Chapter 5: CORPORATE AND IT GOVERNANCE
MULTIPLE CHOICE:
1. Interest in corporate governance has grown due to _____ scandals.
a. accounting
b. espionage
c. journalistic
d. plagiarism
ANS: A
RATIONALE: Interest in corporate governance has grown due to accounting scandals resulting in bankruptcies, multimillion-dollar fines, and/or jail sentences for senior executives at companies such as Arthur Andersen, Computer Associates, Enron, Global Crossing, Hewlett Packard, J.P. Morgan, Tesco, Tyco, and Worldcom. In addition, board members who are responsible for paying executives have been challenged as a result of several scandals.
2. Information technology (IT) _____ is a framework that ensures that information technology decisions are made while taking into account the goals and objectives of the business.
a. wiki
b. acquisition
c. protocol
d. governance
ANS: D
RATIONALE: Information technology governance is a framework that ensures that information technology decisions are made while taking into account the goals and objectives of the business. Governance includes defining the decision-making process itself, as well as defining who makes the decisions; who is held accountable for results; and how the results of decisions are communicated, measured, and monitored.
3. An organization’s _____ and board of directors are responsible for governance.
a. executives
b. customers
c. retailers
d. clients
ANS: A
RATIONALE: An organization’s executives and board of directors are responsible for governance. They carry out this duty through committees that oversee critical areas such as audits, compensation, and acquisitions.
4. According to enlightened organizations, information technology (IT) governance is the responsibility of:
a. project management.
b. IT management.
c. human resource management.
d. executive management.
ANS: D
RATIONALE: An organization’s executives and board of directors are responsible for governance. They carry out this duty through committees that oversee critical areas such as audits, compensation, and acquisitions. Enlightened organizations recognize that information technology (IT) governance is not the responsibility of IT management but of executive management, including the board of directors.
5. Which of the following is considered a primary goal of effective information technology (IT) governance?
a. Mitigating IT-related risks
b. Identifying appropriate IT opportunities
c. Ensuring smooth induction of IT in an organization
d. Complying with section 504 of the Sarbanes-Oxley Act
ANS: A
RATIONALE: The two primary goals of effective information technology (IT) governance are ensuring that an organization achieves good value from its investments in IT and mitigating IT-related risks. Achieving good value from IT investments requires a close alignment between business objectives and IT initiatives. Mitigating IT-related risks means embedding accountability and internal controls in the organization.
6. Identify the type of portfolio management in which a manager weighs the rate of return and balances it against the risks associated with each investment.
a. Human resource portfolio management
b. Sourcing portfolio management
c. Finance portfolio management
d. Marketing portfolio management
ANS: C
RATIONALE: Information technology governance is similar to financial portfolio management, in which a manager weighs the rate of return and balances it against the risks associated with each investment. The manager then makes choices to achieve a good rate of return at an acceptable level of risk.
7. Which of the following is true of mitigating information technology (IT)-related risks?
a. It delivers an organization’s strategic goals
b. It aligns the business goals and objectives with IT project goals and objectives
c. It achieves results with a high degree of predictability
d. It embeds accountability and internal controls in an organization
ANS: D
RATIONALE: Mitigating information technology (IT)-related risks means embedding accountability and internal controls in the organization. Value and risk are the two main goals of IT governance.
8. Which of the following is an example of an organization’s strategic goal?
a. Increased costs
b. Increased market share
c. Increased time to market
d. Decreased revenues
ANS: B
RATIONALE: Only information technology projects that are consistent with the business strategy and that support business goals and objectives should be considered for staffing and funding. Such projects will deliver the organization’s strategic goals, whether they are increased revenues, decreased costs, improved customer service, increased market share, or decreased time to market.
9. Which of the following is essential to allow information technology projects to be aligned with business goals?
a. The projects must deliver expected business results on time and within budget.
b. The projects must embed accountability and internal controls in an organization.
c. The projects must be delayed to achieve the required quality.
d. The projects must go beyond the budget to maintain the quality.
ANS: A
RATIONALE: For information technology projects to be aligned with business goals and properly staffed, funded, and executed, the projects must deliver expected business results on time and within budget. This process involves applying good project management principles to ensure that work is done efficiently and that results can be achieved with a high degree of predictability.
10. Which of the following is an intent of the Bank Secrecy Act?
a. To create international standards that strengthen global capital and liquidity rules with the goal of promoting a more resilient banking sector
b. To strengthen computer and network security within the U.S. federal government and affiliated parties by mandating yearly audits
c. To detect and prevent money laundering by requiring financial institutions to report certain transactions to government agencies
d. To protect against identity theft by imposing disclosure requirements for businesses and government agencies that experience security breaches that might put the personal information of California residents at risk
ANS: C
RATIONALE: The intention of the Bank Secrecy Act is to detect and prevent money laundering by requiring financial institutions to report certain transactions to government agencies. The act also keeps clients from being told that such reports were filed about them.
