Which of the following are the process control objectives for the process controls embedment? Each correct answer represents a complete solution. Choose all that apply.
Correct Answer: A,C,D
Question 117
Which of the following is the amount of risk an enterprise is willing to except in pursuit of its mission?
Correct Answer: C
Section: Volume C
Question 118
Which types of project tends to have more well-understood risks?
Correct Answer: D
Question 119
Which of the following should be done FIRST when defining responsibilities for ownership of information and systems?
Correct Answer: D
The FIRST step when defining responsibilities for ownership of information and systems is to require an inventory of information assets. An information asset is any data, device, or other component of the environment that supports information-related activities1. An inventory of information assets is a comprehensive list of all the information assets that an organization owns, controls, or uses2. By creating an inventory of information assets, an organization can: * Identify the types, locations, formats, and volumes of information assets3 * Determine the value, sensitivity, and criticality of information assets4 * Assign ownership and accountability for information assets5 * Establish appropriate security controls and protection measures for information assets6 * Monitor and audit the usage and lifecycle of information assets7 The other options are not as important as option D. While it is important to require an information risk assessment, identify systems that are outsourced, and ensure information is classified, these are subsequent steps that depend on the availability and accuracy of the inventory of information assets. Without an inventory of information assets, it would be difficult to perform a risk assessment, identify outsourced systems, or classify information according to its value and sensitivity. References := * Information Asset - an overview | ScienceDirect Topics1 * Information Asset Inventory - NIST CSRC2 * How to Create an Information Asset Inventory - Infosec Resources3 * Information Asset Valuation: A Methodology - ISACA4 * Data Ownership: Considerations for Risk Management - ISACA5 * Information Asset Protection - NIST CSRC6 * Information Asset Management - NIST CSRC7
Question 120
An enterprise's chief information officer (CIO) has been receiving complaints from business executives regarding the amount their units are being charged for IT services. To maintain a good relationship with business peers, the CIO wants to be responsive to these complaints. To address this issue, the FIRST step should be to:
Correct Answer: D
The first step to address the issue of complaints from business executives regarding the amount their units are being charged for IT services should be to quantify consumption and service level agreement (SLA) achievements per business unit. This will help the CIO to understand the actual usage and performance of IT services by each business unit, as well as to justify and communicate the chargeback rates based on the value and quality of IT services delivered. Quantifying consumption and SLA achievements can also help identify and address any inefficiencies, discrepancies, or gaps in IT service delivery or chargeback methods. Agreeing to reduce charge rates and improve relationship management with the business, looking into outsourcing of support functions to drive down the cost structure, and asking the CFO about budget revisions for the business units' IT expenditures are possible steps to take after quantifying consumption and SLA achievements, but they are not the first step. Agreeing to reduce charge rates without understanding the underlying causes of the complaints may result in underfunding or underpricing of IT services, which may affect their quality and sustainability. Improving relationship management with the business is important, but it should be based on transparent and accurate information about IT service consumption and chargeback. Looking into outsourcing of support functions may reduce the cost structure, but it may also introduce new risks and challenges for IT governance and management. Asking the CFO about budget revisions may help align IT expenditures with business priorities, but it may not address the root causes of the dissatisfaction with IT chargeback. References := IT Chargeback Drives Efficiency - Uptime Institute Blog; What is IT governance? A formal way to align IT & business strategy; Chargeback vs. IT Governance - HEIT Management.
