DM2: IT Governance

Question 1

involves practices by which an enterprise is directed and controlled, including ethical issues, decision making, and overall practices within the organization

Answer 1

corporate governance

Question 2

leadership and organizational structures and processes that ensure enterprise IT sustains and extends strategies and objectives

Answer 2

IT governance

Question 3

System comprised of stakeholders, Board members, senior mgmt, customer, and other departments that participate in IT decision making processes

Answer 3

Enterprise governance of information and technology (EGIT)

Question 4

Guides the development and management of a comprehensive and cost-effective information security program

Answer 4

information security framework

Question 5

Who is responsible for information security governance?

Answer 5

CEO and Board of Directors through management and resources

Question 6

information security strategy to measure, monitor, and report on information security processes to ensure objectives are met.

Answer 6

Performance management

Question 7

information security strategy to use information security knowledge and infrastructure wisely.

Answer 7

Resource management

Question 8

information security strategy to combine different assurance processes as one complete process

Answer 8

Process Integration

Question 9

who are the main contributors of IT Strategic Plans?

Answer 9

IT Dept. Management, IT Steering Committee, and Strategy Committee

Question 10

The IT Strategic Plan should consider:

Answer 10

1) Functional fit of IT infrastructure and key support processes
2) ROI of existing IT and legacy systems
3) maintenance cost of existing systems and costs of new initiatives/systems

Question 11

IT Strategic plans should be synchronized with overall business strategy.

Answer 11

TRUE

Question 12

Operation and business development plans should be considered in IT Strategy.

Answer 12

TRUE

Question 13

Business goals should be considered when updating and communicating IT Strategy.

Answer 13

TRUE

Question 14

What is needed to deliver effective Business Intelligence?

Answer 14

A data governance architecture

Question 15

What are the two components of a data architecture?

Answer 15

enterprise data flow architecture (EDFA) and logical data architecture

Question 16

Data flow layer where end users directly deal with information and includes desktop tools like spreadsheets, querying tools, reporting suites, and other applications.

Answer 16

Presentation Layer

Question 17

Data flow layer where enterprise information is stored from sources like operational data, external data, and nonoperational data.

Answer 17

Data source layer

Question 18

where all (or most) of organizational data is captured and organized to assisted with reporting and analysis.

Answer 18

Core Data Warehouse (CDW)

Question 19

Data flow layer where multiple subsets of information from data warehouse are selected and organized to meet needs of a specific business unit. Ex. OLAP

Answer 19

Data mart layer

Question 20

Data flow layer responsible for data copying, transformation into
DW format and quality control.

Answer 20

Data staging and quality layer

Question 21

Data flow layer used to connect the data storage and quality layer with data stores in the data source layer and, in the process, avoiding the need to know exactly how these data stores are organized.

Answer 21

Data access layer

Question 22

Data flow layer that is concerned with the assembly and preparation of data for loading into data marts.

Answer 22

Data preparation layer

Question 23

Data flow layer that includes “data about data”

Answer 23

Metadata Repository Layer

Question 24

Data flow layer that is used to schedule tasks necessary to build and maintain the data warehouse and populate data marts

Answer 24

Warehouse Management Layer

Question 25

Data flow layer concerned with transporting information between
the various layers. In addition to business data, this layer encompasses generation, storage and targeted communication of control messages.

Answer 25

Application messaging layer

Question 26

Data flow layer concerned with basic data communication. Included here are browser-based user interfaces and TCP/IP networking.

Answer 26

Internet/Intranet layer

Question 27

Data diagram model used to deconstruct and visualize business processes

Answer 27

Swim-lane diagrams

Question 28

Data diagram model used to outline major processes of an organization and the external parties with which the business interacts

Answer 28

Context diagrams

Question 29

EGIT framework that ensures:
-IT is aligned with the business
-IT enables the business and maximizes benefits
-IT resources are used responsibly
-IT risks are managed appropriately

Answer 29

COBIT

Question 30

EGIT framework that is a set of best practices to guide organizations in implementing and maintainig information security programs.

Answer 30

ISO/IEC 27000

Question 31

EGIT framework focused on service management and how to achieve successful operational service management of IT and deliver business value

Answer 31

ITIL

Question 32

Maturity model that focuses on security

Answer 32

O-ISM3

Question 33

EGIT framework providing guiding principles on the effective, efficient, and acceptable use of IT within an organization.