11. Which of the following acts creates international standards that strengthen global capital and liquidity rules?
a. Foreign Corrupt Practices Act
b. Gramm-Leach-Bliley Act
c. California Senate Bill 1386
d. Basel II Accord
ANS: D
RATIONALE: The Basel II Accord creates international standards that strengthen global capital and liquidity rules. Its goal is to promote a more resilient banking sector.
12. Which of the following protects against identity theft of California residents?
a. California Secrecy Act
b. California Senate Bill 1386
c. California Union Data Protection Directive
d. California Information Security Management Act
ANS: B
RATIONALE: California Senate Bill 1386 protects against identity theft by imposing disclosure requirements on businesses and government agencies that experience security breaches that might put the personal information of California residents at risk. It was the first of many state laws aimed at protecting consumers from identity theft.
13. Identify the purpose of the Foreign Corrupt Practices Act.
a. To govern the collection, use, and disclosure of personally identifiable information in the course of commercial transactions
b. To protect cardholder data and ensure that merchants and service providers maintain strict information security standards
c. To prevent certain classes of persons and entities from making payments to foreign government officials
d. To create international standards that strengthen global capital and liquidity rules with the goal of promoting a more resilient banking sector
ANS: C
RATIONALE: The intent of the Foreign Corrupt Practices Act is to prevent certain classes of persons and entities from making payments to foreign government officials. This is done in an attempt to obtain or retain business.
14. Which act identifies the U.S. taxpayers who hold financial assets in non-U.S. financial institutions and offshore accounts?
a. Foreign Account Tax Compliance Act
b. Foreign Corrupt Practices Act
c. U.S. Senate Bill Act
d. Basel II Tax Accord
ANS: A
RATIONALE: The Foreign Account Tax Compliance Act identifies U.S. taxpayers who hold financial assets in non-U.S. financial institutions and offshore accounts. This is done so that those taxpayers cannot avoid their U.S. tax obligations.
15. Which act strengthens computer and network security within the U.S. federal government?
a. Federal Union Data Protection Act
b. Federal Information Security Management Act
c. Federal Corrupt Practices Act
d. Federal-Bliley Act
ANS: B
RATIONALE: The Federal Information Security Management Act strengthens computer and network security within the U.S. federal government and affiliated parties (such as government contractors). This is done by mandating yearly audits.
16. Which of the following is true of the European Union Data Protection Directive?
a. It strengthens computer and network security within the European federal government and affiliated parties (such as government contractors) by mandating yearly audits.
b. It protects the privacy of European Union citizens’ personal information by placing limitations on sending such data outside of the European Union to areas that are deemed to have less than adequate standards for data security.
c. It identifies European taxpayers who hold financial assets in non-European financial institutions and offshore accounts so that they cannot avoid their tax obligations.
d. It protects against identity theft by imposing disclosure requirements for businesses and government agencies that experience security breaches that might put the personal information of European residents at risk.
ANS: B
RATIONALE: The European Union Data Protection Directive protects the privacy of European Union citizens’ personal information. It does so by placing limitations on sending such data outside of the European Union to areas that are deemed to have less than adequate standards for data security.
17. Which of the following is true of the Personal Information Protection and Electronic Documents Act (Canada)?
a. It governs the collection, use, and disclosure of personally identifiable information in the course of commercial transactions.
b. It protects against identity theft by imposing disclosure requirements for businesses and government agencies that experience security breaches.
c. It protects cardholder data and ensures that merchants and service providers maintain strict information security standards.
d. It strengthens computer and network security by mandating yearly audits.
ANS: A
RATIONALE: The Personal Information Protection and Electronic Documents Act (Canada) governs the collection, use, and disclosure of personally identifiable information in the course of commercial transactions. It was created in response to European Union data protection directives.
18. Identify the objective of the Gramm-Leach-Bliley Act.
a. To identify the U.S. taxpayers who hold financial assets in non-U.S. financial institutions and ensure that they agree to the U.S. tax obligations
b. To protect cardholder data and ensure that merchants and service providers maintain strict information security standards
c. To protect the privacy and security of individually identifiable financial information collected and processed by financial institutions
d. To prevent certain classes of persons and entities from making payments to foreign government officials in an attempt to obtain or retain business
ANS: C
RATIONALE: The intent of the Gramm-Leach-Bliley Act is to protect the privacy and security of individually identifiable financial information collected and processed by financial institutions.
