Escrito por estudiantes que aprobaron Inmediatamente disponible después del pago Leer en línea o como PDF ¿Documento equivocado? Cámbialo gratis 4,6 TrustPilot
logo-home
Examen

CISA Domain 2 Exam 183 Questions with Verified Answers,100% CORRECT

Puntuación
-
Vendido
-
Páginas
49
Grado
A+
Subido en
15-03-2024
Escrito en
2023/2024

CISA Domain 2 Exam 183 Questions with Verified Answers IT management - CORRECT ANSWER the process of managing activities related to information technology operations and resources, which helps ensure that IT continues to support the defined enterprise objectives IT resource management - CORRECT ANSWER the process of pre-planning, scheduling and allocating the limited IT resources to maximize efficiency in achieving the enterprise objectives - When an organization invests its resources in an activity, it incurs opportunity costs, because it is unable to use those same resources to pursue other activities that could bring value to the enterprise ROI of an IT investment: Financial benefits - CORRECT ANSWER Impact on the organization's budget and finances such as cost reductions or revenue increases ROI of an IT investment: Non-Financial benefits - CORRECT ANSWER Impact on operations or mission performance and results; such as improved customer satisfaction, better information and shorter cycle time Value of IT: - CORRECT ANSWER - Management makes decisions about IT project selection on the basis of the perceived value of the investment - The value of an IT project is determined by the relationship between the cost involved and the benefits - IT portfolio management has explicit directive and strategic goals regarding investment by the enterprise rather than what the enterprise will divest IT Portfolio Management: - CORRECT ANSWER Organizations use IT portfolio management methodology to decide whether they are pursuing the best IT-related projects to achieve their enterprise goals portfolio inclusion criteria can be classified as financial, strategic or tactical. While these criteria should be comprehensive, the should also be able to change with changes in the organization's strategy IT Portfolio Management vs Balanced Scorecard - CORRECT ANSWER The biggest advantage of IT portfolio management is its agility in adjusting investments. While BSCs also emphasize the use of vision and strategy in any investment decision, the oversight and control of operations budgets is not the goal. IT portfolio management allows organizations to adjust investments based upon the built-in feedback mechanism. IT Management Practices IT management practices reflect the implementation of policies and procedures developed for various IT-related management activities. In most organizations, the IT department is a service (support) department. The traditional role of a service department is to help production (line) departments conduct their operations more effectively and efficiently. However, IT is an integral part of every facet of the operations of an organization and IS auditors must understand and appreciate the extent to which a well-managed IT department is crucial to achieving the organization's objectives. Management activities to review the policy/procedure formulations and their effectiveness within the IT department include practices such as HR (personnel) management, organizational change management, financial management practices and information security management. Methods of implementing portfolio management: - CORRECT ANSWER Risk profile analysis Diversification of projects infrastructure and technologies Continuous alignment with business goals Continuous improvement Steps to be taken before implementing IT portfolio management: - CORRECT ANSWER Standardize terminology Ensure management commitment Agree on targets Plan portfolio management Specify portfolio inclusion criteria Describe roles, tasks and decisions Organize tools, support and instructions Job-aid: HR Practices Human Resource Management - CORRECT ANSWER HR management relates to organizational policies and procedures for recruiting, selecting, training and promoting staff, measuring staff performance, disciplining staff, succession planning, and staff retention. The effectiveness of these activities, as they relate to the IT function, impacts the quality of staff and the performance of IT duties. Note: The IS auditor should be aware of HR management issues, but this information is not tested in the CISA exam due to its subjectivity and organizational specific subject matter. Human resource management practice: Hiring An organization's hiring practices are important to ensure that the most effective and efficient staff is chosen and that the company is in compliance with legal recruitment requirements. Some of the common controls include: • Background checks (e.g., criminal, financial, professional, references, qualifications) • Confidentiality agreements or nondisclosure agreements. Specific provision may be made in these agreements to abide by the security policies of the previous employer and not to exploit the knowledge of internal controls in that organization. • Employee bonding to protect against losses due to theft, mistakes and neglect (Note: Employee bonding is not always an accepted practice all over the world; in some countries, it is not legal.) • Conflict of interest agreements • Codes of professional conduct/ethics • Incomplete agreements Control risk includes: • Staff may not be suitable for the position they are recruited to fill. • Reference checks may not be carried out. • Temporary staff and third-party contractors may introduce uncontrolled risk. • Lack of awareness of confidentiality requirements may lead to the compromise of the overall security environment. Human resource management practice: Employee Handbo Preventing Internal Fraud: Mandatory vacation - CORRECT ANSWER - Employees required to take a vacation for generally a week - Their absence allows the company adequate opportunity to audit their work and discover any fraudulent behavior Preventing Internal Fraud: Job rotation - CORRECT ANSWER - When a job is rotated between two or more employees, they provide as checkpoints for each other's activities - Fraud is more likely to be caught when a new person examines the work processes and notices irregularities Preventing Internal Fraud: Termination Policies - CORRECT ANSWER terminations pose risk to the logical security of an organization whether they are handled on a voluntary or involuntary basis Security controls put into place around terminations attempt to reduce this risk: Control physical access - CORRECT ANSWER Ensure that employee returns all devices, access keys, ID cards and badges Security controls put into place around terminations attempt to reduce this risk: Control logical access - CORRECT ANSWER To keep terminated employees from accessing sensitive information, delete or revoke assigned log-in credentials at the time of termination Security controls put into place around terminations attempt to reduce this risk: Notify staff - CORRECT ANSWER Send notification to alert appropriate staff and security personnel regarding an employee's termination Security controls put into place around terminations attempt to reduce this risk: Control payroll - CORRECT ANSWER Remove terminated employees from active payroll files after full and final payment settlements Security controls put into place around terminations attempt to reduce this risk: Gain insight - CORRECT ANSWER Whenever an employee leaves voluntarily, conduct an exit interview to gather insight on the employee's perception of management Change Management: - CORRECT ANSWER Constant changes occur in the business landscape, such as new technological developments, introduction of new regulation or amendment of existing regulations and new competitors Organizations must be able to quickly adapt to these changes by making adjustments in their strategy, structure, processes, products or technologies Organizational Change Management framework: organizational change management is a framework built around the dynamic needs and abilities of an organization - CORRECT ANSWER This framework involves use of a clear documented process to identify and apply beneficial technology improvements at the infrastructure and application levels Significant levels of organizational change generate complexity, which increases uncertainty and risk IS auditors can support the transition phase by providing independent and objective assurance that risks are identified, assessed and managed well Organizational Change Management: Role of IT Department - CORRECT ANSWER - Stay well-informed of technology changes - Obtain senior management commitment - Work with each functional area and its management - Develop a communication process with the end users - Provide a method for obtaining user feedback and involvement - Obtain user feedback throughout the project Financial Management Practices: User-pays scheme - CORRECT ANSWER Financial management practice in which the cost of IS services, including staff time, computer time and other relevant cost, is charged back to the end users The