Feedback On The Self-Test - Ais 5131 Chapter 1 Part B

FEEDBACK ON THE SELF-TEST ON AIS 5131

CHAPTER 1 IT GOVERNANCE AND IT STRATEGY – PART B

1. Information security governance

a) ensures information security risk is appropriately used and enterprise information
resources are managed responsibly.
b) does not ensure achievement of objectives.
c) provides operational and tactical direction for security activities.
d) is the process of establishing and maintaining a framework and supporting
management structure and processes.

ANS: D

RATIONALE: A is incorrect because it’s the other way around. Information security
governance ensures information security risk is appropriately managed and enterprise
information resources are used responsibly. B is incorrect because information security
governance ensures achievement of objectives. C is incorrect because information
security governance provides strategic direction, not operational and tactical direction.

2. An element of an information security governance framework includes

a) a comprehensive security strategy independent with business objectives.
b) governing security policies that address each aspect of strategy, controls and
regulation.
c) an effective security organizational structure with conflicts of interest.
d) institutionalized monitoring processes to ensure compliance but do not provide
feedback on effectiveness.

ANS: B

RATIONALE: A is incorrect since the need is for a comprehensive security strategy
intrinsically linked with business objectives. C is incorrect since an effective security
organizational structure should be free of conflicts of interest. D is incorrect since
institutionalized monitoring processes are needed both to ensure compliance and to
provide feedback on effectiveness.

3. The term CIA, one of the specific drivers of Information Security Governance, refers to

a) completeness, increased productivity, accuracy
b) confidentiality, integrity, availability
c) corporate integrity agreement
d) certified internal auditor

ANS: B

4. The members of senior management who approve security policies should come from
varied operations and staff functions within the enterprise to ensure the fair
representation of the enterprise as a whole and to encourage any potential leaning
toward a specific business priority or technology overhead or security concerns.
a) True
b) False

ANS: B

RATIONALE: The statement is incorrect. The first part of the statement is correct, since
the members of senior management who approve security policies should come from
different functional units and be well represented to ensure fairness for the whole
enterprise. The second part is incorrect: drawing the members of the committee or
group that approves the security policies from various departments helps reduce, not
encourage, any leaning toward a specific priority or concern.

5. Because IT has become pervasive or widespread, in enterprises and in social, public,
and business environments, enterprises now strive to:
a) Generate business value from IT-enabled investments (i.e., achieve strategic goals
and realize business benefits through effective and innovative use of IT)
b) Maintain IT-related risk at the highest level
c) Increase the cost of IT services and technology
d) Circumvent relevant laws, regulations, contractual agreements and policies

ANS: A

RATIONALE: B is incorrect because the goal is to maintain IT-related risk at an
acceptable level. C is incorrect since the goal is to optimize the cost of IT services and
technology. D is incorrect since the goal is to comply with relevant laws, regulations,
contractual agreements and policies.

6. To achieve effective information security governance, the reach of protection efforts
should encompass only the process that generates the information, and not the
continued preservation of information generated as a result of the controlled processes.
a) True
b) False

ANS: B

RATIONALE: The statement is incorrect. The reach of protection efforts should
encompass not only the process that generates the information, but also the continued
preservation of information generated as a result of the controlled processes. Protection
should cover both the process and the information or output generated from the
process.

7. Which of the following statements about Information Systems Strategy is most
correct?
a) Before, governing boards and senior management executives could minimize their
involvement in the direction and development of IS strategy, leaving most decisions to
functional management
b) Now, this approach is still acceptable or possible even with increased or total
dependency on IS for day-to-day operations and successful growth
c) Both a and b.
d) None of the above.

ANS: A

RATIONALE: B is incorrect since this approach is no longer acceptable or possible now
that there is increased or total dependency on IS for day-to-day operations and
successful growth.

8. In developing strategic plans (which is generally five to ten years) enterprises should
ensure that the plans are fully aligned and consistent with the overall organizational
goals and objectives.
a) True
b) False

ANS: B

RATIONALE: The statement is incorrect. Strategic plans generally range from three to
five years.

9. Which of the following statements about Strategic Planning is most correct?

a) IT Department Management, the IT Steering Committee and the Strategy Committee are
involved in the development and implementation of plans.
b) Effective IS strategic planning involves a consideration of the enterprise’s
requirements for new and revised information systems and the IT organization’s capacity to
deliver new functionality through well-governed projects.
c) The existing system’s portfolio should also be reviewed in terms of functional fit, cost
and risk, in assessing IT capabilities.
d) All of the above

ANS: D

10. In Strategic Planning, IS auditors

a) can allot minimal attention to the importance of IS strategic planning, taking
management control practices into consideration
b) should focus on the need to assess how operational, tactical or business development
plans from the business are considered in IT strategy formulation, contents of strategic
plans, requirements for updating and communicating plans, and monitoring and
evaluation requirements
c) may not consider how the CIO or senior IT management is involved in the creation of
the overall business strategy because a lack of involvement of IT in the creation of the
business strategy does not pose a risk that the IT strategy and plans will not be aligned
with the business strategy
d) All of the above

ANS: B

RATIONALE: A is incorrect since IS auditors should pay full attention to the importance
of IS strategic planning, taking management control practices into consideration. C is
incorrect since IS auditors should consider how the CIO or senior IT management is
involved in the creation of the overall business strategy because a lack of involvement
of IT in the creation of the business strategy indicates that there is a risk that the IT
strategy and plans will not be aligned with the business strategy.