19. Which of the following is a process established by an organization’s board of directors to provide reasonable assurance for the effectiveness and efficiency of operations?
a. Service transition
b. Internal control
c. Knowledge management
d. Proactive analysis
ANS: B
RATIONALE: Internal control is the process established by an organization’s board of directors, managers, and information technology systems to provide reasonable assurance for the effectiveness and efficiency of operations, the reliability of financial reporting, and compliance with applicable laws and regulations. A fundamental concept of good internal controls is the careful separation of duties associated with a key process so that the duties must be performed by more than one person.
20. _____ is essential for any process that involves the handling of financial transactions so that fraud requires the collusion of two or more parties.
a. Separation of duties
b. Separation of process
c. Separation of hierarchy
d. Separation of analysis
ANS: A
RATIONALE: A fundamental concept of good internal controls is the careful separation of duties associated with a key process so that the duties must be performed by more than one person. Separation of duties is essential for any process that involves the handling of financial transactions so that fraud requires the collusion of two or more parties.
21. Which of the following is true of internal control?
a. It renews the health insurance of the taxpayers.
b. It checks bank statements of the citizens for accuracy.
c. It verifies the taxpayers of a country for their income.
d. It protects an organization’s resources.
ANS: D
RATIONALE: Internal control is the process established by an organization’s board of directors, managers, and information technology systems to provide reasonable assurance for the effectiveness and efficiency of operations, the reliability of financial reporting, and compliance with applicable laws and regulations. It plays a key role in preventing and detecting fraud and protecting an organization’s resources.
22. Which of the following is a goal of effective information technology (IT) governance?
a. Resource management
b. Risk management
c. Operations alignment
d. Strategic alignment
ANS: B
RATIONALE: Information technology (IT) value delivery and risk management are the goals of effective IT governance. Strategic alignment and IT resource management are the methods for achieving these goals.
23. Which of the following is a method used to achieve the goals of information technology (IT) governance?
a. Strategic alignment
b. IT value delivery
c. Risk management
d. Operations management
ANS: A
RATIONALE: Information technology (IT) value delivery and risk management are the goals of effective IT governance. Strategic alignment and IT resource management are the methods for achieving these goals.
24. Identify the process that helps successful managers achieve high value from their investments in information technology (IT).
a. IT governance
b. IT collaboration
c. Corporate collaboration
d. Collaborative governance
ANS: A
RATIONALE: Successful managers seek opportunities to deliver the potential benefits promised by IT. Thus, successful managers need a process that can help them achieve high value from their investments in information technology (IT), manage associated risks, and deliver IT-related solutions that comply with increasing regulatory compliance demands. IT governance is just such a process.
25. Which of the following factors influences information technology (IT) related initiatives?
a. A company’s internal control system
b. A company’s balance sheet
c. Career growth of employees
d. The values of IT stakeholders
ANS: D
RATIONALE: Information technology (IT) related initiatives are seldom simple and straightforward. They are influenced by many factors: the vision, mission, and values of the organization; community and organizational ethics and values; a myriad of laws, regulations, and policies; industry guidelines and practices; changing business needs; and the values of the IT stakeholders and company owners.
26. Which of the following is true of the Committee of Sponsoring Organizations (COSO) 2013 framework?
a. It provides best practice recommendations on information security management for use by those responsible for initiating, implementing, or maintaining information security management systems.
b. It provides guidance on enterprise risk management, internal control, and fraud deterrence.
c. It provides a proven and practical framework for planning and delivering information technology-related services.
d. It provides a catalog of security and privacy controls for federal information systems and organizations and a process for selecting controls to protect organizational operations.
ANS: B
RATIONALE: The Committee of Sponsoring Organizations (COSO) 2013 framework provides guidance on enterprise risk management, internal control, and fraud deterrence. It is designed to improve organizational performance and governance and reduce the extent of fraud in organizations.
27. _____ is a set of guidelines whose goal is to align information technology resources and processes with business objectives, quality standards, monetary controls, and security needs.
a. International Standards Organization (ISO) 27002
b. Control Objectives for Information and Related Technology (COBIT)
c. Committee of Sponsoring Organizations (COSO) 2013
d. Information Technology Infrastructure Library (ITIL)
ANS: B
RATIONALE: Control Objectives for Information and Related Technology (COBIT) is a set of guidelines whose goal is to align information technology resources and processes with business objectives, quality standards, monetary controls, and security needs. It provides a framework for information technology management and governance consisting of process descriptions, control objectives, management guidelines, and models to assess maturity and capability for each process.
28. Which of the following provides a framework for information technology (IT) management and governance consisting of process descriptions, management guidelines, and models to assess maturity and capability for each process?
a. Committee of Sponsoring Organizations (COSO) 2013
b. Information Technology Infrastructure Library (ITIL)
c. Control Objectives for Information and Related Technology (COBIT)
d. International Standards Organization (ISO) 27002
ANS: C
RATIONALE: Control Objectives for Information and Related Technology (COBIT) provides a framework for information technology management and governance consisting of process descriptions, control objectives, management guidelines, and models to assess maturity and capability for each process. It is a set of guidelines whose goal is to align information technology resources and processes with business objectives, quality standards, monetary controls, and security needs.