practice is usually set forth by the board and jointly implemented by the CFO, user management and US management. User-pays schemes help business managers to be more sensitive towards the cost of IT investments and activities and force them to make most efficient use of IT resources IS Budgets - CORRECT ANSWER An effective IS budget includes planned expenses as well as any anticipated revenues, and is needed for forecasting, monitoring and analyzing financial information Having a solid IS budget promotes thoughtful allocation of funds, especially in an IS environment where expenses can be cost-intensive Because many technology expenses comprise major projects that take extended periods of time to complete, a typical IS budget includes both short- and long-term projects International Accounting Standards Board (IASB) - software development - CORRECT ANSWER Publishes standards that require companies to have a detailed understanding of tier development efforts, including time spent on specific projects and activities Where standards are not in use, there may be something similar established by regional authorities or internal governance It is important for an IS auditor to understand these requirements and the practices used by companies to track software development costs, both for operational reasons and to ensure compliance IAS 38 (intangible assets) outlines the accounting requirements for non-monetary assets and specifies that organizations should demonstrate how these intangible assets will generate probable future economic benefits Information Security Management (ISM) - - describes the establishment and use of controls that ensure protection of assets from threats and vulnerabilities to preserve their confidentiality, availability and integrity - CORRECT ANSWER Involves implementation of an organization-wide information security program related to IT department functions in alignment with the organization's critical business processes A typical ISM program includes: - Business impact analysis (BIA)Business continuity planning (BCP) - Disaster recovery planning (DRP) ISM involves the application of risk management processes to IT assets, including steps to first identity and then mitigate risk to an acceptable level as determined by management, as well as monitoring residual risk Sourcing practices relate to the way in which the organization will obtain the IT functions required to support the business. - CORRECT ANSWER Organizations can perform all the IT functions in-house (known as "insourcing") in a centralized fashion or outsource all functions across the globe. The sourcing strategy should consider each IT function and determine which approach allows the IT function to meet the enterprise's goals. Delivery of IT functions can include: • Insourced—fully performed by the organization's staff • Outsourced—fully performed by the vendor's staff • Hybrid—performed by a mix of the organization's and vendor's staffs; can include joint ventures/supplemental staff IT functions can be performed across the globe, taking advantage of time zones and arbitraging labor rates, and can include: • Onsite—staff works onsite in the IT department. • Offsite—also known as nearshore, staff works at a remote location in the same geographic area. • Offshore—staff works at a remote location in a different geographic region. The organization should evaluate its IT functions and determine the most appropriate method of delivering the IT functions, considering the following: • Is this a core function for the organization? • Does this function have specific knowledge, processes and staff critical to meeting its goals and objectives, and that cannot be replicated externally or in another location? • Can this function be performed by another party or in another location for the same or lower price, with the same or higher quality, and without increasing risk? • Does the organization have experience managing third parties or using remote/offshore locations to execute IS or business functions? • Are there any contractual or regulatory restrictions preventing offshore locations or use of foreign nationals? On completion of the sourcing strategy, the IT steering committee should review and approve the strategy. At t IS Auditor's role in risk of outsourcing: - CORRECT ANSWER -The vendor provided services and the functional requirements these services address -Vendors' service level agreements that are in place -Suppliers' financial viability, licensing scalability and provisions for software escrow -Importance of the requirements specification in the request for proposal (RFP) -Need for specifying required security controls -Criteria for vendor selection to ensure that a reliable and professional vendor is chosen -Escrow requirements -Contractual right to audit or equivalent Outsourcing practices and strategies - CORRECT ANSWER The decision to outsource is a strategic decision. The organization that outsources effectively reconfigures its value chain by retaining core business activities and outsourcing non-core activities Management of the client organization is accountable for the transparency and ownership of any decision-making process involving outsourcing. Organizations should ensure that risk is properly managed and that there is continued delivery of value from the service provider Globalization practices and strategies - globalization of IT functions may require management to oversee remote or offshore locations. The IS auditor should ensure that all the risks and audit concerns are considered when defining the globalization strategy - CORRECT ANSWER - Legal, regulatory and tax issues - Continuity of operations - Personnel - Telecommunication issues - Cross-boarder and cross-cultural issues Globalization practices and strategies - Legal, regulatory and tax issues - CORRECT ANSWER Operating in a different country or region may introduce new risks about which an organization may have limited knowledge. Foreign business practices may also be substantially different from those known domestically Globalization practices and strategies - Continuity of operations - CORRECT ANSWER Business continuity and disaster recovery may not be adequately addressed and tested Globalization practices and strategies - Personnel - CORRECT ANSWER Modifications required to personnel policies may not be fully understood in the context of a global workforce Globalization practices and strategies - Telecommunication issues - CORRECT ANSWER Network controls and access from remote or offshore locations may be subject to more frequent outages or a larger number of security exposures Globalization practices and strategies - Cross-boarder and cross-cultural issues - CORRECT ANSWER Managing people and processes across multiple time zones, languages and cultures may present unplanned challenges and problems Cross-border data flow may also be subject to legislative requirements, such as encryption of data during transmissions Outsourcing and third-party audit reports - CORRECT ANSWER Cover a range of issues related to confidentiality, integrity and availability of data Take the place of in-person audits by clients, which are typically not permitted under all but the most specialized outsourcing agreements SOC 1 report - CORRECT ANSWER report on the service organization's system controls likely to be relevant to user entities' internal control over financial reporting SOC 2 report - CORRECT ANSWER report on the service organization's system controls relevant to security, availability, processing integrity, confidentiality or privacy, including the organization's compliance with its own privacy practices SOC 3 report - CORRECT ANSWER a high-level compliance report, similar to SOC 2 but without detailed information about the design of controls and the test performed by auditor (no sensitive information) Outsourcing and Third-party audit reports: IS Auditor's role - CORRECT ANSWER Management statements - IS auditors should be familiar with management statements and assertions, as well as how well these assertions address the services being provided SSAE 18 reports Additional third-party audit reports - IS auditors should be aware of additional third-party reports, such as penetration tests and security assessments performed by independent, objective and competent third parties Processes - IS auditors should know how to obtain reports, review them and present results to management for further action Cloud governance - when organizations opt for cloud computing to receive IT services, they should take care to ensure that IT goals are aligned with the business goals, systems are secure and risks are managed - CORRECT ANSWER Among the several factors to consider while dealing with cloud technology and service providers are: - Goal setting - Policy and standard development - Role and responsibility definition - Risk management Potential change areas for cloud governance - businesses/IT processes: data processing, development and information retrieval - Process detailing the way information is stored, archived and backed up - Policies that address the process of sourcing, managing