[AISSOC] - Q2 Managing Information and Technology.pdf

Uploaded by LushPipa (University of Santo Tomas)

AIS 5131 - MANAGING INFORMATION AND TECHNOLOGY

Chapter 1: IT Governance and IT Strategy - Part C

Business Intelligence (BI) system: a significant organization-wide investment, now commonplace
Broad field of IT that encompasses the collection and analysis of information to assist decision making and to assess organizational performance (the performance is what is being assessed)

Areas where BI is applied:
BI is applied to enhance a variety of business questions for measurement and analysis, including:
- Process cost, efficiency and quality
- Customer satisfaction (with product & service offering)
- Customer profitability (including which attributes are useful predictors of customer profitability)
- Achievement of key performance indicators (from the staff & business unit)
- Risk management

Factors which increased interest in BI as a distinct field of study/IT activity:
a) Increasing size and complexity of modern organizations
- Fundamental business questions need BI capability
- The result is that even fundamental business questions cannot be properly answered without establishing serious BI capability
b) Legal requirements
- Legislation enforces the need for companies to understand the "whole of business"
- Financial institutions must report on all accounts/instruments of customers and all related transactions against those accounts/instruments (including any suspicious transaction patterns)
c) Pursuit of competitive advantage
- Automation of basic high-volume activities
- Enterprise resource planning (ERP)
- Investment in internet technology to distribute products & services and for supply chain integration
- Use of IT represents a new opportunity to use technology to gain advantage over competitors
- To maintain & extend a business' knowledge and capital

To effectively deliver BI, organizations need to design and implement a data architecture
Complete data architecture components:
- The enterprise data flow architecture (EDFA)
- A logical data architecture

Layers/Components of Enterprise Data Flow Architecture (EDFA)

1) Presentation/Desktop Access Layer
★ THE TOP MOST LAYER
Where end users directly deal with information
Includes desktop tools (e.g., spreadsheets), direct querying tools, reporting and analysis suites and purpose-built applications (e.g., balanced scorecards - BSCs, digital dashboards)
Power users: have the ability to build their own queries and reports
- Users that have greater access, aka admin
Other regular/normal users: interact with data in predefined ways

2) Data Source Layer
★ THE LOWEST LAYER
Sources of information: operational data, external data and nonoperational data

3) Core Data Warehouse (DW)
Where all, or the majority of, data of interest to an organization are captured and organized for reporting and analysis
Normally instituted as a large relational database (e.g., key information of a student)
DW: should hold normalized data for flexibility in dealing with complex and changing business structures
Normalized data - clean data with a specific and standard structure

4) Data Mart Layer
Data marts: represent subsets of information from the core DW, which are selected and organized to meet business unit or business line needs (e.g., multi-purpose hall)
➔ may be relational databases or online analytical processing (OLAP) data structures, aka data cubes
➔ simplified structure compared to the normalized DW

5) Data Staging and Quality Layer
Data copying, transformation into DW format and quality control
Reliable data: get loaded to the core DW
Data staging and quality layer: needs to deal with problems that are periodically thrown up by operational systems, such as changes to account number formats and reuse of old account and customer numbers (when the DW still holds the original information of the entity)

6) Data Access Layer
Connects the data storage and quality layer with data stores in the data source layer

7) Data Preparation Layer
Assembly and preparation of data for loading into data marts
Usual practice: pre-calculate the values loaded into OLAP data repositories to increase access speed
Specialist data mining: requires preparation of data
Data mining: explores large volumes of data to determine patterns and trends of information

8) Metadata Repository Layer
Metadata are the data about data
Metadata layer: should be comprehensive in scope
- Covering data as they flow between the various layers, which includes documenting transformation and validation rules
Information in the metadata layer:
- Needs to extend beyond data structure names and formats to provide detail on business purpose & context
- Can be directly sourced by software operating in the other layers
EXAMPLES OF METADATA: file name; file size; creation/modification date; attributes, i.e. hidden, read-only, system; owner; permissions

9) Warehouse Management Layer
For scheduling of the tasks necessary to build & maintain the DW and data mart layers
Administration of security

