- (Topic 4)
Which of the following is the MOST significant impact to an organization that does not use an IT governance framework?
Correct Answer:
B
The most significant impact to an organization that does not use an IT governance framework is inadequate alignment of IT plans and business objectives. IT governance is a framework for the governance and management of enterprise information and technology (I&T) that supports the achievement of enterprise goals. IT governance helps to ensure that IT investments and activities are aligned with the business strategy, vision, and values of the organization. It also helps to optimize the value delivered by IT, manage IT-related risks, and measure and monitor IT performance.
Without an IT governance framework, an organization may face challenges such as:
✑ Lack of clarity and direction for IT decision making
✑ Inconsistent or conflicting IT priorities and demands
✑ Inefficient or ineffective use of IT resources and capabilities
✑ Poor quality or delivery of IT services and products
✑ Increased exposure to IT-related threats and vulnerabilities
✑ Reduced customer satisfaction and trust in IT
✑ Missed opportunities for innovation and competitive advantage
Therefore, an organization that does not use an IT governance framework may fail to achieve its business objectives and may lose its competitive edge in the market.
References:
✑ COBIT 2019 Framework Introduction and Methodology, Section 1.1: What Is Governance of Enterprise I&T?
✑ IT Governance: Definitions, Frameworks and Planning, Section 1: What Is IT Governance?
- (Topic 4)
Which of the following provides the MOST useful information regarding an organization's risk appetite and tolerance?
Correct Answer:
C
The most useful information regarding an organization's risk appetite and tolerance is provided by its risk profile, a document that summarizes the key risks the organization faces, the potential impact and likelihood of each, and the acceptable level of risk exposure for its different objectives and activities. A gap analysis compares the current state and the desired state of a process or system and identifies the gaps that need to be addressed. Audit reports present the findings, conclusions, and recommendations of an audit engagement. A risk register records and tracks the identified risks, their causes, their consequences, and their mitigation actions; it documents individual risks rather than the organization's overall appetite for them. References: CISA Review Manual (Digital Version), Chapter 2: Governance and Management of IT, Section 2.1: IT Governance
- (Topic 4)
Which of the following BEST enables an organization to improve the effectiveness of its incident response team?
Correct Answer:
A
Conducting periodic testing and incorporating lessons learned is the best way to improve the effectiveness of an incident response team. Exercises allow the team to practice its response procedures, identify gaps or weaknesses in the response, and learn from mistakes in a controlled setting. They also keep the team's skills sharp and up to date. The lessons learned from these tests can then be used to improve the team's procedures and performance. While understanding information systems technology, disseminating incident response procedures, and publishing KPI metrics can all contribute to the team's effectiveness, they do not provide the same level of continuous improvement as periodic testing and learning from experience.
- (Topic 4)
An IS auditor learns a server administration team regularly applies workarounds to address repeated failures of critical data processing services. Which of the following would BEST enable the organization to resolve this issue?
Correct Answer:
A
Problem management is the best way to enable the organization to resolve the issue of repeated failures of critical data processing services, as it focuses on identifying and eliminating the root causes of incidents and preventing their recurrence. Problem management involves analyzing incidents, performing root cause analysis, finding solutions, implementing changes and documenting lessons learned. Incident management is not the best way to resolve the issue, as it focuses on restoring normal service operation as quickly as possible after an incident occurs, but does not address the underlying causes or prevent future incidents; the team's repeated workarounds are incident management without problem management. Service level management is not the best way to resolve the issue, as it focuses on defining, monitoring and reporting on the service levels agreed upon between service providers and customers, but does not address the causes of or solutions to incidents. Change management is not the best way to resolve the issue, as it focuses on ensuring that changes are implemented in a controlled and coordinated manner, but does not address the identification or elimination of the root causes of incidents.
References:
✑ Problem Management Definition
✑ Incident Management Definition
✑ Service Level Management Definition
✑ Change Management Definition
✑ IT Service Management | ISACA
- (Topic 3)
Which of the following is a corrective control?
Correct Answer:
D
A corrective control is a control that aims to restore normal operations after a disruption or incident has occurred. Executing emergency response plans is an example of a corrective control, as it helps to mitigate the impact of an incident and resume business functions. Separating equipment for development, testing and production is a preventive control, as it helps to avoid errors or unauthorized changes reaching production systems. Verifying duplicate calculations in data processing is a detective control, as it helps to identify errors or anomalies in data processing. Reviewing user access rights for segregation of duties is also a detective control, as it helps to detect violations of segregation of duties principles after they have occurred. References: ISACA, CISA Review Manual, 27th Edition, 2018, page 64