29. Which of the following is an overview of the International Standards Organization (ISO) framework?
a. It provides guidance on enterprise risk management, internal control, and fraud deterrence.
b. It provides best practice recommendations on information security management for use by those responsible for initiating, implementing, or maintaining information security management systems.
c. It provides a proven and practical framework for planning and delivering information technology services.
d. It provides a catalog of security and privacy controls for federal information systems and organizations and a process for selecting controls to protect organizational operations.
ANS: B
RATIONALE: The International Standards Organization (ISO) framework provides best practice recommendations on information security management. It was developed for use by those responsible for initiating, implementing, or maintaining information security management systems.
30. Which of the following frameworks provides information technology (IT) services based on a synthesis of the best ideas from international practitioners?
a. IT Infrastructure Library (ITIL)
b. Committee of Sponsoring Organizations (COSO) 2013
c. Control Objectives for Information and Related Technology (COBIT)
d. International Standards Organization (ISO) 27002
ANS: A
RATIONALE: Information Technology Infrastructure Library (ITIL) provides a proven and practical framework for planning and delivering IT services based on a synthesis of the best ideas from international practitioners. It also provides best practices and criteria for effective IT services such as help desk, network security, and IT operations.
31. _____ advocates that information technology services be aligned with the objectives of the business and support the core business processes.
a. The Human Resources Act
b. The finance directory
c. The Control Objectives for Information and Related Technology (COBIT)
d. The Information Technology Infrastructure Library (ITIL)
ANS: D
RATIONALE: Information Technology Infrastructure Library (ITIL) provides best practices and criteria for effective IT services such as help desk, network security, and IT operations. ITIL advocates that IT services be aligned with the objectives of the business and support the core business processes.
32. _____ is a useful tool to improve the quality and measurability of information technology (IT) governance or to implement a system for improved regulatory compliance.
a. Control Objectives for Information and Related Technology (COBIT)
b. Information Technology Infrastructure Library (ITIL)
c. Committee of Sponsoring Organizations (COSO)
d. International Standards Organization (ISO)
ANS: A
RATIONALE: Control Objectives for Information and Related Technology (COBIT) provides guidelines for 37 processes that span a wide range of information technology (IT)-related activities. COBIT is a useful tool to improve the quality and measurability of IT governance or to implement a control system for improved regulatory compliance.
33. Which phase of the Information Technology Infrastructure Library (ITIL) involves understanding the service offerings required to meet the needs of the IT customers?
a. Service design
b. Service operation
c. Service strategy
d. Service transition
ANS: C
RATIONALE: Service strategy involves understanding who the information technology (IT) customers are and the service offerings required to meet their needs. It also analyzes the IT capabilities and resources required to develop and successfully execute these offerings.
34. Which of the following best describes the service transition phase of the Information Technology Infrastructure Library (ITIL)?
a. It involves understanding who the IT customers are, the service offerings required to meet their needs, and the IT capabilities and resources required to develop and successfully execute these offerings.
b. It involves following the design to build, test, and move into production the services that will meet customer expectations.
c. It ensures that the new and/or changed services are designed effectively to meet customer expectations.
d. It provides a means for an IT organization to measure and improve the service levels, the technology, and the efficiency and effectiveness of processes used in the overall management of services.
ANS: B
RATIONALE: Service transition involves following the design to build, test, and move into production the services that will meet customer expectations. It is the phase that follows the service design phase.
35. _____ ensures that the new and/or changed services are modeled effectively to meet customer expectations.
a. Service design
b. Service operation
c. Service transition
d. Service strategy
ANS: A
RATIONALE: Service design ensures that the new and/or changed services are designed effectively to meet customer expectations. The designed service is then built, tested, and moved into production in the service transition phase.
36. Spivy Tech, a software firm, has decided to change one of its services to effectively meet its customer expectations. In the context of Information Technology Infrastructure Library (ITIL), identify the phase of the service life cycle that ensures that the changed services are designed effectively to meet customer expectations.
a. Service design
b. Service operation
c. Service strategy
d. Service transition
ANS: A
RATIONALE: Service design ensures that the new and/or changed services are designed effectively to meet customer expectations. The designed service is then built, tested, and moved into production in the service transition phase.
37. In the context of Information Technology Infrastructure Library, _____ delivers information technology (IT) services on an ongoing basis while monitoring the overall quality of the service.
a. service design
b. service transition
c. service strategy
d. service operation
ANS: D
RATIONALE: Service operation delivers information technology services on an ongoing basis while monitoring the overall quality of the service. The services delivered are those built in the service transition phase.
