays in case of hardware incidents
88
Risk Category 10 - Software failures
A. Inability to use the software to realize desired outcomes (e.g., failure to make required business model or organizational changes)
B. Implementation of immature software (early adopters, bugs, etc.)
C. Operational glitches when new software is made operational
D. Regular software malfunctioning of critical application software
E. Obsolete application software (outdated, poorly documented, expensive to maintain, difficult to extend, not integrated in current architecture, etc.)
F. Inability to revert back to former versions in case of operational issues with a new version
G. Software-induced corrupted data(base) leading to inaccessible data
89
Risk Category 11 - Logical attacks (hacking, malware, etc.)
A. Unauthorized (internal) users trying to break into systems
B. Service interruption due to denial-of-service (DoS) attack
C. Website defacement
D. Malware attack
E. Industrial espionage
F. Hacktivism
G. Disgruntled employee implements a time bomb which leads to data loss
H. Company data stolen through unauthorized access gained by a phishing attack
I. Foreign government attacks on critical systems
90
Risk Category 12 - Third-party/supplier incidents
A. Inadequate performance of outsourcer in large-scale, long-term outsourcing arrangement (e.g., through lack of supplier due diligence regarding financial viability, delivery capability and sustainability of supplier's service)
B. Accepting unreasonable terms of business from IT suppliers
C. Inadequate support and services delivered by vendors, not in line with SLA
D. Noncompliance with software license agreements (use and/or distribution of unlicensed software)
E. Inability to transfer to alternative suppliers due to overreliance or overdependence on current supplier
F. Purchase of IT services (especially cloud services) by the business without consultation/involvement of IT, resulting in inability to integrate the service with in-house services
G. Inadequate or unenforced SLA to obtain agreed services and penalties in case of noncompliance
91
Risk Category 13 - Noncompliance
A. Noncompliance with national or international regulations (e.g., privacy, accounting, manufacturing, environmental, etc.)
B. Lack of awareness of potential regulatory changes that may have a business impact
C. Operational obstacles caused by regulations
D. Failure to comply with internal procedures
92
Risk Category 14 - Geopolitical issues
A. Lack of access due to disruptive incident in other premises
B. Government interference and national policies impacting the business
C. Targeted action from government-sponsored groups or agencies
93
Risk Category 15 - Industrial action
A. Facilities and building inaccessible because of labor union strike
B. Third-party providers unable to provide services because of strike
C. Key staff unavailable through industrial action (e.g., transportation or utilities strike)
94
Risk Category 16 - Acts of nature
A. Earthquake destroying or damaging important IT infrastructure
B. Tsunami destroying critical premises
C. Major storms and tropical cyclone or tornado damaging critical infrastructure
D. Major wildfire
E. Flooding
F. Rising water table leaving critical location unusable
G. Rising temperature rendering critical locations uneconomical to operate
95
Risk Category 17 - Technology-based innovation
A. Failure to identify new and important technology trends
B. Failure to appreciate the value and potential of new technologies
C. Failure to adopt and exploit new technologies in a timely manner (functionality, process optimization, etc.)
D. Failure to provide technology support for new business models
96
Risk Category 18 - Environmental
A. Environmentally unfriendly equipment (e.g., power consumption, packaging)
97
Risk Category 19 - Data and information management
A. Discovery of sensitive information by unauthorized persons due to inefficient retaining/archiving/disposing of information
B. Intentional illicit or malicious modification of data
C. Unauthorized disclosure of sensitive information through email or social media
D. Loss of IP and/or leakage of competitive information
98
I&T-related issues
A related method for an I&T risk assessment for the enterprise is to consider which I&T-related issues it currently faces or, in other words, what I&T-related risk has materialized.
99
I&T-related issues A
Frustration between different IT entities across the organization because of a perception of low contribution to business value
100
I&T-related issues B
Frustration between business departments (i.e., the IT customer) and the IT department because of failed initiatives or a perception of low contribution to business value
101
I&T-related issues C
Significant IT-related incidents, such as data loss, security breaches, project failure, application errors, etc., linked to IT
102
I&T-related issues D
Service delivery problems by the IT outsourcer(s)
103
I&T-related issues E
Failures to meet IT related regulatory or contractual requirements
104
I&T-related issues F
Regular audit findings or other assessment reports about poor IT performance or reported IT quality or service problems
105
I&T-related issues G
Substantial hidden and rogue IT spending, that is, IT spending by user departments outside the control of the normal IT investment decision mechanisms and approved budgets
106
I&T-related issues H
Duplications or overlaps between various initiatives or other forms of wasting resources
107
I&T-related issues I
Insufficient IT resources, staff with inadequate skills or staff burnout/dissatisfaction
108
I&T-related issues J
IT-enabled changes or projects frequently failing to meet business needs and delivered late or over budget
109
I&T-related issues K
Reluctance by board members, executives or senior management to engage with IT, or lack of committed business sponsors for IT
110
I&T-related issues L
Complex IT operating model and/or unclear decision mechanisms for IT-related decisions