and discounting the use of cloud services Responsibility of the organization in regards to outsourcing - Maintaining sufficient overall control and visibility into all security aspects of sensitive or critical information and facilities managed by the third party -Ensuring that the organization retains visibility in security activities such as change management, identification of vulnerabilities and information security incident reporting/response Governance in outsourcing: introduction - CORRECT ANSWER The decision to outsource and subsequently successfully manage that relationship demands effective governance The outsourcing governance process: --Ensures continuity of service at the appropriate levels , profitability and added value to sustain the commercial of both parties --Involves setting of responsibilities, role, objectives, interfaces and controls required to anticipate change and manage the introduction, maintenance, performance, costs and control of the services provided by the third-party Clients and service providers should adopt a common, consistent and effective approach that identifies the necessary information, relationships, controls and exchanges among all stakeholders across both parties Governance in outsourcing: responsibilities - CORRECT ANSWER Ensure contractual viability - use continuous review and improvement to promote benefits for both parties Scheduling governance activities - include an explicit governance schedule in the contract Manage the relationship - ensure that contractual obligations are met through service level agreements and operating level agreements Manage stakeholders - identify all stakeholders and take their relationships and expectations into account Establish roles and responsibilities - clarify decision making, and create procedures for issue escalation, dispute management, demand management and service delivery Prioritize and allocate resources - align resources, expenditures and service consumption based on prioritized needs Evaluate processes and performance - continuously review performance, cost, user satisfaction and effectiveness Communicate with stakeholders - make sure that all stakeholders are kept apprised of conditions on an ongoing basis Outsourcing in governance: business alignment - CORRECT ANSWER IT services should closely reflect the requirements and desires of the business users Organizations should recognize the services that provide them with differential advantage and outsource activities that support these services Service- and operating-level agreements should be established, monitored and measured Governance in Outsourcing: IS auditor's role - it is critical for the IS auditor to understand right-to-audit clauses and controls in outsourcing activities involving confidential information and sensitive processes. This understanding includes, but is not limited to - CORRECT ANSWER Now the contract provides for auditing of outsourced services The claimed effectiveness of preventative, detective and corrective internal controls implemented by the outsourced service provider Documentation and communication of SLAs regarding problem management and incident response Monitoring and review of third-party services: In partnerships, it is important for an organization to regularly monitor and review third-party services to ensure: - CORRECT ANSWER Adherence to the information security terms and conditions of the agreements Ability to manage any information security incidents and problems properly Monitoring and review of third-party services: To monitor and review third-party services, organizations need to - CORRECT ANSWER Monitor service performance levels Review service reports produced by the third-party Arrange regular progress meetings Provide information about security incidents Review third-party audit trails and records Resolve and manage identified problems Monitoring and review of third-party services: - organizations may make changes to the provision of third-party services as business requirements change. These changes should be managed carefully - CORRECT ANSWER Changes made by the organization: - Enhancements to services currently offered - Development of new applications and systems - Modifications or updates to the organization's policies and procedures - New controls to resolve information security incidents and improve security - Updates to policies, including the IT security policy Changes in third-party services - Changes and enhancements to networks - Use of new technologies - Adoption of new products, or newer versions/releases - New development tools and environments Other changes - Changes to physical location of service facilities - Change of vendors or subcontractors Every organization using the services of third parties should have a service delivery management system in place to implement and maintain the appropriate level of information security and service delivery in line with third-party service delivery agreements. - CORRECT ANSWER The organization should check the implementation of agreements, monitor compliance with the agreements and manage changes to ensure that the services delivered meet all requirements agreed to with the third party. Service Improvement and User Satisfaction SLAs set the baseline by which outsourcers perform the IT function. In addition, organizations can set service improvement expectations into the contracts with associated penalties and rewards. Examples of service improvements include: • Reductions in the number of help desk calls • Reductions in the number of system errors • Improvements to system availability Service improvements should be agreed on by users and IT with the goals of improving user satisfaction and attaining business objectives. User satisfaction should be monitored by interviewing and surveying users To manage IT performance effectively, organizations require a monitoring process that involves the following steps: - CORRECT ANSWER - Definition of relevant performance indicators - Systematic and timely reporting on performance - Prompt action upon discovery of deviations Measuring control over monitoring: the effectiveness of the monitoring controls can be measured by several indicators, such as: - CORRECT ANSWER - Satisfaction of management and governance participants - Number of improvement actions driven by monitoring activities - Percentage of critical processes monitoring Developing performance metrics: enterprises often use metrics tat relate to performance in a significant way, called key performance indicators (KPIs), as reliable ways to project and track performance - CORRECT ANSWER Metrics are essential tools that: - Enable enterprises to allocate and manage resources - Influence and help improve business decision-making - Describe the quality of a process relative to a baseline To develop performance metrics: - CORRECT ANSWER - Establish which processes are critical - Identify specific, quantifiable outputs of work - Establish targets for scoring results Characteristics of an effective metric: - CORRECT ANSWER - Consistent measurement - Easy data collection - Expression as numbers, percentages or other unit of measure - Specific context - Foundation in acceptable practices - Usefulness for internal and external comparison - Meaningfulness to stakeholders Developing performance metrics: IS auditor's role - an IS auditor may want to recommend that performance metrics be developed for the following areas: - CORRECT ANSWER - Business contribution in terms of finances - Performance relative to strategic business and IT plans - Risk and regulatory compliance - Internal and external user satisfaction with service levels - Solution and service delivery - future -oriented activities such as emerging technology, reusable infrastructure, business and IT personnel skills Performance optimization - IT performance optimization is the process of improving perceived service performance along with the information system productivity, without any additional and unnecessary investment in the IT infrastructure - CORRECT ANSWER Effective governance promotes overall performance optimization. This is achieved when: - Goals are set from the top down and aligned with high level business objectives - Metrics are established from the bottom up and aligned in a way that enables management to monitor the achievement of goals at all levels Overall performance optimization is enabled by two critical governance success factors: - CORRECT ANSWER - The approval of goals by stakeholders - The acceptance of accountability by management Performance optimization can be achieved by using one or more proven performance improvement and optimization methodologies: - CORRECT ANSWER Continuous improvement methodologies, such as the plan-do-check-act (PDCA) cycle, six sigma and business process reengineering (BPR) Comprehensive best practices such as the Information Technology Infrastructure Library (ITIL) Frameworks such as the control objectives for information and related technology (COBIT) Plan-do-check-act (PDCA) - an iterative technique used in business to control and continuously improve processes and