DM2: IT Management

Question 1

What are the five steps of a the risk management process?

Answer 1

1) Asset Identification
2) Evaluation of threats and vulnerabilities
3) Evaluation of impact
4) Calculation of risk
5) Evaluation/Response to Risk

Question 2

any circumstance or event with potential to cause harm to an information resource (e.g., disclosure, modification of data, denial of service)

Answer 2

Threat

Question 3

What are examples of typical IT assets?

Answer 3

Information/Data;
hardware;
software;
documents;
personnel

Question 4

What are common classes of threats?

Answer 4

errors, malicious attacks, fraud, theft, equipment/software failure

Question 5

What are some common types of vulnerabilities when examining IT risk?

Answer 5

Lack of user knowledge;
Lack of security functionality;
inadequate user awareness/education;
untested technology;
unprotected transmission of information

Question 6

The controls implemented to reduce the vulnerabilities identified during the risk management process

Answer 6

Countermeasures or safeguards

Question 7

The remaining level of risk after controls have been applied

Answer 7

residual risk

Question 8

The acceptable level of risk defined by management

Answer 8

risk appetite

Question 9

Level of IT risk management most concerned with the effectiveness and efficiency of IT systems and supporting infrastructure, the ability to bypass controls, loss/unavailability of key resources, and compliance

Answer 9

operational risk management

Question 10

Level of IT risk management most concerned with project complexities and project risks

Answer 10

project risk management

Question 11

Level of IT risk management most concerned with IT alignment with business strategy, competitors, and threats of evolving technology

Answer 11

strategic risk management

Question 12

risk analysis method that uses words or descriptive rankings to describe risk impact and likelihood; most often used when risk level is low

Answer 12

qualitative risk analysis

Question 13

risk analysis method where words/descriptive scales are directly associated with numeric values; used to reduce subjectivity of descriptive risks

Answer 13

semiquantitative risk analysis

Question 14

risk analysis method using numeric values to describe the likelihood and impacts of risks; uses data from historical data, past experience, theories, testing and experiments

Answer 14

quantitative risk analysis

Question 15

these help facilitate and foster the quality of enterprise IT policies and procedures and are part of governance maturity framework

Answer 15

tools, techniques, and processes (TTP)

Question 16

how IT strategies, policies, and procedures and standards are maintained, used and improved over time as the organization changes

Answer 16

quality management

Question 17

maturity model created to combine the five levels of maturity and best aligns with new software development practices (e.g., iterative development, early definition, model-based design, scalable processes, etc.)

Answer 17

capability maturity model integration (CMMI)

Question 18

maturity model that forms an infrastructure to guide enterprises in planning and implementing an effective software process. Consists of five phases: initiating, diagnosing, establishing, acting, and learning

Answer 18

IDEAL model

Question 19

what are the five phases of the IDEAL maturity model?

Answer 19

initiating, diagnosing, establishing, acting, and learning

Question 20

an enterprises approach to integrating multiple assurance processes that may include internal audit, compliance, operational risk management, and incident risk management.

Answer 20

Governance, risk, and compliance (GRC)

Question 21

process of pre-planning, scheduling, and allocating the limited IT resources to maximize efficiency in achieving enterprise objectives

Answer 21

IT resource management

Question 22

what are some of the financial benefits of IT investment?

Answer 22

cost reductions and revenue increases

Question 23

what are some of the NON-financial benefits of IT investment?

Answer 23

operations and mission performance (e.g., improved customer satisfaction, better information, shorter cycle times)

Question 24

Process for determining if the organization is pursuing the best IT-related projects to achieve enterprise goals

Answer 24

IT Portfolio management

Question 25

what are the steps needed to be taken when implementing IT portfolio management?

Answer 25

standardize terminology, ensure management commitment, agree on targets, plan portfolio management, specifiy criteria, define roles, organize tools and support

Question 26

strategy for determining which sourcing approach each IT function can use to meet the organizational needs

Answer 26

sourcing strategy

Question 27

what are some of the possible disadvantages of outsourcing?