10) Application Messaging Layer
Transporting information between the various layers
Encompasses generation, storage and targeted communication of control messages

11) Internet/Intranet Layer
Basic data communication
Browser-based user interfaces and Transmission Control Protocol/Internet Protocol (TCP/IP) networking

Logical Data Architecture
A major undertaking that would normally be undertaken in stages
Reason for separating logical data model determination by business domain: different parts of organizations often deal with different transaction sets, customers and products

Data Architecture
Needs to be structured to accommodate the needs of the organization most efficiently
Factors to consider include:
a) Types of transactions in which the organization engages
b) The entities that participate in these transactions (e.g., customers, products, staff & communication channels)
c) The dimensions important to the business
- Dimension hierarchies (e.g., product & organization hierarchy)

Data Warehouses (DWs)
Storage capacity: not an issue
Goal: obtain the most granular or atomic data possible
Lowest level of data (so that attributes used for analysis purposes are not lost) vs. summarized data

Various Analysis Models used by Data Architects/Analysts
a) Context diagrams - outline the major processes of the organization and the external parties with which the business interacts
b) Activity or swim-lane diagrams - deconstruct business processes
c) Entity relationship diagrams - depict data entities and how they relate
❖ Data analysis methods: important in developing the enterprise data model
❖ Knowledgeable business operatives (skilled individuals) need to be involved in the process:
1) For proper understanding of the business purpose and context of the data
2) For mitigating the risk of replicating suboptimal data configurations from existing systems and databases into the DW

DATA GOVERNANCE
Effective data governance process: needed to maximize the value an organization obtains from BI initiatives
Important parts of the governance process involve:
➔ BI initiatives to fund
➔ Priorities of initiatives
➔ Measuring ROI of initiatives
These parts are important because of the large investment in BI infrastructure
Scope: DW must be built in stages
Recommended practice: establish a business/IT advisory team that:
- Allows different functional perspectives to be represented
- Recommends investment priorities
- Establishes cross-organizational benefit measures
Final funding decisions: should rest with a technology steering committee (comprised of senior management)
Data governance is an important part of overall BI governance
Aspects to be considered here include:
- Establishing standard definitions for data, business rules and metrics
- Identifying approved data sources
- Establishing standards for data reconciliation and balancing

Chapter 2: IT-Related Frameworks

Introduction on EGIT Framework
Fail or succeed? Based on how they approach and use technology
EGIT frameworks: developed to help enterprise leaders protect the integrity of their enterprise's information assets and deliver value to stakeholders
Frameworks: help organizations address business issues through governance and management of information and technology, by aligning high-level strategic objectives with operational objectives and direct work outcomes
Key to maximizing value: consider EGIT synergistically in the overall enterprise governance hierarchy

EXAMPLES OF EGIT FRAMEWORK
1. Control Objectives for Information and Related Technology (COBIT)
Developed by ISACA to support EGIT
Provides a framework to ensure that:
a) IT is aligned with the business
b) IT enables the business and maximizes benefits
c) IT resources are used responsibly
d) IT risk is managed appropriately
Provides tools to assess and measure the performance of IT processes within an organization

2. International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27000 Series
A set of best practices that provides guidance for implementing and maintaining information security programs
ISO/IEC 27001: well-known standard in the industry; provides requirements for an Information Security Management System (ISMS)

3. Information Technology Infrastructure Library (ITIL®)
Developed by the UK Office of Government Commerce (OGC), in partnership with the IT Service Management Forum
Detailed framework with hands-on information on how to achieve successful operational service management of IT
Includes business value delivery

4. The Open Information Security Management Maturity Model (O-ISM3)
Process-based ISM (Information Security Management) maturity model or framework for security
Assists information security heads to assess their operating environment and to devise a plan for their security management activities, so that they are aligned with, and cost-effective for, the organization's business objectives

5. ISO/IEC 38500:2015: Information technology - Governance of IT for the organization
Provides guiding principles for governing bodies of organizations on the effective, efficient and acceptable use of IT within an organization

6. ISO 31000:2018: Risk Management - Guidelines
Provides guidelines on and a common approach to risk management for organizations

