AIS 5131 - Managing Information and Technology Past Paper PDF

Document Details

LushPipa

Uploaded by LushPipa

University of Santo Tomas

Tags

business intelligence data architecture information technology it governance

Summary

This document discusses Business Intelligence (BI), and its use in modern organizations. It also includes the elements of data architecture like the Enterprise Data Flow Architecture and different layers such as the Presentation/Desktop Access Layer, Data Source Layer, and Core Data Warehouse.

Full Transcript

AIS 5131 - MANAGING INFORMATION AND TECHNOLOGY Chapter 1: IT Governance and IT Strategy - Automation of basic high-volume - Part C activities...

AIS 5131 - MANAGING INFORMATION AND TECHNOLOGY Chapter 1: IT Governance and IT Strategy - Automation of basic high-volume - Part C activities - Enterprise resource planning (ERP) Business Intelligence (BI) system, a significant organization-wide investment, is now a commonplace Broad – field of IT that encompasses; - Investment in internet technology to Collection and analysis of information to distribute product & services and for assist; supply chain integration Decision making and assess the - Use of IT represents a new opportunity to organizational; use technology to have advantage over Performance – the one being assessed competitors - To maintain & extend a business’ Areas where BI is applied: knowledge and capital Applied to enhance a variety of business questions for measurement and analysis include: To effectively deliver BI, organizations need to design Process cost, efficiency and quality and implement a data architecture Customer satisfaction (with product & service Complete data architecture components: offering) The enterprise data flow architecture Customer profitability (including which (EDFA) attributes are useful predictors of customer A logical data architecture profitability) A business or per department structure Achievement of key performance indicators (from the staff & business achievement unit) Risk management Layers/Components of Enterprise Data Flow Architecture (EDFA) Factors which increased interest in BI: As a distinct field of study/IT activities, it would: 1) Presentation/Desktop Access Layer a) Increasing size and complexity of modern ★ THE TOP MOST LAYER organizations Where end users directly deal with information - Fundamental business questions need BI Includes desktop tools (e.g., spreadsheets), capability direct querying tools, reporting and analysis - The result is that even fundamental suites and purpose-built applications (e.g., business questions cannot be properly balance scorecards – BSCs, digital answered without establishing serious BI dashboards) capability Power users: have the ability build own queries and reports b) Legal requirements - Users that have greater access aka admin - Legislation: enforces the need of users companies to understand the “whole of Other regular/normal users: interact with business” data in predefined ways - Financial institutions: must report on all accounts/instruments of customers and 2) Data Source Layer all related transactions against those ★ THE LOWEST LAYER accounts/instruments (including any Sources of information: operational data, suspicious transaction patterns) external data and nonoperational data c) Pursuit of competitive advantage 3) Core Data Warehouse (DW) Where the all/majority data of interest to an 8) Metadata Repository Layer organization, are captured and organized for Metadata are the data about data reporting and analysis Metadata later: should be comprehensive in Normally instituted as a large relational scope database (e.g., key information of a student) - Covering data as they flow between various DW: should hold normalized data for flexibility layers which include documenting, in dealing with complex and changing transformation, and validation rules business structures Information in the metadata layer: Normalized data – a clean data with Needs to extend beyond data structure specific and standard structure names and formats to provide detail on business purpose & context 4) Data Mart Layer Can be directly sourced by software Data marts: represents subsets information operating in the other layers from the core DW, which are selected and EXAMPLES OF METADATA: organized to meet business unit or business File name line needs (e.g., multi-purpose hall) File size ➔ may be relational databases or online Creation/modification date analytical processing (OLAP) data Attributes, i.e. hidden, read-only, system structure aka data queue Owner ➔ simplified structure compared to the Permissions normalized DW 9) Warehouse Management Layer 5) Data Staging and Quality Layer For scheduling of the tasks necessary to build Data copying, transformation into DW format & maintain the DW and data mart layers and quality control Administration of security Reliable data: get loaded to the core DW 10) Application Messaging Layer Data staging and quality layer: needs to deal Transporting information between the various with problems that are periodically thrown-up layers by operational systems such as changes to Encompasses generation, storage and account number