Answer 27

costs exceeding expectation
loss of internal IT experience
loss of IT control
vendor failure
difficulty in reversing agreements
contract term issues
lack of loyalty
customer dissatisfaction
loss/leakage of data

Question 28

What must an organization do when implementing cloud services in terms of governance and management of IT?

Answer 28

ensure IT remains aligned with the business, continue to meet objectives, security is in place, and risks are managed

Question 29

Policies should be modified (or developed) to address the process of sourcing and managing/continuing cloud services.

Answer 29

TRUE

Question 30

An organization should retain visibility into security activities of cloud (e.g., change management, vulnerability reporting, etc.)

Answer 30

TRUE

Question 31

What should the primary objectives be of a an outsourcing governance process?

Answer 31

ensure continuity of service, profitability, and added value to

Question 32

what are some responsibilities that should be defined in a outsourcing governance process?

Answer 32

-ensuring contract viability through review
- governance schedules
- relationship management
- allocation resources
- continuously evaluate performance

Question 33

Governance should be preplanned and included as part of all outsourcing contracts.

Answer 33

TRUE

Question 34

What is a critical for an IS auditor to identify when reviewing outsourcing contracts?

Answer 34

Right-to-audit clauses (e.g., if they can be audit, what can be audited, SLAs related to requests)

Question 35

what are the three steps for developing a performance metric?

Answer 35

• establishing critical processes to meet requirements
• identifying specific, quantifiable outputs of work from processes
• establishing targets against which results can be scored

Question 36

what are areas that IS auditors should confirm performance metrics cover?

Answer 36

business contribution; performance vs. strategic goals; GRC with regulations; user satisfaction; key IT processes; future activities

Question 37

the process of both improving perceived service performance and improving information system productivity to the highest level possible without unnecessary additional investment in the IT infrastructure

Answer 37

performance optimization

Question 38

what are the two critical success factors that enable performance optimization

Answer 38

• approval of goals by stakeholders
• acceptance of accountability for achievement of goals by management

Question 39

the performance optimization methodology using an iterative, four-step process used for the control and continuous improvement of processes

Answer 39

PDCA (plan, do, check, act)

Question 40

in PDCA, what does the “P” stand for?

Answer 40

Plan - establishing objectives and processes to deliver results

Question 41

in PDCA, what does the “D” stand for?

Answer 41

Do - implement the plan

Question 42

in PDCA, what does the “C” stand for?

Answer 42

Check - study the results and compare against expected results

Question 43

in PDCA, what does the “A” stand for?

Answer 43

Act - request corrective actions on significant differences from actual and expected results

Question 44

Technique of performance optimization that is a data-driven process analysis approach. It uses measurement-oriented strategies focused on improvement and defect reduction, where a “defect” is anything outside of expectation

Answer 44

Six Sigma

Question 45

What is the main difference between the Six Sigma and Lean Six Sigma?

Answer 45

Lean six sigma eliminates unnecessary steps that dont add value

Question 46

This is a process management evaluation technique that, in addition to traditional evaluations (e.g., financials), includes measures with customer satisfaction, internal processes, and the organizations ability to innovate.

Answer 46

IT Balanced Scorecard (IT BSC)

Question 47

The thorough analysis and significant redesign of business processes and management systems to establish better performing, more responsive processes

Answer 47

business process reengineering (BPR)

Question 48

What are the four perspectives of an effective IT BSC?

Answer 48

Mission (goal), Strategies (ways to achieve), Measures (ways to monitor), and Sources (whose responsible)

Question 49

the planned and systematic pattern of all actions necessary to provide adequate confidence that an item or product conforms to established technical requirements; this ensures IT personnel are following prescribed procedures

Answer 49

Quality assurance (QA)

Question 50

observation techniques and activities used to fulfill requirements for quality, such as conducting test to verify products are free of defects and meet requirements.

Answer 50

Quality control (QC)