7. ISO/IEC 20000
Specification for service management aligned with ITIL's service management framework
Two parts:
a) ISO/IEC 20000-1:2018 - specific requirements for service management improvement
b) ISO/IEC 20000-2:2012 - guidance and examples for the application of ISO/IEC 20000-1:2018

Chapter 3: IT Standards, Policies, and Procedures

Various definitions
Definitions to be used: according to major standards bodies
Policies: tools for governance; standards: tools for management
Procedures and guidelines: cover or influence the operations

STANDARDS
Standard: a mandatory requirement, code of practice or specification approved by a recognized external standards organization
Professional standards: standards issued by professional organizations, such as ISACA, PICPA and IMA, with related guidelines and techniques that assist the professional in implementing & complying with other standards
Strong standards:
- Necessary in current fast-moving environments
- Help ensure effectiveness and reliability of products and services
- Necessary to the trust and effectiveness needed for growth
- Updated as needed, to ensure/address the latest thinking & technology

POLICIES
Policies: high-level statements of management intent, expectations and direction
Well-developed, high-level policies in a mature organization: can remain fairly static for extended periods
Example of a policy statement (on access control): "Information resources shall be controlled in a manner that effectively prevents unauthorized access."
Policies: considered the "constitution" of governance; aligned with strategic objectives
Corporate policies: set the tone for the organization as a whole
Lower-level policies:
➔ For individual divisions and departments
➔ Consistent with the corporate-level policies
➔ Apply to the employees and operations of the individual divisions and departments; focus at the operational level

Review of Policies
Management: review all policies periodically
Reviewed documents: have a review date
- IS auditors should ensure that the review dates are as current as possible
Policies: updated to reflect new technology, changes in environment (regulatory compliance requirements), and significant changes in business processes

Role of IT Auditors in Policies
IT auditors:
➔ should understand that policies are part of the audit scope
➔ should test policies for compliance
IS controls should flow from the enterprise's policies
IS auditors should use policies as a benchmark or reference point for evaluating performance/compliance
Policies that hinder achievement of objectives: must be identified and reported for improvement
Other considerations by the IS auditor:
- Application of policies to third parties or outsourcers
- Compliance of third parties or outsourcers with policies
- Conflict of third parties' or outsourcers' policies with the enterprise's policies

INFORMATION SECURITY POLICY
Information security policy: rules and/or statements developed by an organization to protect its information and related technology
Security policy for IT:
- helps guide behaviors
- first step in building the security infrastructure for technology-driven organizations
Policies: set what tools and procedures are needed for the organization
Information security policies: balance the level of control and productivity/efficiency
Cost of control: should never exceed the benefit
Organizational culture: plays an important role in exploiting IT for efficiency and effectiveness in productivity or competitive gain
Policies formulated: support achievement of business objectives and implementation of IS controls
Broad higher-level policies and detailed lower-level policies: should be aligned with business objectives
Information security policy:
➔ Must be approved by senior management
➔ Documented and communicated to all employees, service providers and business partners
Information security policy: reference framework for IS auditors in doing audit assignments
Adequacy and appropriateness of the security policy: also an area of review for IS auditors
Information security policy: states management's commitment and sets out the organization's approach to managing information security
Information security policy:
➔ Might be part of a general policy document
➔ May be distributed to third parties and outsourcers, but must not disclose sensitive organizational information
Information security policy: should be communicated throughout the organization, in a form or method accessible and understandable to the intended readers
Employees or third parties who have access to information assets: required to sign off that they will comply with the information security policy at the time they are hired or contracted, and on a regular basis thereafter (e.g., annually) to account for policy changes over time
Organizations may document information security policies as a set of policies
Policy concerns that are addressed (or parts/groups of a policy document):
a) High-level information security policy - statements of confidentiality, integrity and availability
b) Data classification policy - describes classifications, levels of control and responsibilities of all potential users
- Confidential or restricted information, integrity impact, availability impact (high or low)
c) Acceptable use policy - comprehensive; includes information for all information resources (hardware, software, networks, internet, etc.); describes the permissions for the usage of IT resources
d) End-user computing policy - describes parameters and usage of tools by users
e) Access control policies - describe the method for defining and granting access to users for various IT resources