formats and reuse of old targeted communication of control messages account and customer numbers (when DW still holds up original information of the entity) 11) Internet/intranet layer Basic data communication 6) Data Access Layer Browser-based user interfaces and Connect the data storage and quality layer Transmission Control with data stores in the data source layer Protocol/Internet Protocol (TCP/IP) networking 7) Data preparation layer Assembly and preparation of data for loading Logical Data Architecture into data marts A major undertaking that would normally be Usual practice: pre-calculate the values undertaken in stages loaded into OLAP data repositories to Reason for separating logical data model increase access speed determination by business domain: different Specialist data mining: requires preparation parts of organizations often deal with different of data transaction sets, customers and products Data (feed) mining: explores large volumes data to determine patterns and trends of Data Architecture information Needs to be structured to accommodate the Important parts of the governance process needs of the organization most efficiently involve: Factors to consider include: ➔ BI initiatives to fund a) Types of transactions in which the ➔ Priorities to initiatives organization engages ➔ Measuring ROI of initiatives b) The entities that participate in these These parts are important because of the large transactions (e.g., customers, products, investment for BI infrastructure staff & communication channels) Scope: DW must be built in stages c) The dimensions important to the business Recommended practice: establish a - Dimension Hierarchies (e.g., product & business/IT advisory team that: organization hierarchy) - Allows different functional perspectives to be represented Data Warehouses (DWs) - Recommends investment priorities Storage capacity: not an issue - Establishes cross organizational benefit Goal: obtain the most granular or atomic data measures possible Final funding decisions: should rest by a Lowest level of data (attributes used for analysis technology steering committee (comprised by a purposes that can possibly be lost) vs. senior management) summarized data Data governance is important part of overall BI governance Aspects to be considered here include: Various Analysis Models used by Data Establishing standard definitions for data, Architects/Analysts business rules and metrics a) Context diagrams Identifying approved data sources Outline the major processes of the Establishing standards for data organization and the external parties with reconciliation and balancing which the business interacts b) Activity or swim-lane diagrams Deconstruct business processes Chapter 2: IT-Related Frameworks c) Entity relationship diagrams Depict data entities and how they relate Introduction on EGIT Framework ❖ Data analysis methods: important in developing Fail or succeed? Based on how they approach enterprise data model and use technology ❖ Knowledgeable business operatives (skilled EGIT frameworks: developed to help enterprise individuals) need to be involved in the process: leaders protect the integrity of their enterprise’s 1) For proper understanding of the business information assets and deliver value to purpose and context of the data stakeholders 2) For mitigating the risk of the replication of Frameworks: help organizations address suboptimal data configurations from existing business issues through governance and systems and-databases into the DW management of information and technology, by aligning high-level strategic objectives with operational objectives and direct work outcomes DATA GOVERNANCE Key to maximizing value: consider EGIT synergistically in the overall enterprise Effective data governance process: needed, to governance hierarchy. maximize the value of an organization obtained from BI initiatives EXAMPLES OF EGIT FRAMEWORK 5. ISO/IEC 38500:2015: Information technology— Governance of IT for the organization 1. Control Objectives for Information and Related Provides guiding principles for governing Technology (COBIT) bodies of organizations on the effective, Developed by ISACA to support EGIT as it; efficient and acceptable use of IT within an Provides a framework to ensure that: organization a) IT is aligned with the business b) IT enables the business and maximizes 6. ISO 3100:2018: Risk Management-Guidelines benefits Provides guidelines on and a common c) IT resources are used responsibly approach to risk management for d) IT risk is managed appropriately organizations Provides tools to assess and measure the performance of IT processes within an 7. ISO/IEC 20000 organization Specification for service management aligned with ITIL’s service management framework 2. International Organization for Standardization Two parts: (ISO)/ International Electrotechnical Commission a) ISO/IEC 20000-1:2018 - specific (IEC) 27000 Series requirements for service management It is a set of best practices that provides improvement guidance for implementing and maintaining b) ISO/IEC 20000-2:2012 - guidance and information security programs examples for the application of ISO/IEC ISO/IEC 27001: