Domain 2: Governance & Management of IT

Question 1

What is the difference between Governance and Management?

Answer 1

Governance aims to provide a strategy to obtain business objectives. Managment aims to implement procedures to achieve the business objectives set by the governance body.

Question 2

What is the primary reason an IS auditor should reviw the organisational chart?

Answer 2

To understand the structure of the organisation.

Question 3

Who has the final responsibility for IT governance?

Answer 3

Board of directors / CEO

Question 4

What should IT departments do in order to achieve the organisations objectives?

Answer 4

The IT department should have long and short-term plans that are consistent with the organisation’s buisness objectives.

Question 5

What is a greatest concern with respect to an organisations governance model?

Answer 5

Senior mangement does not review information security policies

Question 6

Having approved suppliers for the company’s products is related to what?

Answer 6

Strategic planning

Question 7

Who is responsible for IT governance?

Answer 7

The board of directors. They are required to ensure that IT activities are moving in the desired direction.

Question 8

An IT strategic plan should contain?

Answer 8

The IT strategic plan must contain a clear statement regarding the mission and vision of IT.

Question 9

What is the main objective of IT governance?

Answer 9

Ensuring the optimal use of technology resources

Question 10

What is the primary purpose of corporate governance?

Answer 10

Corporate governance provides a strategic direction to the organisation as a whole.

Question 11

What is COBIT?

Answer 11

The Control Objective for Information Technology is an EGIT framework that ensures IT is aligned with business objectives

Question 12

What is ISO27001?

Answer 12

ISO 27000 is a set of best practices for information security programs.

Question 13

What is ITIL?

Answer 13

The Information Technology Infrastructure Library is a detailed framework for the operational service management of IT.

Question 14

What is O-ISM3?

Answer 14

The Open Information Security Management Maturity Model is a process-based ISM maturity model for security.

Question 15

What is an IT standard?

Answer 15

An IT standard is a mandatory requirement to be followed in order to comply with a given framework or certification.

Question 16

What is a policy?

Answer 16

A policy is a set of ideas or strategies that are used as a basis for decision making. They are the high-level statements of direction by management.

Question 17

What is a procedure?

Answer 17

Procedures are detailed steps and action that help support the policy objectives.

Question 18

What are guidelines?

Answer 18

Guidelines are additional details to help execute procedures.

Question 19

What should the Information security policy contain?

Answer 19

This should contain the managements commitment for the safeguarding of information assets

Question 20

When should the information security policy be reviewed?

Answer 20

At least annually or when there is a significant change to the envrionment of the business.

Question 21

What should be the first step for the auditor after discovering that IT policies are not approved by management?

Answer 21

Report the findings.

Question 22

How can policy compliance be ensured?

Answer 22

Existing IT systems should be able to enable compliance.

Question 23

What should the Information security policy include?

Answer 23

This should include something about access control

Question 24

What is the most important factor for successful implementation of a security policy?

Answer 24

That it is delivered and acknowledged by all users

Question 25

What is the most important concern while reviewing the information security policy?

Answer 25

That the IT department’s objectives drive the policy and are not alligned with the organisations overall objectives.

Question 26

What is the most important factor in determining the appropiate level of protection?

Answer 26

The outcome of a risk assessment because it considers risks on the basis of probability and impact.

Question 27

What is the first point of reference for an IS auditor conducting an audit?

Answer 27

Approved policies.

Question 28

What is the most important factor when developing an information security policy?

Answer 28

Risk appetite as some risks will have to be accepted by the business to meet business objectives.

Question 29

Who is apart of the Strategy Committee?

Answer 29

This committee consits of members of the board and specialist non-members of the board.

Question 30

What is the overall job of the IT strategy committee?

Answer 30

To advise the board on the IT strategy.

Question 31

What is the overall job of the IT steering committee?

Answer 31

Responsible for the implementation and monitoring

Question 32

Who does ownership lie with in regards to the system development project?

Answer 32

User management

Question 33

Who does accountability for ensuring relevant controls over IS resources rest with?

Answer 33

The resource owner

Question 34

Who is ultimately responsible for internal control?

Answer 34

Senior Management

Question 35

Who has overall responsibility for system development projects?

Answer 35

The project steering committee

Question 36

Who is the most suitable person to be appointed as chair of the steering committee?

Answer 36

An executive-level officer

Question 37

What is the main advantage of EA?

Answer 37

Enterprise Architecture is to help with technology selection and adoption

Question 38

What is the best level of control when customised software is developed by a third-party vendor?

Answer 38

An escrow agreement

Question 39

What is one of the most valuable factors regarding technology transition rate?

Answer 39

Change control includes the application and execution of good change management systems

Question 40

What are all of the risk management process steps?

Answer 40

Asset identification, the identification of threat and vulnerabilites, evaluation of impact, calculation of risk and risk response

Question 41

What are all of the risk management process steps?

Answer 41

Asset identification, the identification of threat and vulnerabilites, evaluation of impact, calculation of risk and risk response

Question 42

What are the risk analysis methods?

Answer 42

Qualitative, Semi-quantitative and quantitative

Question 43

What are some risk treatment options?

Answer 43

Mitigate, Accept, Avoid, Transfer

Question 44

What is the first step when implementing a risk management program?

Answer 44

Asset identification followed by determining threats and vulnerabilites

Question 45

When auditing a organisations risk management procedure, what should be reviewed first?

Answer 45

Threats and vulnerabilities affecting the assets should be reviewed first.

Question 46

When establishing the level of acceptable risk, who does the responsibility lie with?

Answer 46

Senior business management

Question 47

What is fidelity coverage?

Answer 47

Fidelity insurance is used by an employer to protect against losses caused by a dishonest or disgruntled employee

Question 48

What is a major factor to consider in relation to offshore data storage/transfer?

Answer 48

privacy laws

Question 49

What is a concern surrounding the use of cloud services?

Answer 49

Compliance with laws and regulations

Question 50

When it is not possible to implement segregation of duties, what compensation control should be put in place?

Answer 50

Reviewing transaction and application logs will help to deter employees from misusing their powers

Question 51

What is a risk that an auditor should be aware of when reviewing a company that uses cross-training practices?

Answer 51

If all parts of a sytem are known to only one person, that person may abuse their powers

Question 52

What is the most important consideration when reviewing an approved software product list?

Answer 52

IT products should be reviewed periodcally to ensure new or emerging risks are identifed and addressed

Question 53

What clause in an outsourcing contract will help improve the level of service and reduce costs?

Answer 53

Performance bonuses as it provdes the service provider with incentives to perform

Question 54

What clause is most important when reviewing and floating a Request for Proposal?

Answer 54

References from other customers

Question 55

What is a major concern when reviewing a system development approach?

Answer 55

The lack of a quality plan in the contract

Question 56

What is the BEST control to monitor the service provision of a 3rd party?

Answer 56

Conduct periodic audit reviews

Question 57

What is the first factor to be considered when reviewing the SLA?

Answer 57

Whether the contractual warranties support the requirements of the organisation.

Question 58

What is an idemnity clause?

Answer 58

An indemnity clause is a provision in a contract that requires one party to compensate the other party for any losses or damages that they may incur as a result of the contract