products - CORRECT ANSWER Plan - establish the objectives and processes necessary to deliver results in accordance with the targets or goals Do - implement the plan, execute the process and make the product. Collect data for charting and analysis in the later stages of the cycle Check - study the actual data measured and collected in the previous step. Then, compare the data against the expected targets and goals to identify the differences. Look for deviations in the implementation of the plan and check the appropriateness of the plan. Chart the collected data Act - call for corrective actions on significant differences between actual and planned results. Analyze the differences to determine their root causes. Determine where to apply changes that will include improvement of the process or product Continuous improvement methodologies: using PDCA - CORRECT ANSWER Combing PDCA with techniques for agile development allows organizations to reassess the direction of projects at different points throughout the development life cycle There are several related techniques for agile development. Most use sprints or iterations that require working groups to produce a functional product. Agile methodology is described as iterative and incremental because of its focus on abbreviated work cycles Continuous improvement methodologies: Six sigma - CORRECT ANSWER a quantitative approach to process analysis. Its objective is to implement a measurement-oriented strategy focused on process improvement and defect reduction. A six sigma defect is defined as anything outside customer specifications. Lean six sigma is a variation of the basic model, which also seeks to eliminate unnecessary steps that add no value Continuous improvement methodologies: Business process reengineering (BPR) - CORRECT ANSWER the thorough analysis and significant redesign of business processes and management systems to establish a structure that performs better. This may mean that it is more responsive to the customer base and market conditions, yields material cost savings, or both Tools and techniques that facilitate measurements: IT Balanced Scorecard (IT BSC) - CORRECT ANSWER - a management evaluation technique that looks at multiple factors when assessing performance and can be applied to enterprise governance for assessing IT functions and processes Technique aims at achieving the following objectives: - Establish a structure for management reporting to the board - Foster consensus among key stakeholders about IT's strategic aims - Demonstrate the effectiveness and added value of IT - Communicate IT's performance, risk and capabilities Tools and techniques that facilitate measurements: Key Performance Indicators (KPIs) - CORRECT ANSWER a metric that determines whether a process is performing well towards achieving the target goals. The criteria for operational level and effectiveness of controls are based on KPIs that indicated whether a control is functioning correctly or not Tools and techniques that facilitate measurements: Benchmarking - CORRECT ANSWER a systematic approach to finding the best ways to conduct business by comparing enterprise performance against peers and competitors. Two areas where benchmarking is commonly used are quality and logistic efficiency Tools and techniques that facilitate measurements: Root cause analysis - CORRECT ANSWER diagnosis of the origins or root causes of events. Once these root causes are identified, controls can be developed to accurately address these causes that lead to system failures and deficiencies. Root cause analysis enables an organization to learn from consequences and not repeat undesired actions or results in the future Tools and techniques that facilitate measurements: Life cycle cost-benefit analysis - CORRECT ANSWER this technique involves first determining the life cycle used for organizational investment, then estimating costs of maintenance or updates, failure and maintaining interoperability with mainstream and emerging technologies. These are compared with user and business-operation costs derived from information systems, with the goal of identifying the overall benefit that an organization sees from its investments in IT Quality Assurance Processs - CORRECT ANSWER Typically incorporate within a planned and systematic set of actions to ensure the conformation of products to the technical requirements QA personnel play the following roles in an organization - Verify system changes -verify that processes are in place and used to authorize, test and implement system changes in a controlled manner prior to being introduced into the production environment according to an organization's change and release management policies - Supervise program - with the assistance of source code management software, QA personnel also typically oversee the proper maintenance of program versions and source code to object integrity Quality Management: Scope - CORRECT ANSWER - Software development - Software maintenance - Software implementation - Acquisition of hardware - Acquisition of software - Day-to-day operations - Service management - Security - HR management - General administration Quality management - CORRECT ANSWER The development and maintenance of defined and documented processes by the IT department is evidence of effective governance of information resources For effectiveness and efficiency of IT operations, it is important to insist on the observance of processes and process management techniques Organizations use quality standards to achieve an operational environment that is predictable, measurable and repeatable for their IT resources IT governance - CORRECT ANSWER consists of the leadership and organizational structures and processes that ensure the enterprise sustains and extends strategies and objectives Aims at: - Providing strategic direction - Helping achieve business objectives - Managing risks - Ensuring effective use of resources Involves: - Setting objectives for enterprise's IT - Creating a continuous loop to measure performance - Evaluating against objectives - Taking action The best approach to is foster IT governance through corporate governance practices Corporate governance - CORRECT ANSWER involves practices by which an enterprise is directed and controlled. It includes ethical issues, decision making and overall practices within the organization: - Provides structure to set company objectives, monitor performance and attain objectives - Helps build trust, transparency and accountability Enterprise governance of information and technology (EGIT) - CORRECT ANSWER EGIT monitors IT activities and ensures that the enterprise exploits opportunities and maximizes benefits. It is responsible for proper use of IT resources and IT risk management Enterprise governance involves established controls and resource management. Results are measured and reported, providing input to the cyclical revision and maintenance of controls Board of directors and executive management: (EGIT) - CORRECT ANSWER - Manage EGIT on behalf of all stakeholders (internal and external) - Ensure systems and IT controls are implemented - Ensure IT resources are used for the interest of stakeholders IT governance ensures information and related technology support the enterprise's business objectives through: - CORRECT ANSWER - Strategic alignment - Value delivery - Responsible use of resources - Risk management - Performance measurement Auditor's Role in EGIT - CORRECT ANSWER IS audit goals for EGIT: - CORRECT ANSWER Compliance with EGIT initiatives Continuous monitoring, analysis and evaluation of the EGIT metrics Before conducting an EGIT audit, we should: - CORRECT ANSWER Verify if the terms of reference are comprehensive - Scope of the work, incorporating a clear definition of the functional areas and issues to be covered - Reporting line to be used, where EGIT issues are identified to the highest level of the organization Ensure that all relevant senior stakeholders are included in the audit As IS auditors, we need to assess the following EGIT aspects: - CORRECT ANSWER - Alignment of enterprise governance and Egit - Alignment of the IT function with organization's mission, vision, values, objectives and strategies - Achievement of performance objectives (business and IT) - Legal, environmental, information quality, fiduciary, security and privacy requirements - Control environment of the organization - Inherent risks within the IS environment - IT investment/expenditure Security for information - CORRECT ANSWER Threats to information security are mainly due to: - CORRECT ANSWER Values that drive information Security - CORRECT ANSWER The purpose of information security governance is twofold - CORRECT ANSWER An information security governance framework generally consists of: - CORRECT ANSWER A comprehensive security strategy linked with business objectives Security policies regarding strategy, controls and regulation A complete set of standards for compliance of procedures and guidelines with policy Effective security that does not have conflicts of interest Institutionalized monitoring processes CEO's role in