ISO/IEC 27001 (on Information Security Management Systems) and ISO/IEC 27002 (on information security controls): may be considered a benchmark for the information security policy document

Elements of a Policy Document
1) Definition of information security
- Its overall objectives and scope, and the importance of security as an enabling mechanism for information sharing
2) Statement of management intent
- Supporting the goals and principles of information security in line with the business strategy/objectives
3) Framework for setting control objectives and controls
- Including the structure of risk assessment and management
4) Brief explanation of the information security policies, principles, standards and compliance requirements, including:
➔ Compliance with legislative, regulatory and contractual requirements
➔ Information security education, training and awareness requirements
➔ Business continuity management
➔ Consequences of information security policy violations
5) Definition of general and specific responsibilities for information security management
- Including reporting of information security incidents
6) References to documentation that may support the policy
- More detailed security policies, standards and procedures for specific information systems, or security rules with which users should comply

REVIEW OF INFORMATION SECURITY POLICY
Information security policy should be reviewed (for its continuing suitability, adequacy and effectiveness):
- At planned intervals (usually annually), or
- When significant changes to the enterprise, operations or security-related risk occur
Information security policy should have an owner who has approved management responsibility for the development, review and evaluation of the policy
The review should include assessing:
➔ opportunities for improvement to the organization's IT security policy
➔ the approach to managing information security in response to changes to the organizational environment, business circumstances, legal provisions/requirements, or technical environment
Maintenance of the information security policy: consider the results of reviews
There should be defined management review procedures (including a schedule or period of review)

INPUT to the management review should include:
1) Feedback from interested parties
2) Results of independent reviews
3) Status of preventive, detective and corrective actions
4) Results of previous management reviews
5) Process performance and information security policy compliance
6) Changes that could affect the organization's approach to managing information security, including changes to the:
A. Organizational environment
B. Business circumstances
C. Resource availability
D. Contractual, regulatory, or legal conditions
E. Technical environment
7) Use of outsourcers or offshoring of IT or business functions
8) Trends related to threats and vulnerabilities
9) Reported information security incidents
10) Recommendations provided by relevant authorities

OUTPUT from the management review should include any decisions or actions related to:
a) Improvement in the alignment of information security with business objectives
b) Improvement of the organization's approach to managing information security and its processes
c) Improvement of control objectives and controls
d) Improvement in the allocation of resources and/or responsibilities
Maintain records of management reviews
Obtain management approval for the revised policies
Review performed by management to address changes in environmental factors

While reviewing the policies, the IS auditor needs to assess the following:
1) Basis on which the policy has been defined
- Generally based on a risk-management process
2) Appropriateness of policies
3) Contents of policies
4) Exceptions to the policies
- Clearly taking note of which areas the policies do not apply to and why (e.g., password policies may not apply to legacy applications/systems)
5) Policy approval process
6) Policy implementation process
7) Effectiveness of implementation of policies
8) Awareness and training
9) Periodic review and update process

PROCEDURES
Documented, defined steps for achieving policy objectives
Derived from the parent policy
Implement the spirit/intent of the policy statement
Written in a clear and concise manner, so they may be easily and properly understood by those governed by them
Document business and aligned IT processes and the embedded controls
Formulated by process owners as an effective translation of policies
Procedures: more dynamic than their respective parent policies
➔ must reflect the regular changes in IT focus and environment
Frequent reviews and updates: essential if they are to remain relevant

IS Auditor's Role
IS auditors: review procedures to identify, evaluate and test controls over IT processes
Evaluation of controls: ensures fulfillment of control objectives while making the process efficient and practicable
Where documented procedures do not match operational practices or do not exist: difficult to identify controls and ensure their operation

People Governed by Procedures
People governed by procedures: should know the procedures well
A procedure not thoroughly known by the personnel who are to use it: ineffective
Attention/focus: deployment methods and automation mechanisms of IT procedures

GUIDELINES
Used for executing procedures
Responsibility of operations
Should contain information helpful to executing procedures
Can include:
a) Clarification of policies and standards
b) Dependencies
c) Suggestions and examples
d) Narrative clarifying the procedures
e) Background information that may be useful
f) Tools that can be used
Can be useful in other circumstances, but considered here in the context of information security governance