38. In the context of Information Technology Infrastructure Library, _____ provides a means for an information technology (IT) organization to measure and improve the service levels.
a. continual transition improvement
b. continual process improvement
c. service strategy
d. service operation
ANS: B
RATIONALE: Continual process improvement provides a means for an information technology organization to measure and improve the service levels and the technology. It also improves the efficiency and effectiveness of the processes used in the overall management of services.
39. In the Plan-Do-Check-Act (PDCA) model, identify the step that requires the improvement team to identify its target improvement area.
a. The Do step
b. The Check step
c. The Plan step
d. The Act step
ANS: C
RATIONALE: The Plan step requires the improvement team to identify its target improvement area, analyze how things work currently, and identify opportunities for improvement. This step is followed by a Do step that implements the change decided in the Plan step.
40. Patrick, a senior manager, has decided to promote one of his team members as an associate mentor based on her skill and hard work. Which stage in the Plan-Do-Check-Act (PDCA) model corresponds to this scenario?
a. The Do step
b. The Check step
c. The Plan step
d. The Act step
ANS: A
RATIONALE: In the Do step, the change decided in the Plan step is implemented, often on a pilot or limited basis to assess the potential impact of the proposed change(s). This step is followed by a Check step that measures the results of change.
41. Benchmarking the current process using the Control Objectives for Information and Related Technology (COBIT) framework is done in the _____ step of the Plan-Do-Check-Act model.
a. Plan
b. Do
c. Check
d. Act
ANS: A
RATIONALE: Choosing a specific information technology process to improve, setting goals for the chosen processes, benchmarking the current process using the Control Objectives for Information and Related Technology (COBIT) framework, analyzing the current process, identifying gaps between actual and ideal processes, and developing improvement ideas using best practices from COBIT are activities done in the Plan step of the Plan-Do-Check-Act model. The Plan step requires the improvement team to identify its target improvement area, analyze how things work currently, and identify opportunities for improvement.
42. In the _____ step of the Plan-Do-Check-Act model, the results of a change are measured.
a. Do
b. Check
c. Plan
d. Act
ANS: B
RATIONALE: In the Check step, the results of a change are measured. This step is followed by an Act step, where an improvement team considers whether it is worth continuing the process with the recently implemented change.
43. Gink Corporation, a multinational company, has several branches throughout the world. They have recently installed a new security mechanism in their California branch. However, they are not happy with the profit earned by that particular branch. If the results in the upcoming months are not fruitful, they might consider shutting down its operations to avoid loss of revenue. Which stage in the Plan-Do-Check-Act (PDCA) model corresponds to this scenario?
a. The Do step
b. The Check step
c. The Plan step
d. The Act step
ANS: D
RATIONALE: In the Act step, the improvement team considers whether it is worth continuing a process with a recently implemented change. If the change is too complicated for people to follow or if it led to insignificant improvements, then the change may be aborted. At this point the team would go back to the Do step and start over. Thus, the completion of one cycle of improvement flows into the beginning of the next cycle.
44. A _____ defines the people and procedures required to ensure timely and orderly resumption of an organization’s essential, time-sensitive processes with minimal interruption.
a. business initiation plan
b. business valuation plan
c. business continuity plan
d. business improvement plan
ANS: C
RATIONALE: A business continuity plan defines the people and procedures required to ensure timely and orderly resumption of an organization’s essential, time-sensitive processes with minimal interruption. Having a business continuity plan in place before the business interruption occurs is critical.
45. Which of the following specifies requirements to plan, establish, implement, operate, monitor, review, maintain, and continually improve a documented management system?
a. The International Standards Organization standard ISO 22301:2012
b. The International Standards Organization standard ISO 22313:2012
c. The International Standards Organization standard ISO 22320:2011
d. The International Standards Organization standard ISO 22323:2010
ANS: A
RATIONALE: The International Standards Organization standard ISO 22301:2012 (“Societal Security–Business Continuity Management Systems–Requirements”) specifies requirements to plan, establish, implement, operate, monitor, review, maintain, and continually improve a documented management system to prepare for, respond to, and recover from disruptive events when they arise. The standard is applicable to organizations in all industries, profit and nonprofit, and of all sizes.
46. Which of the following is the effort made by an ordinarily prudent party to avoid harm to another party?
a. Business stake
b. Due diligence
c. Outsourcing
d. Internal control
ANS: B
RATIONALE: Due diligence is the effort made by an ordinarily prudent or reasonable party to avoid harm to another party. Failure to make this effort may be considered negligence.
