CISAβCertified Information Systems Auditor - Part 214
1. The PRIMARY benefit of implementing a security program as part of a security governance framework is the:
A) alignment of the IT activities with IS audit recommendations.
B) enforcement of the management of security risks.
C) implementation of the chief information security officer's (CISO) recommendations.
D) reduction of the cost for IT security.
2. An IS auditor who is reviewing incident reports discovers that, in one instance, an important document left on an employee's desk was removed and put in the garbage by the outsourced cleaning staff. Which of the following should the IS auditor recommend to management?
A) Stricter controls should be implemented by both the organization and the cleaning agency.
B) No action is required since such incidents have not occurred in the past.
C) A clear desk policy should be implemented and strictly enforced in the organization.
D) A sound backup policy for all important office documents should be implemented.
3. During an audit, an IS auditor notices that the IT department of a medium-sized organization has no separate risk management function, and the organization's operational risk documentation only contains a few broadly described IT risks. What is the MOST appropriate recommendation in this situation?
A) Create an IT risk management department and establish an IT risk framework with the aid of external risk management experts.
B) Use common industry standard aids to divide the existing risk documentation into several individual risks which will be easier to handle.
C) No recommendation is necessary since the current approach is appropriate for a medium-sized organization.
D) Establish regular IT risk management meetings to identify and assess risks, and create a mitigation plan as input to the organization's risk management.
4. The IT balanced scorecard is a business governance tool intended to monitor IT performance evaluation indicators other than:
A) financial results.
B) customer satisfaction.
C) internal process efficiency.
D) innovation capacity.
5. Before implementing an IT balanced scorecard, an organization must:
A) deliver effective and efficient services.
B) define key performance indicators.
C) provide business value to IT projects.
D) control IT expenses.
A) alignment of the IT activities with IS audit recommendations.
B) enforcement of the management of security risks.
C) implementation of the chief information security officer's (CISO) recommendations.
D) reduction of the cost for IT security.
2. An IS auditor who is reviewing incident reports discovers that, in one instance, an important document left on an employee's desk was removed and put in the garbage by the outsourced cleaning staff. Which of the following should the IS auditor recommend to management?
A) Stricter controls should be implemented by both the organization and the cleaning agency.
B) No action is required since such incidents have not occurred in the past.
C) A clear desk policy should be implemented and strictly enforced in the organization.
D) A sound backup policy for all important office documents should be implemented.
3. During an audit, an IS auditor notices that the IT department of a medium-sized organization has no separate risk management function, and the organization's operational risk documentation only contains a few broadly described IT risks. What is the MOST appropriate recommendation in this situation?
A) Create an IT risk management department and establish an IT risk framework with the aid of external risk management experts.
B) Use common industry standard aids to divide the existing risk documentation into several individual risks which will be easier to handle.
C) No recommendation is necessary since the current approach is appropriate for a medium-sized organization.
D) Establish regular IT risk management meetings to identify and assess risks, and create a mitigation plan as input to the organization's risk management.
4. The IT balanced scorecard is a business governance tool intended to monitor IT performance evaluation indicators other than:
A) financial results.
B) customer satisfaction.
C) internal process efficiency.
D) innovation capacity.
5. Before implementing an IT balanced scorecard, an organization must:
A) deliver effective and efficient services.
B) define key performance indicators.
C) provide business value to IT projects.
D) control IT expenses.
1. Right Answer: B
Explanation: The major benefit of implementing a security program is management's assessment of risk and its mitigation to an appropriate level of risk, and the monitoring of the remaining residual risks. Recommendations, visions and objectives of the auditor and the chief information security officer (CISO) are usually included within a security program, but they would not be the major benefit.The cost of IT security may or may not be reduced.
2. Right Answer: A
Explanation: An employee leaving an important document on a desk and the cleaning staff removing it may result in a serious impact on the business. Therefore, the IS auditor should recommend that strict controls be implemented by both the organization and the outsourced cleaning agency. That such incidents have not occurred in the past does not reduce the seriousness of their impact.Implementing and monitoring a clear desk policy addresses only one part of the issue. Appropriate confidentiality agreements with the cleaning agency, along with ensuring that the cleaning staff has been educated on the dos and don'ts of the cleaning process, are also controls that should be implemented. The risk here is not a loss of data, but leakage of data to unauthorized sources. A backup policy does not address the issue of unauthorized leakage of information.
3. Right Answer: D
Explanation: Establishing regular meetings is the best way to identify and assess risks in a medium- sized organization, to address responsibilities to the respective management and to keep the risk list and mitigation plans up to date. A medium-sized organization would normally not have a separate IT risk management department. Moreover, the risks are usually manageable enough so that external help would not be needed. While common risks may be covered by common industry standards, they cannot address the specific situation of an organization. Individual risks will not be discovered without a detailed assessment from within the organization. Splitting the one risk position into several is not sufficient.
4. Right Answer: A
Explanation: Financial results have traditionally been the sole overall performance metric. The IT balanced scorecard (BSC) is an IT business governance tool aimed at monitoring IT performance evaluation indicators other than financial results. The IT BSC considers other key success factors, such as customer satisfaction, innovation capacity and processing.
5. Right Answer: B
Explanation: A definition of key performance indicators is required before implementing an IT balanced scorecard. Choices A, C and D are objectives.
Explanation: The major benefit of implementing a security program is management's assessment of risk and its mitigation to an appropriate level of risk, and the monitoring of the remaining residual risks. Recommendations, visions and objectives of the auditor and the chief information security officer (CISO) are usually included within a security program, but they would not be the major benefit.The cost of IT security may or may not be reduced.
2. Right Answer: A
Explanation: An employee leaving an important document on a desk and the cleaning staff removing it may result in a serious impact on the business. Therefore, the IS auditor should recommend that strict controls be implemented by both the organization and the outsourced cleaning agency. That such incidents have not occurred in the past does not reduce the seriousness of their impact.Implementing and monitoring a clear desk policy addresses only one part of the issue. Appropriate confidentiality agreements with the cleaning agency, along with ensuring that the cleaning staff has been educated on the dos and don'ts of the cleaning process, are also controls that should be implemented. The risk here is not a loss of data, but leakage of data to unauthorized sources. A backup policy does not address the issue of unauthorized leakage of information.
3. Right Answer: D
Explanation: Establishing regular meetings is the best way to identify and assess risks in a medium- sized organization, to address responsibilities to the respective management and to keep the risk list and mitigation plans up to date. A medium-sized organization would normally not have a separate IT risk management department. Moreover, the risks are usually manageable enough so that external help would not be needed. While common risks may be covered by common industry standards, they cannot address the specific situation of an organization. Individual risks will not be discovered without a detailed assessment from within the organization. Splitting the one risk position into several is not sufficient.
4. Right Answer: A
Explanation: Financial results have traditionally been the sole overall performance metric. The IT balanced scorecard (BSC) is an IT business governance tool aimed at monitoring IT performance evaluation indicators other than financial results. The IT BSC considers other key success factors, such as customer satisfaction, innovation capacity and processing.
5. Right Answer: B
Explanation: A definition of key performance indicators is required before implementing an IT balanced scorecard. Choices A, C and D are objectives.
Comments
0
CA Foundation Business Economics Questions 2023 - Part 32
03 Mar 2023
CA Foundation Business Economics Questions 2023 - Part 31
03 Mar 2023
CA Foundation Business Economics Questions 2023 - Part 30
03 Mar 2023
CA Foundation Business Economics Questions 2023 - Part 29
03 Mar 2023
CA Foundation Business Economics Questions 2023 - Part 28
03 Mar 2023