Additional Notes:

What is Business Intelligence (BI)?
- About delivering relevant & reliable information to the right people at the right time, with the goal of achieving better decisions faster
- Requires methods & programs to collect & structure data, convert it into information, and present it to improve business decisions
- It takes the vast amount of data generated by the business and presents it in a meaningful & actionable way
- Accurate, understandable, and actionable information on demand
- Offers a significant advantage when trying to make strategic decisions
Anytime access to organized data allows:
➔ Easy discovery of inefficient business processes & hidden patterns
➔ Identifying areas of strength & weakness
➔ Discovering new opportunities
It is actually a large & complex field which includes:
- Performance management
- Analytics
- Predictive modeling
- Data & text mining, etc.

FROM A RETAIL POINT OF VIEW:
Having the power to run analytical reports on massive amounts of customer information can enable you to understand:
- How loyal customers are to your brand
- What products they buy & how frequently
- Whether they have a preference for visiting the store or buying from the online store
It also gives you the ability to:
- Understand an individual customer's or segment's needs, preferences, and habits
- Anticipate new opportunities to sell
- Deliver better service
- Provide targeted marketing campaigns
- Better understand customers based on their historical transactions & behavior, utilizing the information to increase sales or differentiate your brand by providing better/unique services
With the emergence of BI, companies no longer:
- Dig through complex webs of linked spreadsheets
- Analyze data manually and mash together reports

Data Warehouse Architecture
I. Data Warehouse: a collection of data from the various data sources of an organization (e.g., sales, inventory, marketing and systems data, and other data from third-party sources)
II. Data is then extracted into the DW Staging Area using the ETL tools; having one staging area makes it easier for the ETL tools, subsequent data processing, and data transformation
- ETL = Extract, Transform, Load
III. Transferring all the data to a DATA WAREHOUSE
- Metadata - the data about data & one of the most important aspects of the data warehouse
- It helps the data warehouse analyze, identify, and find out what data is in the warehouse & where it is actually stored (for the effective & efficient use of data)
- Summary data - form a part of the data for query purposes
- Usually loaded from ETL tools in batches
- Not real-time data in the warehouse
- Raw data
IV. PRESENTATION LAYER - using an interface to gather information from the data warehouse & present it in a way that supports further decisions
OLAP (online analytical processing) - an approach to answering multi-dimensional analytical queries from multiple perspectives
It consists of 3 analytical operations:
1. Consolidation/Roll-up
2. Drill-down
3. Slicing & dicing
Reporting - using the reports generated from the warehouse to understand how the business has been doing, how it will do in the future, and what we can do to improve the business
Data Mining - defining/discovering the patterns from the data that are stored in the data warehouse
- Helps analyze data from many different dimensions; categorize & summarize the relationships
- A process of finding correlations or patterns among the fields in a large relational database
- GOAL: to extract the information from a data set and transform it into an understandable structure for use
- The generated information can be used to cut costs and increase productivity in some regions

COBIT and ITIL
COBIT 5 and ITIL are complementary frameworks; you cannot choose one over the other
Common concerns/shared interests of COBIT & ITIL:
- Both frameworks describe a number of processes that should be established by a well-run enterprise
- In some cases, a COBIT process maps directly onto an ITIL process
COBIT - describes what should be done
ITIL - describes how to do it
ITIL:
- IT is the prime focus
- It recognizes the primacy of the business
- It emphasizes that IT exists to support the business, but the bulk of its advice relates to process matters internal to IT
COBIT:
- Has the whole enterprise as its concern (enterprise perspective)
- It also advises on IT-related issues, but it recognizes that those issues are not limited to IT professionals
- It is a whole-enterprise framework