well-known standard in the 20000-1:2018 industry; provides requirements for Information Security Management System Chapter 3: IT Standards, Policies, and 3. Information Technology Infrastructure Library Procedures (ITIL®) Developed by the UK Office of Government Various definitions Commerce (OGC), in partnership with the IT Definitions to be used: according with major Service Management Forum standard bodies Detailed framework with hands-on information Policies: tools for governance; standards: tools on how to achieve successful operational for management service management of IT Procedures and guidelines: cover or influence Includes business value delivery the operations 4. The Open Information Security Management STANDARDS Maturity Model (O-ISM3) Standard: a mandatory requirement, code of Process-based ISM (Information Security practice or specification approved by a Management) maturity model or framework for recognized external standards organization security Professional standards: standards issued by Assists Information Security Heads to assess professional organizations, such as ISACA, their operating environment and to devise a PICPA and IMA, with related guidelines and plan on their security management activities, techniques that assist the professional in so they are aligned and with cost effective to implementing & complying with other standards the organization’s business objectives Strong Standards - Necessary in current fast-moving environments - Help ensure effectiveness and reliability of Role of IT Auditors in Policies products and services IT Auditors: - Necessary to the trust and effectiveness for ➔ should understand policies are part of audit growth scope - Updated as needed, to ensure/address the ➔ should test policies for compliance latest thinking & technology IS controls should flow from the enterprise’s policies POLICIES IS auditors should use policies as benchmark or Policies: high-level statements of management reference point for evaluating intent, expectations and direction performance/compliance Well-developed, High-level Policies in a Polices that hinder achievement of mature organization: can remain fairly static for objectives: must be identified and reported for extended periods improvement Example of policy statement (on access control): Other considerations by the IS Auditor: “Information resources shall be controlled in a Application of policies to third parties or manner that effectively prevents unauthorized outsourcers access.” Compliance of third parties or outsourcers Policies: considered as the “constitution” of to policies governance; aligned with strategic objectives Conflict of third parties’ or outsourcers’ Corporate policies: set the tone for the policies with the enterprise’s policies organization as a whole Lower-level policies: INFORMATION SECURITY POLICY ➔ For individual divisions and departments Information security policy: rules and/or ➔ Consistent with the corporate level statements developed by an organization to policies protect its Information and related Technology ➔ Apply to the employees and operations of the individual divisions and departments; Security policy for IT: focus at the operational level - helps guide behaviors - first step in building the security infrastructure Review of Policies for technology-driven organizations Management: review all policies periodically Policies: set what tools and procedures are Reviewed documents: have a review date needed for the organization - IS Auditors should ensure that the review Information security policies: balance the level dates should be as current as possible of control and productivity/efficiency Policies: updated to reflect new technology, Cost of control: never exceed the benefit changes in environment (regulatory compliance Organizational culture: plays an important role requirements), and significant changes in business processes in exploiting IT for efficiency Information security policy: and effectiveness in productivity or competitive ➔ Must be approved by senior management gain ➔ Documented and communicated to all Policies formulated: support achievement of employees, service providers and business business objectives and implementation of IS partners controls Information security policy: reference Broad at the higher-level and detailed framework by IS auditors in doing audit policies of the lower-level: should be aligned assignments with business objectives Adequacy and appropriateness of the security policy: also, an area of review for IS auditors Information security policy: state Information security policy: be communicated management’s commitment and set out the throughout the organization; form or method organization’s approach to managing information accessible and understandable to the intended security Information security policy: ISO/IEC 27001 (on Information Security ➔ Might be part of a general policy document Management System) and 27002 (on ➔ May be distributed to third parties and Information Security Controls): may be outsourcers; but not disclose sensitive considered a benchmark for information security organizational information policy document Employees or Third Parties