An overview of enterprise data flow architecture, including the different layers such as the data source layer, data staging and quality layer, data access layer, and data preparation layer. It also covers key aspects of IT governance, such as the roles and responsibilities of the IT steering committee and IT strategy committee, IT risk management, IT portfolio management, and the importance of aligning IT objectives with business objectives. Various IT controls, data integrity checks, and compliance requirements are covered. It touches on topics related to enterprise architecture, IT resource management, and the governance of IT for the organization. The information presented could be useful for students studying information systems, data management, IT governance, and related fields at the university level.
What does EGIT stand for? What is its meaning? - CORRECT ANSWER Enterprise Governance of Information and Technology. It is a system composed of stakeholders, board of directors, department managers, and internal customers who provide input into the IT decision-making process.
What are the three broad processes in the EGIT framework? - CORRECT ANSWER 1. IT Resource Management - Focuses on maintaining an updated inventory of all IT resources and addresses the risk management process.
T/F: Strategic IS Planning involves considering cost, benefit, and risk of implementing new technology. - CORRECT ANSWER True
What are some common uses of Business Intelligence? - CORRECT ANSWER A) Legal requirements, for businesses to understand what's occurring in their own business. B) Competitive advantage for supply chain and other areas. C) The increasing size and complexity of organizations.
What are the two components which allow BI to operate effectively? - CORRECT ANSWER A) The enterprise data flow architecture B) A logical data architecture
What are the layers/components of EDFA? - CORRECT ANSWER Enterprise Data Flow Architecture is composed of the following layers:
What is a data mart layer? - CORRECT ANSWER A subset of information in the DW that relates to a particular business system.
What is the data staging and quality layer? - CORRECT ANSWER Layer responsible for copying data into the DW and ensuring data is formatted properly before being loaded into the DW. Needs to be flexible in case data changes, like the format of customer accounts for example.
What is the data access layer? - CORRECT ANSWER Between the data source layer and the data staging layer.
What is the data preparation layer? - CORRECT ANSWER Prepares data to be loaded into data marts.
What is the metadata repository layer? - CORRECT ANSWER Metadata are data about data. This includes the purpose of the business systems that data moving through the architecture is involved in.
What is the warehouse management layer? - CORRECT ANSWER This layer is concerned with scheduling the transfer of data into the DW and data marts. Also involved in security.
What is the application messaging layer? - CORRECT ANSWER Layer concerned with transporting information between the various layers. In addition to business data, this layer encompasses storage and targeted communication of control messages.
What is the internet/intranet layer? - CORRECT ANSWER Basic data communications, like browser-based user interfaces and TCP/IP protocol networking.
What is a context diagram? - CORRECT ANSWER A chart which outlines the processes of an organization and the external parties with which the organization interacts.
What is an activity or swim-lane diagram? - CORRECT ANSWER Gives a concise overview of business processes.
What is an entity relationship diagram? - CORRECT ANSWER Diagram which depicts data entities and how they relate.
What is the purpose of implementing a business/IT advisory team in the area of BI funding governance? - CORRECT ANSWER To best ensure ROI and that areas are prioritized by need.
Give some examples of EGIT frameworks. - CORRECT ANSWER 1. COBIT
How should IT policies, procedures, programs, etc. be driven? - CORRECT ANSWER From the top down.
What does ISSC stand for? - CORRECT ANSWER Information Security Standards Committee
Which personnel make up the ISSC? - CORRECT ANSWER C-level executive management and senior managers from IT, HR, Audit and Legal.
Why are audit senior managers required to be a part of the ISSC? - CORRECT ANSWER To ensure that systems are auditable by ensuring logging and audit trails are in place.
T/F: The IT Steering Committee is involved in implementation of the Information Security Management Program. - CORRECT ANSWER True
Which group is more focused on mitigating risk, the IT Strategy Committee or the IT Steering Committee? - CORRECT ANSWER IT Strategy Committee
What is the difference between outsourcing and vendors? - CORRECT ANSWER There is no difference.
What does Media Management do in an organization? - CORRECT ANSWER Manages data storage on removable media.
What is an RTU in a SCADA system? What is its purpose? - CORRECT ANSWER Remote Terminal Unit. To make automated changes in response to activity in the SCADA system.
What does a systems analyst specialize in? - CORRECT ANSWER Finding users' needs and creating requirements for systems to satisfy those needs.
What are infrastructure staff responsible for? - CORRECT ANSWER Maintaining systems software.
What is an IPF? - CORRECT ANSWER Information Processing Facility, like a server or computer room.