47. Which of the following is considered a part of due diligence?
a. The scope of the Plan-Do-Check-Act (PDCA) model
b. Metrics and best practices of information technology (IT) related processes
c. A written and tested business continuity plan
d. Information security management
ANS: C
RATIONALE: Being able to show a written, tested business continuity plan is considered part of due diligence. Indeed, many laws and regulations specify requirements for business continuity planning. The requirements vary by country and by industry.
48. The scope of a full _____ addresses the health and safety of all workers.
a. business initiation plan
b. business valuation plan
c. business improvement plan
d. business continuity plan
ANS: D
RATIONALE: The scope of a full business continuity plan addresses the health and safety of all workers. It minimizes financial loss, including damages to facilities, critical data, records, finished products, and raw materials; minimizes the interruption to critical business processes; and provides for effective communications to customers, business partners, and shareholders.
49. Identify the disaster recovery planning step that covers contracts and payroll information.
a. Identify vital records and data
b. Define resources and actions to recover
c. Define emergency procedures
d. Conduct a business impact analysis
ANS: A
RATIONALE: Every company has key electronic records and hard copy data that are essential to manage and control the cash flow and other tangible assets of the organization. These records include customer data, contracts, current order information, accounts payable data, accounts receivable data, inventory records, and payroll information. Companies must identify vital records and data and then determine where and how they are being stored and backed up.
50. Which of the following is a recommended approach for data backup?
a. Allow employees to take copies of vital data home at the end of the work day.
b. Store the data in a building adjacent to the company.
c. Store all the data in an external disk and place it in the server room.
d. Use online databases to update and back up the data.
ANS: D
RATIONALE: The recommended and widely implemented approach for data backup is to use online databases to update the data; as online databases are updated, companies can have these changes mirrored on a backup database hundreds of miles away. This approach is expensive, but it provides rapid access to current data in the event of a disaster.
51. Which of the following is an inexpensive yet safe way to back up vital data?
a. Allow employees to take backup copies of vital data home at the end of the work day.
b. Copy online databases to magnetic storage devices and ship them off-site.
c. Store the backup data in a building located near the company.
d. Use online databases to update and back up the data.
ANS: B
RATIONALE: An inexpensive yet safe approach to back up vital data is to copy online databases every night to high-volume, inexpensive magnetic storage devices and ship them off-site to a data storage facility in another state. This low-cost solution minimizes the potential for losing more than one day of data.
52. The time within which a business function must be recovered before an organization suffers serious damage is known as the:
a. critical time objective.
b. business recovery time.
c. recovery time objective.
d. attrition recovery time.
ANS: C
RATIONALE: The time within which a business function must be recovered before an organization suffers serious damage is called the recovery time objective. Based on this data, each business function can be placed in the appropriate category.
53. Which of the following best describes the “AA” priority business function of a firm?
a. This business function is extremely critical to the operation of the firm and cannot be unavailable for more than a few minutes without causing severe problems.
b. This business function is critical to the operation of the firm and cannot be unavailable for more than a few hours without causing severe problems.
c. This business function, while significant, can be unavailable for up to a few days without causing severe problems.
d. This business function can be unavailable for several days in times of a major disaster without causing major problems.
ANS: B
RATIONALE: The “AA” business function is critical to the operation of a firm and cannot be unavailable for more than a few hours without causing severe problems. Accounts receivable and accounts payable can be examples of this business function.
54. Payroll is an example of a:
a. “A” priority business function.
b. “AAA” priority business function.
c. “AA” priority business function.
d. “B” priority business function.
ANS: A
RATIONALE: The payroll business function, while significant, can be unavailable for up to a few days without causing severe problems. Thus, it belongs to the “A” priority business function category.
55. Ernsyl, an e-publishing firm, consists of 500 employees. However, the HR manager feels that they need to double their employee strength in the upcoming year to meet the needs of the future projects that are in the pipeline. In the context of business functions, this scenario is an example of a:
a. “A” priority business function.
b. “AAA” priority business function.
c. “AA” priority business function.
d. “B” priority business function.
ANS: D
RATIONALE: Employee recruiting is a business function that can be unavailable for several days in times of a major disaster without causing major problems. Thus, it belongs to the “B” priority business function category.
56. Which of the following best describes the “AAA” priority business function of a firm?
a. This business function, while significant, can be unavailable for up to a few days without causing severe problems.
b. This business function is critical to the operation of the firm and cannot be unavailable for more than a few hours without causing severe problems.
c. This business function is extremely critical to the operation of the firm and cannot be unavailable for more than a few minutes without causing severe problems.
d. This business function can be unavailable for several days in times of a major disaster without causing major problems.
ANS: C
RATIONALE: The “AAA” business function is extremely critical to the operation of a firm and cannot be unavailable for more than a few minutes without causing severe problems. Order processing is an example of this business function.