information security governance - CORRECT ANSWER Effective Information Security Governance: Role of Senior Management - CORRECT ANSWER Effective Information Security Governance: Protection Efforts - CORRECT ANSWER The latest approach to information security covers data, information and knowledge regardless of where they are created, received, processed, transported or stored and disposed. Data sources include blogs, newsfeeds, peer-to-peer or social networks and web sites Protection efforts should encompass the process that generates information as well as the continued preservation of information generated as a result of the controlled process Effective Information Security Governance: Strategies - CORRECT ANSWER Performance measurement: - Used to measure, monitor and report on information security processes to ensure that SMART (Specific, measurable, attainable, realistic and timely) objectives are met. To apply this technique: -- Have a defined, consensual and meaningful set of metrics aligned with strategic objectives -- Identify shortcomings and provide feedback on the resolution process -- Conduct external assessments and audits to validate security governance Resource management: - Use information security knowledge and infrastructure wisely. To manage resources: -- Ensure that knowledge is captured and available -- Document security processes and practices -- Develop security architecture to define and use infrastructure resources efficiently Process integration: - Combine different assurance processes as one complete process by using this technique: -- Void the difficulty of tracking the effectiveness of fragmented security processes -- Improve overall security and operational efficiency Plans (IT strategy) - CORRECT ANSWER - Leverage IT to improve business processes - Align with the organizational goals and objectives - Identify cost-effective IT solutions and opportunities - Identify and acquire IT resources Main contributors of IT strategic plans: - CORRECT ANSWER - IT Department Management - IT Steering Committee - Strategy Committee IS strategic planning depends on the: - CORRECT ANSWER - Enterprise's requirements for new and revised information systems - IT capacity to deliver new functionality through well-governed projects Determining requirements for new and revised information systems involves: - CORRECT ANSWER - Systematic consideration of enterprise's strategic intentions - Implication on business objectives and initiatives - IT capablitities required IS Strategic Planning: IT Capacity - CORRECT ANSWER IS Strategic planning review: - CORRECT ANSWER Consider the control practices when reviewing strategic planning process/framework Ensure that IT strategic plans are synchronized with the overall business strategy Assess if operational, tactical or business development plans are included in the IT strategies and plans Consider business goals when updating and communicating IS plans, monitoring and evaluating IT requirements Examine the role of the IT department in creation of overall business strategy Business Intelligence - CORRECT ANSWER includes collection and analysis of information to assist in decision making and assessing organizational performance Data governance - CORRECT ANSWER - Maximizes the benefits of business intelligence - Enables establishing standard definitions for data, business rules and metrics - Identifies approved data sources - Establishes standards for data reconciliation and balancing - Identifies business intelligence initiatives to fund - Prioritizes business intelligence initiatives - Measure ROI on business intelligence initiatives Business/IT advisory team for Business Intelligence funding: - CORRECT ANSWER - Allows representing different functional perspectives - Recommends invest priorities - Establishes cross-organization benefit measures EGIT framework - CORRECT ANSWER Examples of EGIT framework - CORRECT ANSWER COBIT ISO/IEC 27000 ITIL O-ISM3 ISO/IEC 38500:2015 ISO/IEC 20000 ISO 3100:2018 COBIT (Control Objectives for Information and related Technology) - CORRECT ANSWER A framework developed by the Information Systems Audit and Control Association and the IT Governance Institute. Defines the goals for the controls that should be used to properly manage IT and ensure IT maps to business needs. Four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate ISO/IEC 27000 - CORRECT ANSWER Governance framework specifically for IT security. Really, a family of standards. ITIL - CORRECT ANSWER The Information Technology Infrastructure Library (ITIL) is a set of concepts and practices for Information Technology Services Management (ITSM), Information Technology (IT) development and IT operations. ITIL gives detailed descriptions of a number of important IT practices and provides comprehensive checklists, tasks and procedures that any IT organization can tailor to its needs. O-ISM3 - CORRECT ANSWER The Open Information Security Management Maturity Model (O-ISM3) is The Open Group framework for managing information security and was developed in conjuncture with the ISM3 Consortium. O-ISM3 aims to ensure that security processes operate at a level consistent with business requirements. ISO/IEC 38500:2015 - CORRECT ANSWER ISO/IEC 38500 is the international standard for the corporate governance of information technology, and provides guidance to those advising, informing or assisting directors on the effective and acceptable use of information technology (IT) within the organization. ISO/IEC 20000 - CORRECT ANSWER ISO Specification and Code of Practice for IT Service Management. ISO/IEC 20000 is aligned with ITIL Best Practice. ISO 3100:2018 - CORRECT ANSWER ISO 31000:2018 provides guidelines on managing risk faced by organizations. The application of these guidelines can be customized to any organization and its context. Segregation of Duties (SOD) - CORRECT ANSWER - Refers to the separation of specific roles and responsibilities - Enables to manage IT risk by avoiding intentional or accidental harmful actions - Organizations traditionally use a matrix to document potential iT risks associated with the work routines of employees, offering a visual means of seeing where specific privileges, permissions and actions may overlap in ways that create risk - Segregation of duties reduces potential damage due to actions of any one person as it limits access to: -- Computers -- Production data libraries -- Production programs -- Programming documentation -- OS and associated utilities SOD helps to: - Avoid the possibility of a single person managing diverse responsibilities and critical functions - Helps to detect inappropriate segregation of duties and avoids errors or misappropriations - Helps to prevent fraudulent and/or malicious acts Absence of SoD leads to: - Misappropriation of assets - Misstated financial statements - Inaccurate financial documentation, i.e. errors or irregularities -Improper use of funds or modification of data that could go undetected -Unauthorized or erroneous changes or modification of data and programs not detected Segregation of Duties Within IT: Role of IS Auditors Aspects that vary from one organization to another - CORRECT ANSWER SOD - IS auditors need to be aware of: - CORRECT ANSWER If complex applications and systems are used, an automated tool can evaluate the actual access of each user. This tool should be customized to IT and business processes SOD - duties to segregate - CORRECT ANSWER IS auditors should understand and document the relationships among the various job functions, responsibilities and authorities. They should also assess the adequacy of the SoD SOD - Remote Logging - CORRECT ANSWER Should be enabled for privileged users in the IT department Ensure that privileged users do not have access to their own logs Helps in audit/monitoring of actions of the privileged users via segregation of duties SOD - compensating controls - CORRECT ANSWER There could be situations when duties/responsibilities cannot be distinctly segregated. An organization may not have all the positions described in the matrix. One person may be responsible for many roles. How can we ensure appropriate access rights Compensating controls can be used to reduce the risk of an existing or potential control weakness when duties cannot be appropriately segregated Control mechanisms that can strengthen SOD: - CORRECT ANSWER Transaction authority: is the responsibility of the user department. Authorization is delegated to the degree that it relates to the level of responsibility in the department. Periodic checks must be performed by management and audit to detect the unauthorized entry of transactions Custody of assets: custody of corporate assets must be determined and assigned appropriately - The data owner: - - Is assigned to a specific user department - - Is assigned to individual duties in writing - - Is responsible to determine authorization levels SOD Data access controls: - CORRECT ANSWER Physical security - aim to prevent unauthorized personnel from accessing the various physical devices connected to the central processing unit, thereby permitting access to data