T/F: Logging is a control by itself. - CORRECT ANSWER False
T/F: An auditor can sometimes design an auditee's controls. - CORRECT ANSWER False
What is remote logging, and what is its purpose from a SoD point of view? - CORRECT ANSWER Remote logging is sending user logs to another authorized user so that the individual whose activity appears on the log cannot modify it.
What is a signature authorization log and its purpose? - CORRECT ANSWER Log of authorizations given to users. Periodically, user access should be compared with the log to ensure that access is appropriate.
What are some methods to compensate for lack of SoD? - CORRECT ANSWER 1. Audit Trails
Corrective Manual or Automated Formal or Ad Hoc
What levels does IT Risk Management need to work on? - CORRECT ANSWER Operational Level - Risk which affects the operation of IT systems. Project Level - Focuses on project objective completion. Strategic Level - How well IT capability is aligned with the business strategy.
What is a CMM? - CORRECT ANSWER Capability Maturity Model.
What would a 0 and a 5 be like according to the Capability Maturity Model? - CORRECT ANSWER A 0 would have no capabilities and would lack governance. A 5 is a process which achieves its purpose, is well defined, and is measured to improve performance.
What does ERM stand for? - CORRECT ANSWER Enterprise Risk Management
What is IT Portfolio Management? - CORRECT ANSWER Managing IT resources by analyzing cost and benefit, risk of IT processes, and roles and organizational structure of IT processes.
What is employee bonding? - CORRECT ANSWER Document which states an employee must work for a business for a certain amount of time.
What should salary increases and promotions be based upon? - CORRECT ANSWER Performance
What is a chargeback scheme? - CORRECT ANSWER Where the end user pays for services, allowing effectiveness and monitoring to be measured like in a marketplace.
Who should be responsible for managing the chargeback scheme? - CORRECT ANSWER CFO, user management, and IS management.
What is an offsite IT function? - CORRECT ANSWER Function performed offsite but still in the same geographic region, also called nearshore.
T/F: Performing an analysis of an organization's outsourcing policy is a potential part of an IS auditor's role. - CORRECT ANSWER True
What is an SLA? Give an example. - CORRECT ANSWER Service Level Agreement. An example is an agreement on how much uptime a system should have.
What is service delivery management? - CORRECT ANSWER Administration to ensure third-party services are meeting delivery agreements.
What is an IT BSC? What is its purpose? - CORRECT ANSWER IT Balanced Scorecard. Differs from the typical financial evaluation; measures organizational IT effectiveness by gathering feedback from users and customers, and measures the ability to innovate.
In an electronic funds transfer system, should the user sending a message be able to verify their own message? - CORRECT ANSWER No
Which part of an organization is focused on aligning IT objectives with business objectives? - CORRECT ANSWER IT Strategy Committee
What is the IT Steering Committee focused on? - CORRECT ANSWER Project budget and goals.
What is sociability testing? - CORRECT ANSWER Tests that confirm a new system can function with the environment.
What is parallel testing? - CORRECT ANSWER Feeding test data into the new system and the old one to ensure the same results.
Who determines the severity definitions prior to test planning? - CORRECT ANSWER Project sponsor, end-user management, and the project manager.
T/F: Test planning occurs prior to implementation. - CORRECT ANSWER True
What is cyclical checking? - CORRECT ANSWER Cycles of data integrity checking of data held in a system.
What is the difference between relational integrity tests and referential integrity tests? - CORRECT ANSWER Relational integrity tests check data values in a table, ensuring accuracy. Referential integrity tests evaluate if the relationship between two objects in different databases is correct.
What is Atomicity in data integrity checking? - CORRECT ANSWER A transaction is either completed in its entirety or not at all.
What is Consistency in data integrity checking? - CORRECT ANSWER Integrity conditions in the database are maintained with each transaction. Data integrity checking throughout the table change process.
What is Isolation in data integrity checking? - CORRECT ANSWER Each transaction is isolated from other transactions.
What is Durability in data integrity checking? - CORRECT ANSWER If a transaction has been reported back to a user as complete, hardware or software changes to the database will not affect the previous change.
Why is generalized audit software for determining which application tests to use?
What is governance all about? - CORRECT ANSWER High-level personnel
Who is most responsible for IT governance? - CORRECT ANSWER Directors
What is the first point of reference for an IS auditor? - CORRECT ANSWER Approved policies
To ensure policies are complying with legal requirements, what should an organization do? - CORRECT ANSWER Have a periodic review of policy by a subject matter expert.