IMPORTANT CHARACTERISTICS OF COBIT & ITIL
★ COBIT and ITIL are both frameworks
- They both provide guidance that an enterprise can draw on to devise solutions that are appropriate to its unique situation
- Neither provides an implementation blueprint or a recipe book
★ Both are based on real-world experiences
- Confidence that they will be able to provide practical advice, that they will work within their organization
- Based on experiences drawn from a wide range of enterprises
★ Both can be used by any type or size of enterprise
- Commercial, non-profit and government organizations both large & small, and enterprises operating in many different countries
★ Over the last 10 or more years, ITIL has been adopted by a large number of organizations that were seeking to improve their IT services
- It is probably fair to say that it has had much greater market penetration than COBIT
- Many (in fact most) organizations will start with ITIL
★ COBIT can drive even more improvement
- It provides a means for, and supports, auditing and evaluation of IT activities in a rigorous, objective and repeatable way
- There is no equivalent sanctioned means of evaluating ITIL service management practices
- A number of independent service management consultancies have developed assessment services, but they are proprietary & not necessarily built upon objective foundations
★ COBIT is designed to be auditable
- Processes, practices, inputs and outputs are all given unique identifiers
- Interfaces between processes are defined explicitly
★ COBIT comes with an assessment framework that includes:
- A training and certification scheme for assessors to ensure rigor and objectivity
- COBIT 5 assessments are based on capability rather than maturity
- An objective scoring mechanism

IT GOVERNANCE - ISO 38500:2008
Provides guiding principles for directors of companies on the effective, efficient, and acceptable use of Information Technology (IT)
The purpose of this International Standard is to promote effective, efficient, and acceptable use of IT in all organizations by enabling them to:
- Manage IT investments properly
- Improve the performance of the organization
- Improve project governance
- Improve the competitive position of the organization
- Minimize IT risks
- Assure greater project success rates

5 Facts on ISO 31000: Risk Management
1) Promotes a safer workplace & enhanced compliance
2) Universal set of guidelines on risk management
3) It has 3 main sections: Principles, Framework, and Process
4) These sections make up the ISO 31000 guideline
5) Use the guideline to form a risk management program

ISO 20000: The International Standard for Service Management
➔ ISO/IEC 20000 is the international ITSM (IT service management) standard. It enables IT departments to ensure that their ITSM processes are aligned with the business's needs and international best practices.
The ISO 20000 standard helps organizations benchmark how they deliver managed services, measure service levels and assess their performance. It is broadly aligned with and draws strongly on ITIL®.

ITIL and ISO 20000
★ ISO 20000 and ITIL have a close relationship.
➔ ITIL provides advice on ITSM best practices, including options adopted and adapted by organizations according to business needs, local circumstances, and the service provider's maturity.
➔ ISO 20000, meanwhile, sets the standards that service management processes should aim for. Organizations can achieve independently audited certification to the Standard to demonstrate that they are following best practices.

SHORT ASSESSMENT:

1. The following are factors which increased interest in Business Intelligence (BI):
a) Increasing size and complexity of earlier organizations
b) Legal requirements
c) Pursuit of competitive disadvantage
d) None of the above

2. Referred to as the data about data:
a) Data
b) Security data
c) Metadata
d) Entity data

3. These are developed to help enterprise leaders protect the integrity of their enterprise's information assets and deliver value to stakeholders.
a) Accounting frameworks
b) BI frameworks
c) Marketing frameworks
d) EGIT frameworks

4. Provides guidelines on and a common approach to risk management for organizations.
a) ISO 31000:2018
b) ISO/IEC 38500:2015
c) ISO/IEC 20000-1:2018
d) ISO/IEC 20000-2:2012

5. High-level statements of management intent, expectations and direction, and are considered as the "constitution" of governance.
a) Policies
b) Regulations
c) Standards
d) Rules

6. INPUT to the management review should include:
a) Process performance and information security policy compliance
b) Status of preventive, detective and corrective actions
c) Recommendations provided by relevant authorities
d) All of the above

7. Which statement regarding information security policies is most correct?
a) Reference framework by IS auditors in doing managerial assignments
b) Documented and communicated exclusively to the senior management and high-ranking officials
c) Mandatory requirement, code of practice or specification approved by a recognized external standards organization
d) Rules and/or statements developed by an organization to protect its information and related technology