111
I&T-related issues M
Excessively high cost of IT
112
I&T-related issues N
Obstructed or failed implementations of new initiatives or innovations caused by the current IT architecture and system
113
I&T-related issues O
Gap between business and technical knowledge which leads to business users and IT and/or technology specialists speaking different languages
114
I&T-related issues P
Regular issues with data quality and integration of data across various sources
115
I&T-related issues Q
High level of end-user computing, creating (among other problems) a lack of oversight and quality control over the applications that are being developed and put in operation
116
I&T-related issues R
Business departments implementing their own information solutions with little or no involvement of the enterprise IT department
117
I&T-related issues S
Ignorance and/or noncompliance with security and privacy regulations
118
I&T-related issues T
Inability to exploit new technologies or to innovate using I&T
119
Threat landscape
The threat landscape under which the enterprise operates can be classified as Normal or High.
120
Threat landscape - Normal
The enterprise is operating under what are considered normal threat levels
121
Threat landscape - High
Due to its geopolitical situation, industry sector or particular profile, the enterprise is operating in a high-threat environment.
122
Compliance requirements
The compliance requirements to which the enterprise is subject can be classified according to the categories:
- Low compliance requirements
- Normal compliance requirements
- High compliance requirements
123
Low compliance requirements
The enterprise is subject to a minimal set of regular compliance requirements that are lower than average.
125
Normal compliance requirements
The enterprise is subject to a set of regular compliance requirements that are common across different industries.
126
High compliance requirements
The enterprise is subject to higher than average compliance requirements, most often related to industry sector or geopolitical conditions.
127
Role of IT
The role of IT for the enterprise can be classified as Support, Factory, Turnaround and Strategic.
128
Role of IT - Support
IT is not crucial for the running and continuity of the business process and services, nor for their innovation.
129
Role of IT - Factory
When IT fails, there is an immediate impact on the running and continuity of the business processes and services. However, IT is not seen as a driver for innovating business processes and services.
130
Role of IT - Turnaround
IT is seen as a driver for innovating business processes and services. At this moment, however, there is not a critical dependency of IT for the current running and continuity of the business processes and services.
131
Role of IT - Strategic
IT is critical for both running and innovating the organization’s business processes and services.
132
Sourcing model for IT
The sourcing model the enterprise adopts can be classified as:
- Outsourcing
- Cloud
- Insourced
- Hybrid
133
Sourcing model for IT - Outsourcing
The enterprise calls upon the services of a third party to provide IT services.
134
Sourcing model for IT - Cloud
The enterprise maximizes the use of the cloud for providing IT services to its users.
135
Sourcing model for IT - Insourced
The enterprise provides its own IT staff and services.
136
Sourcing model for IT - Hybrid
A mixed model is applied, combining the three models above in varying degrees.
137
IT implementation methods
The methods the enterprise adopts can be classified as:
- Agile
- DevOps
- Traditional
- Hybrid
138
IT implementation methods - Agile
The enterprise uses Agile development working methods for its software development.
139
IT implementation methods - DevOps
The enterprise uses DevOps working methods for software building, deployment and operations.
140
IT implementation methods - Traditional
The enterprise uses a more classic approach towards software development (waterfall) and separates software development and operations.
141
IT implementation methods - Hybrid
The enterprise uses a mix of traditional and modern IT implementation, often referred to as “bimodal IT.”
142
Technology adoption strategy
The technology adoption strategy can be classified as:
- First mover
- Follower
- Slow adopter
143
Technology adoption strategy - First mover
The enterprise generally adopts new technologies as early as possible and tries to gain first-mover advantage.
144
Technology adoption strategy - Follower
The enterprise typically waits for new technologies to become mainstream and proven before adopting them.
145
Technology adoption strategy - Slow adopter
The enterprise is very late in its adoption of new technologies.
146
Enterprise size
Two categories:
- Large enterprise (default) - Enterprises with more than 250 full-time employees (FTEs)
- Small and medium enterprise - Enterprises with 50 to 250 FTEs
147
Why is There no Industry Sector Design Factor?
Every industry sector has its own unique set of requirements regarding expectations from the use of I&T. However, it is possible to capture the key characteristics of an industry sector by a combination of the design factors listed in the preceding tables.
148
Impact of Design Factors
Design factors influence in different ways the tailoring of the governance system of an enterprise. This publication distinguishes three different types of impact:
1. Management Objective Priority and Target Capability Levels
2. Component Variations
3. Specific Focus Areas
149
Impact of Design Factors - Management objective priority/selection
The COBIT core model contains 40 governance and management objectives, each consisting of the process and a number of related components. They are intrinsically equivalent; there is no natural order of priority among them. However, design factors can influence this equivalence and make some governance and management objectives more important than others.