Who has ownership over a project? - CORRECT ANSWER User management
Which group is most likely to accept/reject an RFP for a new system? - CORRECT ANSWER Project Steering Committee
An organization has a well-established risk management process. Which of the following risk management practices would MOST likely expose the organization to the greatest amount of compliance risk?
a) Risk reduction
b) Risk transfer
c) Risk avoidance
d) Risk mitigation
- CORRECT ANSWER Risk transfer is correct. This typically addresses financial risk. For instance, an insurance policy is commonly used to transfer financial risk, while compliance risk continues to exist. Risk reduction is incorrect. This is a term synonymous with risk mitigation. Risk reduction lowers risk to a level commensurate with the organization's risk appetite. Risk reduction treats the risk, while risk transfer does not always address compliance risk. Risk avoidance is incorrect. This does not expose the organization to compliance risk because the business practice that caused the inherent risk to exist is no longer being pursued. Risk mitigation is incorrect. This will still expose the organization to a certain amount of risk. Risk mitigation lowers risk to a level commensurate with the organization's risk appetite. However, risk transference is the best answer because risk mitigation treats the risk, while risk transfer does not necessarily address compliance risk.
An IS auditor identifies that reports on product profitability produced by an organization's finance and marketing departments give different results. Further investigation reveals that the product definition being used by the two departments is different. What should the IS auditor recommend?
a) User acceptance testing occurs for all reports before release into production
b) Organizational data governance practices are put in place
c) Standard software tools are used for report development
d) Management signs off on requirements for new reports
- CORRECT ANSWER Organizational data governance practices are put in place is correct. This choice directly addresses the problem. An organization-wide approach is needed to achieve effective management of data assets and reporting standards. This includes enforcing standard definitions of data elements, which is part of a data governance initiative. User acceptance testing occurs for all reports before release into production is incorrect. Recommending that user acceptance testing occur for all reports before release into production does not address the root cause of the problem described. Standard software tools are used for report development is incorrect. Recommending standard software tools be used for report development does not address the root cause of the problem described. Management signs off on requirements for new reports is incorrect. Recommending that management sign off on requirements for new reports does not address the root cause of the problem described.
Which of the following is the MOST important function to be performed by IT management when a service has been outsourced?
a) Ensuring that invoices are paid to the provider
b) Participating in systems design with the provider
c) Renegotiating the provider's fees
d) Monitoring the outsourcing provider's performance
- CORRECT ANSWER Monitoring the outsourcing provider's performance is correct. In an outsourcing environment, the enterprise is dependent on the performance of the service provider. Therefore, it is critical that the outsourcing provider's performance is monitored to ensure that services are delivered to the enterprise as required. Ensuring that invoices are paid to the provider is incorrect. Payment of invoices is a finance function, which would be completed per contractual requirements. Participating in systems design with the provider is incorrect. Participating in systems design is a by-product of monitoring the outsourcing provider's performance. Renegotiating the provider's fees is incorrect. This is usually a one-time activity and is not as important as monitoring the vendor's performance.
Which of the following should be of GREATEST concern to an IS auditor when reviewing an information security policy? The policy:
a) is driven by an IT department's objectives.
b) is published, but users are not required to read the policy.
c) does not include information security procedures.
d) has not been updated in over a year.
- CORRECT ANSWER Is driven by an IT department's objectives is correct. Business objectives drive the information security policy, and the information security policy drives the selection of IT department objectives. A policy driven by IT objectives is at risk of not being aligned with business goals. Is published, but users are not required to read the policy is incorrect. Policies should be written so that users can understand each policy, and employees should be able to easily access the policies. The fact that users have not read the policy is not the greatest concern because they still may be compliant with the policy. Does not include information security procedures is incorrect. Policies should not contain procedures. Procedures are established to assist with policy implementation and compliance. Has not been updated in over a year is incorrect. Policies should be reviewed annually, but they might not necessarily be updated annually unless there are significant changes in the environment such as new laws, rules or regulations.
Establishing the level of acceptable risk is the responsibility of:
a) quality assurance management.
b) senior business management.
c) the chief information officer.
d) the chief security officer.
- CORRECT ANSWER Senior business management is correct.
Senior management should establish the acceptable risk level because they have the ultimate or final responsibility for the effective and efficient operation of the organization as a senior manager of the business process. The person can be the quality assurance (QA), chief information officer (CIO), or the chief security officer (CSO), but the responsibility rests with the business manager. Quality assurance management is incorrect. QA is concerned with reliability and consistency of processes. The QA team is not responsible for determining an acceptable risk level. The chief information officer is incorrect. The establishment of acceptable risk levels is a senior business management responsibility. The CIO is the most senior official of the enterprise who is accountable for IT advocacy; aligning IT and business strategies; and planning, resourcing and managing the delivery of IT services, information and the deployment of associated human resources. The CIO is rarely the person that determines acceptable risk levels because this could be a conflict of interest unless the CIO is the senior business process owner. The chief security officer is incorrect. The establishment of acceptable risk levels is a senior business management responsibility. The CSO is responsible for enforcing the decisions of the senior management team unless the CIO is the business process manager.