8. These are documented, defined steps for achieving policy objectives that are formulated by process owners as an effective translation of policies.
a) Regulations
b) Policies
c) Procedures
d) Rules

9. An IS auditor's role which ensures fulfillment of control objectives while making the process efficient and practicable.
a) Evaluation of business objectives
b) Evaluation of controls
c) Evaluation of policies
d) Evaluation of frameworks

10. Which of the following should be included in a set of guidelines?
a) Dependencies
b) Clarification of policies and regulations
c) Background information that may be irrelevant
d) Narrative clarifying the frameworks

11. A broad field of IT that involves the collection and analysis of information to assist in decision-making and assessment of organizational performance.
a) Business Intelligence
b) Artificial Intelligence
c) Process Integration
d) Strategic Planning

12. Connects the data storage and quality layer with data stores in the data source layer.
a) Data preparation layer
b) Data mart layer
c) Data access layer
d) Data staging and quality layer

13. A diagram which outlines the major processes of the organization and the external parties with which the business interacts.
a) Activity diagrams
b) Swim-lane diagrams
c) Context diagrams
d) Entity relationship diagrams

14. As part of the recommended practices in data governance, an organization should establish a business/IT advisory team that:
a) Allows exclusive functional perspectives to be represented
b) Recommends investment priorities
c) Establishes limited organizational benefit measures
d) None of the above

15. Who developed the Control Objectives for Information and Related Technology (COBIT) to support EGIT?
a) PICPA
b) ISACA
c) OGC
d) ISO

16. Which of the following statements about strong standards is most correct?
a) Necessary in current slower-paced environments
b) Help ensure effectiveness and reliability of services and frameworks
c) Necessary to the trust and effectiveness for growth
d) Updated quarterly, to ensure/address the latest thinking & technology

17. Which of the following statements regarding the Senior Management is correct?
a) They are most accountable and responsible
b) Responsible for its discharge through the executive management and the organization and resources under his/her charge
c) Should come from varied operations and staff functions to ensure fair representation
d) Accountable to the BOD for information security governance

18. If the IT auditor finds policies that hinder the achievement of objectives, they should:
a) Identify and report these policies for improvement
b) Identify and re-write these policies accordingly
c) Take note of these policies and leave them be
d) None of the above

19. Information security policies should be reviewed:
a) For their continuing suitability, adequacy and effectiveness
b) Only as needed
c) When insignificant changes to the enterprise, operations or security-related risk occur
d) To include opportunities for improvement to standard frameworks

20. The top most layer of the Enterprise Data Flow Architecture (EDFA), where end users directly deal with information:
a) Data Source Layer
b) Metadata Repository Layer
c) Application Messaging Layer
d) Presentation/Desktop Access Layer

ANSWER KEY:
1. B
2. C
3. D
4. A
5. A
6. D
7. D
8. C
9. B
10. A
11. A
12. C
13. C
14. B
15. B
16. C
17. C
18. A
19. A
20. D

References:
ISACA. (2019). CISA review manual (27th ed.).
Benchmark ESG. (n.d.). 5 Facts on ISO 31000: Risk Management [Video]. YouTube. https://www.youtube.com/watch?v=YsLvyfd0b6s
ECC International. (2019, October 7). ISO 38500: IT governance in the Philippines. https://eccinternational.com/consulting/information-technology-excellence/it-governance-iso-385002008/#section01
Hitachi Solutions Canada. (n.d.). What is Business Intelligence (BI)? [Video]. YouTube. https://www.youtube.com/watch?v=hDJdkcdG1iA
IT Governance. (n.d.). ISO 20000 | International IT service management standard | IT governance UK. https://www.itgovernance.co.uk/iso20000
Itiltraining. (n.d.). COBIT and ITIL [Video]. YouTube. https://www.youtube.com/watch?v=crvMqsdGE1g&t=2s
Open information security management maturity model (O-ISM3). (2011, February). ComputerWeekly.com. https://www.computerweekly.com/ehandbook/Open-Information-Security-Management-Maturity-Model-O-ISM3
Takkar, V. (n.d.). 2 - Data warehouse Architecture Overview [Video]. YouTube. https://www.youtube.com/watch?v=8lHpioyvSng