Information processing facility (IPF) - protect information assets from unauthorized access and from external connections System and application security - provide additional layers that may prevent unauthorized individuals from gaining access to corporate data decisions on access controls are based on organizational policy, SoD and least privilege - CORRECT ANSWER Access controls should: - Be conditional - Protect all resources - Not disrupt workflow - Not burden the authorized users and auditors Access control policies establish the levels of sensitivity for electronically stored documents labeled as: - Top secret - Secret - Confidential - Unclassified These levels are used to grant access to individuals and guide on procedures for handling information resources SOD: Authorization forms - CORRECT ANSWER - Users should be authorized to access a specific system - System owners/managers define who should access what and provide formal authorization forms to IT - These forms (hard copy or electronic) define the access rights of each individual. They must be evidenced properly with approval from management - Large companies or those with remote sites should maintain signature authorization logs. All formal requests should be compared with this log before approving - Access privileges should be reviewed periodically to ensure they are current and appropriate to the user's job functions SOD: User authorization Tables - CORRECT ANSWER - IT department builds and maintains user authorization tables using the data in authorization forms - User authorization tables define who is authorized to update, modify, delete and/or view data - The privileges are provided at system, transaction of field level. In effect, these are user access control lists - Use password or data encryption to avoid unauthorized data access - Use a control log to record user activity, review and investigate any exception entries SOD: Compensating controls for lack of SOD - evaluate the reports, applications and related processes before relying on system-generated reports or functions as compensating controls - CORRECT ANSWER Audit trails: - Audit trails are an essential component of all well-designed systems. IT/user departments/IS auditors can use audit trails to: - - Retrace the flow of a transaction - - Recreate the actual transaction flow from origination to current location of file - The IS auditor should be able to determine who initiated the transaction, the time of dat and date of entry, the type of entry, what fields of information it contained and what files it updated Exception reporting: - Exception reporting should be handled at the supervisory level - It requires evidence (initials on report) noting that the exception has been handled properly - Management should also ensure that exceptions are resolved in a timely manner Supervisory reviews: may be performed through observation and inquiry or remotely Reconciliation: - Reconciliation is the responsibility of the user department - In some organizations, limited reconciliation of applications may be performed by the data control group by suing control totals and balance sheets - This type of independent verification confirms the application is processed successfully and the data are in proper balance Transaction logs: - Manual log: a record of transactions (grouped or batched) prior to processing - Automated log: a record of transactions processed and maintained in a computer system Independent reviews; - Carried out to compensate for mistakes or intentional failures - These reviews are particularly important when duties in a small organization cannot be appropriately segregated - Such reviews will also help detect errors or irregularities Standards - CORRECT ANSWER Standards are intended to keep products and service reliable and effective by directing ways to implement proven practices Unlike frameworks, standards prescribe how to accomplish something and generally offer a means of certifying as compliant Strong standards are difficult to implement in fast-moving environments where technology and business requirements change frequently Organizations that comply with standards may have an advantage in stability over those that chase the latest technology trends before their effectiveness is proven Policies - CORRECT ANSWER Statements of management intent, expectations and direction set the stage in terms of what tools and procedures are needed for an organization Strategic policies: - Set the tone for the organization - Serve as the constitution of security governance - Remain fairly static - Example: information resources shall be controlled in a manner that effectively precludes unauthorized access Operational Policies: - Must be consistent with high-level policies - Generally apply to employees and operations - Focus at the operational level - Example: Access to Accounting systems shall be authenticated using at least two factors unless otherwise approved in writing by the CFO Information Security Policy: - CORRECT ANSWER Rules: an information security policy is a set of rules and/or statements developed to protect an organization's information and related technology Employee Behavior: The purpose of an information security policy is to guide employee behavior Control Level: Information security policies must balance protection with productivity. The cost of a control should never exceed the expected benefit to be derived Working with Information Security Policy - CORRECT ANSWER Organizational culture plays an important role in the creation of an information security policy, including its design and management. Strategic goals and the enterprise risk appetite should also be taken into consideration Once created, the information security policy should then be approved by senior management. The higher the level at which a policy is approved, the more authoritative it is within the organization in the event of conflicts The approved policy is then communicated to all relevant stakeholders, including employees, service providers and business partners, such as suppliers Having been communicated, the information security policy is thereafter used by IS auditors as a reference framework for performing various IS audit assignments. The adequacy and appropriateness of the security policy itself could also be an area of review for the IS auditor Contents of a Policy Document: - CORRECT ANSWER The information security policy should both state management's commitment and set out the organization's approach to managing information security The policy document should contain: - An organizational definition of information security, objectives, scope, and information sharing mechanism - Management intent, supporting goals and principles of information security and business strategy and objectives - Framework for setting control objectives and controls, including the structure of risk assessment and risk management - Explanation of the information security policies, principles, standards and compliance requirements - Definition of general and specific responsibilities for information security management - References to documentation Communicating Information Security Policy - CORRECT ANSWER Employees or third parties should sign or formally acknowledge a statement of intent to confirm their understanding and willingness to comply with the policy. In many organizations, this is done: - At the time of joining the organization - On a periodic basis to account for policy changes over time - When an employee's role changes significantly, such as gaining administrative privileges or management authority Information Security Policies: - CORRECT ANSWER Information management - an information management policy is generally a high-level policy that includes statements on confidentiality, integrity and availability Acceptable use - generally includes information for all information resources (hardware, software, networks, Internet, etc.) and describes the organizational permissions for the usage of IT and information-related resources Access control - describe the method for defining and granting users the access to various IT resources Data classification - typically describes the classifications, levels of control for each classification and responsibilities of all potential users, including ownership End-user computing - might describe the parameters and usage of desktop, mobile computing and other tools by users, such as whether it is acceptable to work remotely in public places Review of Information Security Policy - CORRECT ANSWER Policy should be kept updated so that it is relevant, adequate and effective for the existing IT infrastructure. However, high-level policy is rarely affected by the addition of a new software application Information security policies should be reviewed: - At regular intervals (at least annually) - When there are significant changes in enterprise/business operations - When a new security risk is identified The information security policy should have an owner who is accountable for the development, review and evaluation of the policy Although group ownership is possible, it is preferable