A business unit has selected a new accounting application and did not consult with IT early in the selection process. The PRIMARY risk is that:
a) the security controls of the application may not meet requirements.
b) the application may not meet the requirements of the business users.
c) the application technology may be inconsistent with the enterprise architecture.
d) the application may create unanticipated support issues for IT.
- CORRECT ANSWER The application technology may be inconsistent with the enterprise architecture is correct. The primary focus of the enterprise architecture (EA) is to ensure that technology investments are consistent with the platform, data and development standards of the IT organization.
The EA defines both a current and future state in areas such as the use of standard platforms, databases or programming languages. If a business unit selected an application using a database or operating system that is not part of the EA for the business, this increases the cost and complexity of the solution and ultimately delivers less value to the business. The security controls of the application may not meet requirements is incorrect. Although security controls should be a requirement for any application, the primary focus of the EA is to ensure that new applications are consistent with enterprise standards. Although the use of standard supported technology may be more secure, this is not the primary benefit of the EA. The application may not meet the requirements of the business users is incorrect. When selecting an application, the business requirements and the suitability of the application for the IT environment must be considered. If the business units selected their application without IT involvement, they are more likely to choose a solution that fits their business process the best with less emphasis on how compatible and supportable the solution will be in the enterprise, and this is not a concern. The application may create unanticipated support issues for IT is incorrect. Although any new software implementation may create support issues, the primary benefit of the EA is ensuring that the IT solutions deliver value to the business. Decreased support costs may be a benefit of the EA, but the lack of IT involvement in this case would
During an audit, which of the following situations is MOST concerning for an organization that significantly outsources IS processing to a private network?
a) The contract does not contain a right-to-audit clause for the third party.
b) The contract was not reviewed by an information security subject matter expert prior to signing.
c) The IS outsourcing guidelines are not approved by the board of directors.
d) There is a lack of well-defined IS performance evaluation procedures.
- CORRECT ANSWER The contract does not contain a right-to-audit clause for the third party is correct. Lack of a right-to-audit clause in the contract impacts the IS auditor's ability to perform the IS audit. Hence, the IS auditor is most concerned with such a situation. In the case of outsourcing to a private network, the organization should ensure that the third party has a minimum set of IT security controls in place and that they are operating effectively.
The contract was not reviewed by an information security subject matter expert prior to signing is incorrect. Having an information security subject matter expert review a contract is a good practice, but it is not a requirement in all industries. The IS outsourcing guidelines are not approved by the board of directors is incorrect. Approval of the IS outsourcing guidelines by the board is a good practice of governance, and lack of approval is an audit issue. However, it does not impact the IS auditor's ability to perform an IS audit. There is a lack of well-defined IS performance evaluation procedures is incorrect. Lack of well-defined procedures does not enable objective evaluation of IS performance and is an audit issue. However, it does not result in major risk or repercussions and also does not impact the IS auditor's ability to perform an IS audit.
Which of the following does an IS auditor consider the MOST relevant to short-term planning for an IT department?
a) Allocating resources
b) Adapting to changing technologies
c) Conducting control self-assessments
d) Evaluating hardware needs
- CORRECT ANSWER Allocating resources is correct. The IT department should specifically consider the manner in which resources are allocated in the short term. The IS auditor ensures that the resources are being managed adequately. Adapting to changing technologies is incorrect. Investments in IT need to be aligned with top management strategies rather than be relevant to short-term planning and focus on technology for technology's sake. Conducting control self-assessments is incorrect. This is not as critical as allocating resources during short-term planning for the IT department. Evaluating hardware needs is incorrect. This is not as critical as allocating resources during short-term planning for the IT department.
Which of the following is the BEST reference for an IS auditor to determine a vendor's ability to meet service level agreement (SLA) requirements for a critical IT security service?
a) Compliance with the master agreement
b) Agreed-on key performance metrics
c) Results of business continuity tests
d) Results of independent audit reports
- CORRECT ANSWER Agreed-on key performance indicators is correct. Key performance indicators are metrics that allow for a means to measure performance. Service level agreements (SLAs) are statements related to expected service levels. For example, an Internet service provider (ISP) may guarantee that their service will be available 99.99 percent of the time. Compliance with the master contract is incorrect. The master contract typically includes terms, conditions and costs but does not typically include service levels. Results of business continuity tests is incorrect. If applicable to the service, results of business continuity tests are typically included as part of the due diligence review. Results of independent audit reports is incorrect. Independent audits report on the financial condition of an organization or the control environment. Reviewing audit reports is typically part of the due diligence review. Even audits must be performed against a set of standards or metrics to validate compliance.