Elements of a Policy Document Have access to information assets 1) Definition of information security Required to sign off to comply with the - Its overall objectives and scope and the information security policy; time hired or importance of security as an enabling contracted; on a regular basis thereafter mechanism for information sharing (e.g., annually) to account for policy changes over time 2) Statement of management intent - Reporting the goals and principles of Organizations may document information security information security in line with the business policies as a set of policies strategy/objectives Policy Concerns that are Addressed (or 3) Framework for setting control objectives and Parts/Groups of a Policy Document): controls, a) High-level information security policy – - Including the structure of risk assessment statements of confidentiality, integrity and and management availability 4) Brief explanation of the information security b) Data classification policy – describes policies, principles, standards and compliance classifications, levels of control requirements including: responsibilities of all potential users ➔ Compliance with legislative, regulatory - Confidential or restrictive information, and contractual requirements integrity impact, availability impact (high ➔ Information security education, training or low) and awareness requirements c) Acceptable use policy – comprehensive; ➔ Business continuity management includes information for all information ➔ Consequences of information security resources (hardware, software, networks, policy violations internet, etc.); describes the permissions for 5) Definition of general and specific the usage of IT resources responsibilities for information security d) End-user computing policy – describes management parameters and usage of tools by users - Including reporting information security incidents e) Access control policies – describe method for defining and granting access to users for 6) References to documentation that may various IT resources support the policy - More detailed security policies, standards, and procedures for specific information REVIEW OF INFORMATION SECURITY systems or security rules which users could POLICY comply Information security policy should be reviewed: (For its continuing suitability & adequacy, and effectiveness) At planned intervals (usually annually) or OUTPUT from management review should When significant changes to the enterprise, include any decisions or actions related to: operations or security-related risk occurs a) Improvement in the alignment of information Information security policy should have an owner security with business objectives who has approved management responsibility for b) Improvement of the organization’s approach the development, review and evaluation of the to managing information security and its policy processes The review should include assessing: c) Improvement of control objectives and control ➔ opportunities for improvement to d) Improvement in the allocation of resources organization IT security policy and/or responsibilities ➔ approach to managing information security Maintain management reviews in response to the changes to the Obtain management approval for the revised organizational environment, business policies circumstances, and legal Review performed by management to address provisions/requirements, or technical changes in environmental factors environment Maintenance of the information security While reviewing the policies, the IS Auditor policy: consider results of reviews needs to assess the following: There should be defined management review 1) Basis on which the policy has been defined procedures (including a schedule or period of - Generally based on a risk-management review) process 2) Appropriateness of policies INPUT to the management review should 3) Contents of policies include: 4) Exceptions to the policies 1) Feedback from interested parties - Clearly taking note on which areas the 2) Results of independent reviews policies do not apply and why (Password 3) Status of preventive, detective and corrective policies may not apply with Legacy actions applications/system) 4) Results of previous management reviews 5) Policy approval process 5) Process performance and information security 6) Policy implementation process policy compliance 7) Effectiveness of implementation of policies 6) Changes that could affect the organization’s 8) Awareness and training approach to managing information security, 9) Periodic review and update process including changes to the: A. Organizational Environment, PROCEDURES B. Business Circumstances, Documented, defined steps for achieving policy C. Resource Availability objectives D. Contractual, Regulatory, or Legal Derived from the parent policy Conditions Implement the spirit/intent of the policy E. Technical Environment statement 7) Use of outsourcers or offshore of IT or Written in a clear and concise manner, so they business functions may be easily and properly understood by those 8) Trends related to threats and vulnerabilities governed by them 9) Reported information security incidents Document business and aligned IT processes 