Example: When an enterprise identifies the most relevant enterprise goal(s) from the enterprise goal list and applies the goals cascade, this will lead to a selection of priority management objectives. For example, when EG01 Portfolio of competitive products and services is ranked as very high by an enterprise, this will make management objective APO05 Managed portfolio an important part of this enterprise's governance system.

Example: An enterprise that is very risk averse will give more priority to management objectives that aspire to govern and manage risk and security. Governance and management objectives EDM03 Ensured risk optimization, APO12 Managed risk, APO13 Managed security and DSS05 Managed security services will become important parts of that enterprise's governance system and will have higher target capability levels defined for them.

Example: An enterprise in which the role of IT is strategic and crucial to the success of the business will require high involvement of IT-related roles in organizational structures, a thorough understanding of business by IT professionals (and vice versa), and a focus on strategic processes such as APO02 Managed strategy and APO08 Managed relationships.
150
Impact of Design Factors - Component Variation
Components are required to achieve governance and management objectives. Design factors can mandate specific variations of components or can influence the importance of components.

Example: Small and medium enterprises might not need the full set of roles and organizational structures as laid out in the COBIT core model, but may use a reduced set instead. This reduced set of governance and management objectives and the included components is defined in the small and medium enterprise focus area.

Example: An enterprise which operates in a highly regulated environment will attribute more importance to documented work products and policies and procedures and to some roles, e.g., the compliance officer function.

Example: An enterprise that uses DevOps in solution development and operations will require specific activities, organizational structures, culture, etc., focused on BAI03 Managed solutions identification and build and DSS01 Managed operations.
151
Impact of Design Factors - Need for specific focus area guidance
Some design factors, such as threat landscape, specific risk, target development methods, infrastructure set-up, will drive the need for variation of the core COBIT model content to a specific context. Example: Enterprises adopting a DevOps approach will require a governance system that has a variant of several generic COBIT processes, described in the DevOps focus area guidance for COBIT. Example: Small and medium enterprises have less staff, fewer IT resources, and shorter and more direct reporting lines, and differ in many more aspects from large enterprises. For that reason, their governance system for I&T will have to be less onerous, compared to large enterprises. This is described in the SME focus area guidance of COBIT.