to designate a single person as the owner, because this enhances accountability Reviews should include: - Assessment of opportunities for policy improvement - Approaches to manage information security due to changes in organizational environment, business circumstances, legal conditions or technical environment - The policy change log should include a record of each review, including its data and the person primarily responsible for carrying it out Management review - inputs: - CORRECT ANSWER - Feedback from stakeholders - Results of independent reviews - Status of preventative, detective and corrective actions - Status of preventive, detective and corrective actions - Results of previous management reviews - Process performance and information security policy compliance data - Changes that could affect the organization's approach to managing information security - Use of outsourcing or offshoring for It or business functions - Trends related to threats and vulnerabilities - Reported information security incidents - Recommendations provided by relevant authority Management review - outputs: - CORRECT ANSWER - Re-alignment of information security with business objectives - Changes in the organization's approach to managing information security and its process - Clarifications of or changes to controls objectives and controls - Improvements in the allocation of resources and/or responsibilities IS Auditor's Role in IS Policy Review - CORRECT ANSWER Information Security Procedures: - CORRECT ANSWER IS auditors review procedures to identify, evaluate and test controls established to safeguard business and aligned IT processes Testing controls on the basis of procedures helps ensure that why fulfill their objectives and makes the process efficient and practical Information Security guidelines: - CORRECT ANSWER Guidelines provide basis information that helps create and implement the procedures. What makes guidelines distinct from procedures is that guidelines provide room for individual preference and judgment Guidelines can include: - Clarification of policies and standards - Dependencies - Suggestions and examples - Narrative clarifying the procedures - Background information or tools that may be useful IT organizational structure - CORRECT ANSWER There should be an organizational structure to govern IT effectively Organizational structure is a key component for IT governance. It includes key decision-makers There are different structures and roles and responsibilities within EGIT. The actual structure depends on the size, industry and location of the enterprise IT governing committees - CORRECT ANSWER Organizations may have executive and mid-management level committees such as: - IT executive committee - IT governance committee - IT investment committee IT management committee IT Strategy Committee - Responsibility - CORRECT ANSWER Provides insight and advice to the board on topics such as: - The relevance of developments in IT from a business perspective - The alignment of IT with business direction - The achievement of strategic IT objectives - The availability of suitable IT resources skills and infrastructure to meet the strategic objectives - Optimization of IT costs, including the role and value delivery of external IT sourcing - Risk, return and competitive aspects of IT investments - Progress on major IT projects - The contribution of IT to the business (i.e. delivering the promised business value) - Exposure to IT risk, including compliance risk - Containment of IT risk - Direction to management relative to IT strategy - Drivers and catalysts for the board's IT strategy IT Steering Committee - Responsibility - CORRECT ANSWER - Decides the overall level of IT spending and how costs will be allocated - Aligns and approves the enterprise's IT architecture - Approves project plans and budgets, setting priorities and milestones - Acquires and assigns appropriate resources - Ensures that projects continuously meet business requirements, including reevaluation of the business case - Monitors project plans for delivery of expected value and desired outcomes, on time and within budget - Monitors resource and priority conflict between enterprise divisions and the IT function as well as between projects - Makes recommendations and requests for changes to strategic plans (priorities, funding, technology approaches, resources etc.) - Communicates strategic goals to project teams - Is a major contributor to management's IT governance responsibilities and practices IT Strategy Committee - Authority - CORRECT ANSWER Advises the board and management on IT strategy Is delegated by the board to provide input to the strategy and prepare its approval Focuses on current and future strategic IT issues IT Steering Committee - Authority - CORRECT ANSWER Assists the executive in the delivery of the IT strategy Oversees day-to-day management of IT service delivery and IT projects Focuses on implementation IT Strategy Committee - Membership - CORRECT ANSWER Board members and specialist non-board members IT Steering Committee - Membership - CORRECT ANSWER Sponsoring executive Business executive (key users) Chief Information Officer (CIO) Key advisors as required (i.e. IT, audit, legal and finance) Security governance - Roles and Responsibilities of senior management and boards of directors: - CORRECT ANSWER Senior management and board members have a crucial role in information security governance Strategic direction and impetis are the two main elements of effective information security governance The governance process requires commitments, resources and assignment of responsibility for information security management Board of directors/senior management: - Approve policy - Ensure monitoring - Review metrics, reports and trend analysis - Determine the effect of IS governance Board of directors in IS security - CORRECT ANSWER Senior Management Participation in IS Security - CORRECT ANSWER For effective security governance and meeting strategic objectives, senior management should set an example for the entire organization by following the procedures carefully The tone at the top must be conducive to effective security governance. Senior management's endorsement of security initiatives will drive compliance at all levels in the organization Why should senior management be involved in IS governance? - CORRECT ANSWER Organizations recognize dependence on information and the growing threats to it Due to the scope and breadth of information security, a senior organization officer must have authority and responsibility for it Legal implications extend the command structure to senior management and the board of directors Prudent management led various organizations to elevate the position of information security officer to a senior management position Organizations that fail to include top management in the governance structure may find its senior employees unaware of IS responsibility and related liability Security strategy aligned with business process: - CORRECT ANSWER Steering Committee applying Security throughout the organization: - CORRECT ANSWER Facilitate achieving consensus on priorities and trade-offs Serve as an effective communications channel across the organization Confirm that the security programs and business objectives are aligned Encourage organizational behavior to support desired security practices Members of the Information Security Standards Committee: - CORRECT ANSWER C-level executive management and senior managers from IT Business process owners HR Legal Application owners Operations Audit IT Steering Committee - CORRECT ANSWER IT Steering Committee verifies if the IT department is aligned with the corporate mission and objective. This committee is appointed by senior management to oversee the IT function and its activities The committee includes senior representatives from different departments and lines of business It is recommended that a member of the board of directors who understands risks and issue to be responsible for IT and chair this committee The duties and responsibilities of the committee should be defined in a formal charter Members of the committee should know IT department policies, procedures and practices They should have the authority to decide for their areas Functions of IT Steering Committee: - CORRECT ANSWER Review long and short range plans of the IT department to ensure they align with corporate objectives Review and approve major acquisitions of hardware and software as approved by the board of directors Approve and monitor major projects and the status of IS plans and budgets, establish priorities, approve standards and procedures and monitor overall IS performance Review and approve sourcing strategies for IS activities, including insourcing or outsourcing, and the globalization or offshoring of functions Review and allocation of resources in terms of time, personnel and equipment Decide regarding centralization versus decentralization and assignment of responsibility Support development and implementation of an enterprise-wide information security management program Report to the board of