Answer 33

ISO/IEC 38500:2015

Question 34

EGIT framework that is a specification for service management and includes specific requirements for service management improvement and guidance for application

Answer 34

ISO/IEC 20000

Question 35

practices intended to keep products and services reliable and effective; they prescribe how to accomplish something

Answer 35

standards

Question 36

What should an information security policy include?

Answer 36

-organization’s definition of information security, objectives, and scope
-management goals and strategies
-framework for setting objectives and controls (risk assessment/management)
-explanation of policies, standards, and compliance requirements
-definitions of responsibility of information security maangement
-documentation references to policies

Question 37

The information security policy should be communicated in an accessible and understandable manner.

Answer 37

TRUE

Question 38

high-level policy that includes statements on confidentiality, integrity, and availability.

Answer 38

Information management policy

Question 39

policy that generally includes information for all information resources and describes the permissions for the usage of IT and IT related resources

Answer 39

acceptable use policy

Question 40

policy that describes method for defining and granting users the access to IT resources

Answer 40

access control policy

Question 41

policy that describes the classification of data, levels of control of each classification, and the responsibilities and ownership of users

Answer 41

data classification policy

Question 42

policy that describes the parameters of and usage of desktop, mobile computing, and other tools (ex. remote work)

Answer 42

end-user computing policy

Question 43

When should information security policies be updated?

Answer 43

1) at least annually
2) after significant changes in enterprise operations
3) when new security risk is identified

Question 44

What are some things that should be considered when management performs reviews of the information security policy?

Answer 44

• stakeholder feedback
• results from other independent and management reviews
• status of current actions
• use of outsourcing
• current trends
• reported security incidents
• recommendations from relevant authorities

Question 45

Board of Directors should ensure that the organization follows laws, behaves ethically, and uses resources effectively

Answer 45

TRUE

Question 46

Board of Directors should be aware of information assets and their criticality to the business

Answer 46

TRUE

Question 47

Board of Directors should periodically review comprehensive risk assessments and business impact analysis

Answer 47

TRUE

Question 48

Board of Directors should conduct business dependency assessments of information resources

Answer 48

TRUE

Question 49

What is the role of an Information Security Steering Committee?

Answer 49

1) facilitate consensus on priorities and trade-offs
2) communicate effectively across the organization
3) confirm that security and business objectives are aligned
4) encourage desired organizational behaviors

Question 50

What is the IT Steering Committee?

Answer 50

committee that verifies if the IT department is aligned with corporate mission and objectives;

Question 51

What is the role of an IT Steering Committee?

Answer 51

1) review long/short term plans of the IT dept. to ensure they align with corporate objectives
2) review/approve major IT acquisitions
3) approve/monitor projects and budgets
4) review/approve resource strategies (in-/outsourcing)
5) determine centralization level of IT
6) develop/support information security management program
7) report to the Board of Directors the above activities

Question 52

IT position responsible for programmers and analyst who implement raw systems and maintain existing systems

Answer 52

Systems Development Manager

Question 53

Lack of segregation of duties can lead to:

Answer 53

1) misappropriation of assets
2) misstated financial statements
3) inaccurate reporting
4) improper use of funds
5) unauthorized changes to data/programs

Question 54

What are some compensating controls for lack of segregation of duties?

Answer 54

audit trails, reconciliation, exception reporting, transaction logs, supervisory reviews, independent reviews

Question 55

What are some of the documents that should be reviewed by an IS auditor for governance?

Answer 55

IT strategies, security policy documentation, org charts, job descriptions, IT steering committee reports, change program documents, operational procedures, HR manuals, QA procedures

Question 56

Documenting of an organizations IT assets in a structured manner to facilitate understanding, management, and planning for IT investments

Answer 56

Enterprise Architecture (EA)

Question 57

Enterprise architecture that attempts to clarify the complex technology choices faced by modern organizations.

Answer 57

Technology-driven EA

Question 58

Enterprise architecture that attempts to understand an organization in terms of its core value-adding and supporting processes.

Answer 58

business-driven EA

Question 59

What activity involves identifying vulnerabilities and threats to the information resources of an organization and deciding the safeguards to reduce the risk to an acceptable level?

Answer 59

Risk management

Question 60

What is the first step for creating a risk management program?

Answer 60

establishing the purpose of the program and define KPI’s to evaluate effectiveness of the program

Question 61

What is the second step for creating a risk management program?

Answer 61

Designating individuals or team to develop and implement the risk management program