10) Recommendations provided by relevant and the embedded controls authorities Formulated by process owners as an effective Additional Notes: translation of policies Procedures: more dynamic than their respective What is Business Intelligence (BI)? parent policies - About delivering relevant & reliable information ➔ must reflect the regular changes and align IT to the right people at the right time, with the focus and environment goal of achieving better decisions faster Frequent reviews and updates: essential, if they - Requires methods & programs to collect & are to be relevant structure data, convert it into information, and present it to improve business decisions IS Auditor’s Role - It provides a vast amount of data generated by IS auditors: review procedures to business and present in a meaningful & identify/evaluate and test controls over IT actionable way processes - Accurate, understandable, and actionable Evaluation of controls: ensures fulfillment information on demand of control objectives while making process - Offers a significant advantage when trying to efficient and practicable make strategic decisions Documented procedures do not match Anytime access to organized data with operational practices or do not exist: ➔ Easy discovery of inefficient business difficult to identify controls and ensure their processes & hidden patterns operations ➔ Identify areas of strength & weakness ➔ Discover new opportunities People Governed by Procedures It is actually a large & complex field which People governed by procedures: should includes: know well the procedures - Performance management Procedure not thoroughly known by the - Analytics personnel who are to use it: ineffective - Predictive modeling Attention/focus: deployment methods and - Data & test mining, etc. automation of mechanism of IT procedures ON A RETAIL POINT-OF-VIEW: Having the power to run analytical reports on massive amounts of GUIDELINES customer information which can enable you to Used for executing procedures understand: Responsibility of operations How loyal they are to your brand Should contain information helpful to executing What products they buy & how frequently procedures If they have a preference for visiting the store or Can include: buying from the online store a) Clarification of policies and standards - It also gives you the ability to understand an b) Dependencies individual customer or segment’s needs, c) Suggestions and Examples preferences, and habits d) Narrative clarifying the procedures - Anticipate new opportunities to sell e) Background information that may be useful - Deliver better service f) Tools that can be used - Provide targeted marketing campaigns - Better understanding of customers based on Can be useful in other circumstances; but their historical transactions & behavior; considered here in the context of information utilizing the information to increase sales or security governance differentiate your brand by providing better/unique services With the emergence of BI, companies no longer: Data Mining – defining/discovering the Dig through complex webs of linked patterns from the data that are stored in the spreadsheets data warehouse Analyzing data manually and mashing together - Helps analyze data from many different reports dimensions; categorize & summarize the relationships Data Warehouse Architecture - A process of finding correlation of patterns I. Data Warehouse: is a collection of data from among the fields in a large relational various data sources of an organization (e.g., database sales, inventory, marketing, and the systems - GOAL: to extract the information from a data data, and other data from third-party sources) set and transform it into an understandable structure for use II. Data is then extracted into the DW Staging Area - The generated information can be used to using the ETL tools; having one staging area cut costs, increase productivity in some makes it easier for the ETL tools, subsequent regions data processing, and data transformation - ETL = Extract Transforming Load COBIT and ITIL III. Transferring all the data to a DATA WAREHOUSE COBIT 5 and ITIL are complementary Metadata – the data about data & one of the frameworks; you cannot choose one over the most important aspects of the data warehouse other - It helps data warehouse analyze, Common concerns/Shared interests of COBIT & identify, and find out what data is in the ITIL warehouse & where it is actually stored - both frameworks describe a number of (for the effective & efficient use of data) processes that should be established by a Summary data – form a part of data for query well-run enterprise purposes - In some cases, a COBIT process maps Usually loaded from ETL tools in batches directly onto an ITIL process Not real-time data in the warehouse COBIT – describes what should be done Raw data ITIL – describes how to do it IV. PRESENTATION LAYER – using an interface to ITIL gather information from data warehouse & present I.T. is the prime focus it in a way to make further decision It recognizes the primacy of the business OLAP (online analytical processing) – an It emphasizes that IT exists to support the approach to answering