Mostrar más Leer menos
Institución
CISA Domain 2
Grado
CISA Domain 2











Ups! No podemos cargar tu documento ahora. Inténtalo de nuevo o contacta con soporte.

Escuela, estudio y materia

Institución
CISA Domain 2
Grado
CISA Domain 2

Información del documento

Subido en
15 de marzo de 2024
Número de páginas
49
Escrito en
2023/2024
Tipo
Examen
Contiene
Preguntas y respuestas

Temas

$12.99
Accede al documento completo:

¿Documento equivocado? Cámbialo gratis Dentro de los 14 días posteriores a la compra y antes de descargarlo, puedes elegir otro documento. Puedes gastar el importe de nuevo.
Escrito por estudiantes que aprobaron
Inmediatamente disponible después del pago
Leer en línea o como PDF

Conoce al vendedor

Seller avatar
Los indicadores de reputación están sujetos a la cantidad de artículos vendidos por una tarifa y las reseñas que ha recibido por esos documentos. Hay tres niveles: Bronce, Plata y Oro. Cuanto mayor reputación, más podrás confiar en la calidad del trabajo del vendedor.
SuperGrade Chamberlain College Of Nursing
Seguir Necesitas iniciar sesión para seguir a otros usuarios o asignaturas
Vendido
35
Miembro desde
3 año
Número de seguidores
11
Documentos
2203
Última venta
1 mes hace
Excellent Academic Material ,test, assignment, summary ,study Guide and test bank

Am best tutor in different course and assisting student is my first priority by providing them with quality work to enable them to success in their career chose my work for excellent grade, all the best

4.4

8 reseñas

5
4
4
3
3
1
2
0
1
0

Por qué los estudiantes eligen Stuvia

Creado por compañeros estudiantes, verificado por reseñas

Calidad en la que puedes confiar: escrito por estudiantes que aprobaron y evaluado por otros que han usado estos resúmenes.

¿No estás satisfecho? Elige otro documento

¡No te preocupes! Puedes elegir directamente otro documento que se ajuste mejor a lo que buscas.

Paga como quieras, empieza a estudiar al instante

Sin suscripción, sin compromisos. Paga como estés acostumbrado con tarjeta de crédito y descarga tu documento PDF inmediatamente.

Student with book image

“Comprado, descargado y aprobado. Así de fácil puede ser.”

Alisha Student

Preguntas frecuentes