57. _____ is the replication and hosting of physical or virtual servers and other necessary hardware and software by a third-party service provider to deliver information technology services in the event of a disaster.
a. Disaster recovery as a service (DRaaS)
b. Disaster recovery as an event (DRaaE)
c. Disaster recovery as a platform (DRaaPL)
d. Disaster recovery as a solution (DRaaSL)
ANS: A
RATIONALE: Disaster recovery as a service (DRaaS) is the replication and hosting of physical or virtual servers and other necessary hardware and software by a third-party service provider to deliver information technology services in the event of a disaster. Many small-to-midsized organizations implement a DRaaS strategy to avoid the costs and effort associated with building and maintaining their own off-site disaster recovery (DR) environment.
58. _____ defines the steps to be taken during a disaster and immediately following it.
a. Business impact analyses
b. Emergency procedures
c. Recovery time objective
d. Due diligences
ANS: B
RATIONALE: Emergency procedures define the steps to be taken during a disaster and immediately following it. A little planning and practice of such procedures can minimize loss of life and injuries as well as reduce the impact on a business and its operations.
59. Which of the following disaster recovery teams provides direction and command during a disaster?
a. The emergency response group
b. The business continuity group
c. The control group
d. The business recovery group
ANS: C
RATIONALE: The control group provides direction and control during a disaster and operates from a secure emergency operations center equipped with emergency communications gear. The group gathers and analyzes data needed to make decisions and direct the work of the emergency response team and business recovery team.
60. Which of the following best describes the role of a control group in the disaster recovery team?
a. It helps save lives and contain the impact of the disaster.
b. It assesses the extent of the damage and decides if or when it may be safe to reenter the affected work area.
c. It recommends whether the disaster recovery plan needs to be put into effect or not.
d. It gathers and analyzes the data needed to make decisions and direct the work of the emergency response team and business recovery team.
ANS: D
RATIONALE: The control group provides direction and control during a disaster and operates from a secure emergency operations center equipped with emergency communications gear. The group gathers and analyzes data needed to make decisions and direct the work of the emergency response team and business recovery team.
61. Which of the following best describes the role of an emergency response team in the disaster recovery team?
a. They help save lives and contain the impact of the disaster.
b. They assess the extent of the damage and decide if or when it may be safe to reenter the affected work area.
c. They recommend whether the disaster recovery plan needs to be put into effect or not.
d. They gather and analyze the data needed to make decisions and direct the work of the emergency response team and business recovery team.
ANS: A
RATIONALE: For most organizations, the emergency response team includes members of the fire department, police department, and other first responders. Some large organizations have their own emergency firefighting department. Their role is to help save lives and contain the impact of the disaster.
62. The _____ team in most organizations includes members of the fire department, police department, and other first responders.
a. emergency response
b. control
c. business recovery
d. business continuity
ANS: A
RATIONALE: The emergency response team in most organizations includes members of the fire department, police department, and other first responders. The members of this team should be carefully selected based on their areas of expertise, experience, and ability to function well under extreme pressure.
63. Which group in the disaster recovery team decides when employees can reenter the affected work area after a disaster?
a. The emergency response group
b. The control group
c. The business recovery group
d. The business continuity group
ANS: C
RATIONALE: The business recovery group includes employees and nonemployee specialists who assess the situation once it is safe to do so. They assess the extent of the damage and decide if or when it may be safe to reenter the affected work area.
64. An earthquake relief team has arrived at an affected area of a company to assess the extent of damage. They recommend the immediate implementation of the disaster recovery plan as they feel that the impact of the earthquake was very high. In the context of disaster recovery teams, the earthquake relief team is an example of a(n) _____.
a. emergency response group
b. business recovery group
c. control group
d. business continuity group
ANS: B
RATIONALE: The business recovery group includes employees and nonemployee specialists who assess the situation once it is safe to do so. They assess the extent of the damage and decide if or when it may be safe to reenter the affected work area. They recommend whether the disaster recovery plan needs to be put into effect, depending on the impact of the disaster or incident.
65. Who receives additional training in crowd control to help workers evacuate from a work area?
a. Manager
b. Supervisor
c. Administrative officer
d. Floor warden
ANS: D
RATIONALE: It is a good practice to identify “floor wardens” who are responsible for evacuating a given floor or work area. These floor wardens receive additional training in crowd control, first aid, CPR, operation of defibrillators, and helping handicapped workers evacuate.
TRUE/FALSE:
1. The rise in the popularity of corporate governance is due to plagiarism scandals.
ANS: False
RATIONALE: Interest in corporate governance has grown due to accounting scandals resulting in bankruptcies, multimillion-dollar fines, and/or jail sentences.
2. Only information technology projects that are consistent with the business strategy and that support business goals and objectives should be considered for staffing and funding.