the multi-dimensional business but the bulks of its advice relate to analytical queries from multiple process matters internal to IT perspectives COBIT It consists of 3 analytical operations: Has the whole enterprise as its concern 1. Consolidation/Roll-up (enterprise perspective) 2. Drill-down It also advices on IT related issues but it also 3. Slicing & dicing recognizes that those issues are not limited to IT Reporting – using the generate from the professionals warehouse to understand how the business It is a whole enterprise framework has been doing, how it will do in the future, and what we can do to improve the business IMPORTANT CHARACTERISTICS OF COBIT & ITIL ★ COBIT and ITIL are both frameworks - They both provide guidance that an - Complete 5 Assessments are based on enterprise can draw on to devise solutions capability rather than maturity that are appropriate to its unique situation - On objective scoring mechanism - Neither provides an implementation blueprint, a recipe book IT GOVERNANCE – ISO 38500:2008 Provide guiding principles for directors of ★ Both are based on real-world experiences companies on the effective, efficient, and - Confidence that they will be able to provide acceptable use of Information Technology (IT) practical advice, that they will work within their organization - Based on experiences drawn from a wide range of enterprises The purpose of this International Standard is to ★ Both can be used by any type or size of promote effective, efficient, and acceptable use enterprise of IT in all organizations by - Commercial, Non-profit, and Government Manage the IT investments properly organizations both large & small, and Improve the performance of the organization enterprises operating in many different Improve project governance countries Improve the competitive position of the organization ★ Over the last 10 or more years, ITIL has been Minimize IT risks adopted by a large of organizations that were Assure greater project success rates seeking to improve their IT services - It’s probably to say that it has had much 5 Facts on ISO 31000: Risk Management greater market penetration than COBIT 1) Promotes a safer workplace & enhanced - Many (in fact most) organizations will start compliance with ITIL 2) Universal set of guidelines on risk management ★ COBIT can drive even more improvement 3) It has 3 main sections: Principles, Framework, - It provides a means/supports auditing and and Process evaluation of IT activities in a rigorous 4) Sections make up the ISO 31000 guideline objectives and repeatable way 5) Use the guideline to form a risk management - There is no equivalent existence/sanctioned program means of evaluating ITIL service management practices ISO 20000: The International Standard for Service - A number of independent service Management management consultancies have developed ➔ ISO/IEC 20000 is the international ITSM (IT assessment services, but they are service management) standard. It enables IT proprietary & not necessarily built upon departments to ensure that their ITSM processes objective foundations are aligned with the business’s needs and ★ COBIT is designed to be auditable international best practices. - Processes, practices, inputs and outputs are The ISO 20000 standard helps organizations all given unique identifiers benchmark how they deliver managed services, - Interfaces between processes are defined measure service levels and assess their explicitly performance. It is broadly aligned with and draws ★ COBIT comes with an assessment framework strongly on ITIL®. than includes: - A training and certification scheme for ITIL and ISO 20000 assessors to ensure rigor and objectivity ★ ISO 20000 and ITIL have a close relationship. ➔ ITIL provides advice on ITSM best practices, including options adopted and adapted by organizations according to business needs, local circumstances, and the service provider’s maturity. ➔ ISO 20000, meanwhile, sets the standards that service management processes should aim for. Organizations can achieve independently audited certification to the Standard to demonstrate that they are following best practices. SHORT ASSESSMENT: 1. The following are factors which increased interest in Business Intelligence (BI)I: a) Increasing size and complexity of earlier organizations b) Legal requirements c) Pursuit of competitive disadvantage d) None of the above 2. Referred to as the data about data: a) Data b) Security data c) Metadata d) Entity data 3. These are developed to help enterprise leaders protect the integrity of their enterprise’s information assets and deliver value to stakeholders. a) Accounting frameworks b) BI frameworks c) Marketing frameworks d) EGIT frameworks 4. Provides guidelines on and a common approach to risk management for organizations. a) ISO 3100:201 b) ISO/IEC 38500:2015 c) ISO/IEC 20000-1:2018 d) ISO/IEC 20000-2:2012 5. High-level statements of management intent, expectations and direction, and are considered as the “constitution” of governance. a) Policies b) Regulations c) Standards d) Rules 6. INPUT to the management review should include: a) Process performance and information security policy compliance b) Status of preventive, detective and corrective actions c) Recommendations provided by relevant authorities d) All of the above 7. Which statement regarding information security policies is most correct? a) Reference framework by IS auditors in doing managerial assignments b) Documented and communicated exclusively to the senior management and high-rankings officials c) Mandatory requirement, code of practice or specification approved by a recognized external standards organization d) Rules and/or statements developed by an organization to protect its Information and related Technology 8. These are documented, defined steps for achieving policy objectives that are formulated by process owners as an effective translation of policies a) Regulations b) Policies c) Procedures d) Rules 9. An IS Auditor’s role which ensures fulfillment of control objectives while making process efficient and practicable a) Evaluation of business objectives b) Evaluation of controls c) Evaluation of policies d) Evaluation of frameworks 10. Which of the following should be included in a set of guidelines? a) Dependencies b) Clarification of policies and regulations c) Background information that may be irrelevant d) Narrative clarifying the frameworks 11. A broad field of IT that involves the collection and analysis of information to assist in decision-making and assessment of organizational performance. a) Business Intelligence b) Artificial Intelligence c) Process Integration d) Strategic Planning 12. Connects the data storage and quality layer with data stores in the data source layer a) Data preparation layer b) Data mart layer c) Data access layer d) Data staging and quality layer 13. A diagram which outlines the major processes of the organization and the external parties with which the business interacts a) Activity diagrams b) Swim-lane diagrams c) Context diagrams d) Entity relationship diagrams 14. As part of the recommended practices in data governance, an organization should establish a business/IT advisory team that: a) Allows exclusive functional perspectives to be represented b) Recommends investment priorities c) Establishes limited organizational benefit measures d) None of the above 15. Who developed the Control Objectives for Information and Related Technology (COBIT) to support EGIT? a) PICPA b) ISACA c) OGC d) ISO 16. Which of the following statements about strong standards is most correct? a) Necessary in current slower-paced environments b) Help ensure effectiveness and reliability of services and frameworks c) Necessary to the trust and effectiveness for growth d) Update quarterly, to ensure/address the latest thinking & technology 17. Which of the following statements regarding the Senior Management is correct? a) They are most accountable and responsible b) Responsible for its discharge through the executive management and the organization and resources under his/her charge c) Should come from varied operations and staff functions to ensure fair representation d) Accountable to the BOD for information security governance 18. If the IT Auditor finds policies that hinder the achievement of objectives, they should: a) Identify and report these policies for improvement b) Identify and re-write these policies accordingly c) Take note of these policies and leave them be d) None of the above 19. Information security policies should be reviewed: a) For its continuing suitability & adequacy, and effectiveness b) Reviewed only as needed c) When insignificant changes to the enterprise, operations or security-related risk occurs d) To include opportunities for improvement to standard frameworks 20. The top most layer of the Enterprise Data Flow Architecture (EDFA) and is where end-users directly deal with information a) Data Source Layer b) Metadata Repository Layer c) Application Messaging Layer d) Presentation/Desktop Access Layer ANSWER KEY: 1. B 6. D 11. A 16. C 2. C 7. D 12. C 17. C 3. D 8. C 13. C 18. A 4. A 9. B 14. B 19. A 5. A 10. A 15. B 20. D References: ISACA. (2019). CISA review manual (27th ed.). Benchmark ESG. (n.d.). 5 Facts on ISO 31000: Risk Management [Video]. YouTube. https://www.youtube.com/watch?v=YsLvyfd0b6s ECC International. (2019, October 7). ISO 38500: IT governance in the Philippines. https://eccinternational.com/consulting/information-technology-excellence/it-governance-iso-385002008/#secti on01 Hitachi Solutions Canada. (n.d.). What is Business Intelligence (BI)? [Video]. YouTube. https://www.youtube.com/watch?v=hDJdkcdG1iA IT Governance. (n.d.). ISO 20000 | International IT service management standard | IT governance UK. IT Governance - Governance, Risk Management and Compliance for Information Technology. https://www.itgovernance.co.uk/iso20000 Itiltraining. (n.d.). COBIT and ITIL [Video]. YouTube. https://www.youtube.com/watch?v=crvMqsdGE1g&t=2s Open information security management maturity model (O-ISM3). (2011, February). ComputerWeekly.com. https://www.computerweekly.com/ehandbook/Open-Information-Security-Management-Maturity-Model-O-ISM3 Takkar, V. (n.d.). 2 - Data warehouse Architecture Overview [Video]. YouTube. https://www.youtube.com/watch?v=8lHpioyvSng

Use Quizgecko on...
Browser
Browser