ANS: True
RATIONALE: Only information technology projects that are consistent with the business strategy and that support business goals and objectives should be considered for staffing and funding. Such projects will deliver an organization’s strategic goals, whether they are increased revenues, decreased costs, improved customer service, increased market share, or decreased time to market.
3. The objective of the Foreign Account Tax Compliance Act is to prevent certain classes of persons and entities from making payments to foreign government officials.
ANS: False
RATIONALE: The objective of the Foreign Account Tax Compliance Act is to identify U.S. taxpayers who hold financial assets in non-U.S. financial institutions and offshore accounts so that they cannot avoid their U.S. tax obligations.
4. The USA PATRIOT Act protects the interests of investors and consumers by requiring that the annual reports of public companies include an evaluation of the effectiveness of internal control over financial reporting.
ANS: False
RATIONALE: The USA PATRIOT Act is designed to combat the financing of terrorism through money laundering and other financial crimes.
5. Performance measurement is the process by which an organization achieves its information technology governance goals.
ANS: False
RATIONALE: Performance measurement is the means by which management tracks how well its information technology governance efforts are succeeding.
6. Information technology-related initiatives are simple and straightforward.
ANS: False
RATIONALE: Information technology (IT)-related initiatives are seldom simple and straightforward. They are influenced by many factors: the vision, mission, and values of the organization; community and organizational ethics and values; a myriad of laws, regulations, and policies; industry guidelines and practices; changing business needs; and the values of the IT stakeholders and company owners.
7. The information technology infrastructure library (ITIL) is used to standardize, integrate, and manage information technology (IT) service delivery.
ANS: True
RATIONALE: The IT Infrastructure Library (ITIL) is a set of guidelines initially formulated by the U.K. government in the late 1980s and widely used today to standardize, integrate, and manage IT service delivery. ITIL provides a proven and practical framework to plan and deliver IT operational services based on a synthesis of the best ideas from international practitioners.
8. A business continuity plan is to be implemented after the occurrence of an interruption in a service.
ANS: False
RATIONALE: Having a business continuity plan in place before a business interruption occurs is critical; otherwise, an organization may not be able to respond quickly enough to prevent service interruption.
9. The International Standards Organization standard ISO 22301:2012 is applicable only to nonprofit organizations.
ANS: False
RATIONALE: The International Standards Organization standard ISO 22301:2012 (“Societal Security–Business Continuity Management Systems–Requirements”) specifies requirements to plan, establish, implement, operate, monitor, review, maintain, and continually improve a documented management system to prepare for, respond to, and recover from disruptive events when they arise. The standard is applicable to organizations in all industries, profit and nonprofit, and of all sizes.
10. The disaster recovery plan must be tested in advance to ensure that it is effective and that people can execute it.
ANS: True
RATIONALE: The disaster recovery plan must be tested to ensure that it is effective and that people can execute it. Many companies practice the disaster recovery plan for at least one AAA priority system once per year.
ESSAY:
1. Define Control Objectives for Information and Related Technology (COBIT). What are the principles proposed by COBIT that guide the governance of information technology (IT)?
ANS: Control Objectives for Information and Related Technology (COBIT) is a set of guidelines whose goal is to align information technology (IT) resources and processes with business objectives, quality standards, monetary controls, and security needs. These guidelines are issued by the IT Governance Institute. They provide metrics, best practices, and critical success factors for COBIT-defined IT-related processes. COBIT 5.0 proposes five principles that guide governance of IT:
a. Meeting stakeholder needs
b. Covering an enterprise end-to-end
c. Applying a single, integrated framework
d. Enabling a holistic approach
e. Separating governance from management
2. Explain the need for a business continuity plan.
ANS: A business continuity plan defines the people and procedures required to ensure timely and orderly resumption of an organization’s essential, time-sensitive processes with minimal interruption. Having a business continuity plan in place before a business interruption occurs is critical; otherwise, the organization may not be able to respond quickly enough to prevent service interruption.
3. Define a disaster recovery plan. What are the various processes involved in developing a disaster recovery plan?
ANS: A disaster recovery plan is a component of the organization’s business continuity plan that defines the process to recover an organization’s business information system assets including hardware, software, data, networks, and facilities in the event of a disaster. The disaster recovery plan focuses on technology recovery and identifies the people or the teams responsible for taking action in the event of a disaster, what exactly these people will do when a disaster strikes, and the information system resources required to support critical business processes.
The processes involved in developing a disaster recovery plan include:
a. Identifying vital records and data.
b. Conducting a business impact analysis.
c. Defining resources and actions to recover.
d. Defining emergency procedures.
e. Identifying and training business continuity teams.
f. Training employees.
g. Practicing and updating the plan.