Domain 2

IT Governance and Management

Quick Review

Policies, processes, procedures, and standards

Policies, processes, procedures, and standards are all important elements of organizational governance, risk management, and compliance. They are related but distinct concepts that are used to guide the behavior and activities of an organization's personnel.

Policies: Policies are high-level statements that define an organization's objectives, goals, and rules of conduct. They are typically set by senior management or the board of directors and provide direction on how the organization should operate. Policies are designed to guide decision-making and set expectations for behavior and performance. Examples of policies include a code of conduct, an acceptable use policy for computer systems, or a privacy policy.

Processes: Processes are a set of activities or steps that are taken to accomplish a specific objective. They are designed to be repeatable and consistent and are used to achieve a particular outcome. Processes can be documented or informal and are often part of a larger system or framework. Examples of processes include incident management, change management, or risk management.

Procedures: Procedures are specific instructions or steps that must be followed to carry out a process or achieve an objective. They provide detailed guidance on how to perform a task and are often used to ensure consistency and quality. Procedures can be formal or informal, and they may be documented in a variety of formats, such as checklists, flowcharts, or standard operating procedures (SOPs).

Standards: Standards are established criteria or guidelines that are used to ensure consistency and quality. They are often set by industry associations, regulatory bodies, or government agencies and provide a baseline for best practices and compliance. Standards may be technical, operational, or performance-based and are used to measure and assess an organization's practices and outcomes. Examples of standards include ISO 27001 for information security management, HIPAA for healthcare privacy, or PCI-DSS for payment card industry security.

In summary, policies provide high-level direction, processes are used to accomplish specific objectives, procedures provide detailed guidance on how to perform a task, and standards establish criteria for best practices and compliance. All of these elements are essential for effective governance, risk management, and compliance in an organization.

Enterprise Architecture (EA)

Enterprise Architecture (EA) is the practice of analyzing, designing, planning, and implementing the structure of an organization's current and future state. It provides a comprehensive view of how an organization's business processes, information, technology, and people interrelate and how they can be aligned to achieve the organization's strategic goals.

EA provides a framework for businesses to ensure that their technology investments and IT strategies are aligned with their overall business objectives. It also provides a roadmap for an organization's IT infrastructure, defining the relationships between business processes, systems, data, and people. This helps to improve decision-making and minimize risks associated with technology implementation and upgrades.

An enterprise architecture typically consists of several architectural domains, including business architecture, application architecture, data architecture, and technology architecture. The business architecture defines the organization's overall business strategy, goals, and processes. The application architecture focuses on defining the organization's applications and how they interconnect with each other. The data architecture defines how data is stored, accessed, and used within the organization, while the technology architecture outlines the organization's IT infrastructure and how it supports the other architectural domains.

Overall, enterprise architecture provides a framework for businesses to align their IT strategy with their overall business objectives, improve efficiency, and reduce risks.

The Zachman Framework

The Zachman Framework is an enterprise architecture framework that provides a holistic view of an organization's structure and processes. It was developed by John Zachman in the 1980s and is widely used by businesses and IT professionals today.

The Zachman Framework is based on a grid with six columns and six rows. Each column represents a different perspective or stakeholder group within an organization, while each row represents a different level of abstraction or detail. The six columns are:

The six rows of the Zachman Framework represent different levels of detail or abstraction within each perspective or stakeholder group. These levels range from high-level strategy and goals to detailed technical specifications and implementation details.

The Zachman Framework is a useful tool for organizations looking to develop a comprehensive understanding of their structure and processes. By providing a structured approach to enterprise architecture, the Zachman Framework can help organizations align their IT strategy with their overall business objectives, improve communication between different stakeholders, and make more informed decisions about technology investments and upgrades.

Data Flow Diagrams

Data Flow Diagrams (DFDs) are graphical representations of how data flows through a system. They are used to model the functional aspects of a system and help in understanding how data moves between different processes and entities in a system.

DFDs consist of four main components:

DFDs can be used to analyze the existing system or design a new system. They help in identifying the inputs and outputs of each process and the relationships between them. This information can be used to improve system efficiency, identify potential problems, and streamline processes.

Data Storage Diagrams

Data Storage Diagrams (DSDs) are graphical representations of the physical storage structure of data in a system. They depict how data is stored in files, tables, or other data storage media, and how these structures are related to each other.

DSDs typically consist of three main components:

DSDs help in understanding the physical storage structure of data within a system and the relationships between different data storage structures. They can be used to optimize system performance, improve data access times, and ensure data integrity.

Zero Trust

Zero Trust is a security model that assumes no user, device, or network traffic is trusted by default, regardless of whether it is located inside or outside the network perimeter. The Zero Trust model focuses on verifying every access request to a network resource, system, or application, and requires that access requests are explicitly authorized, authenticated, and validated.

The Zero Trust concept is based on the following principles:

The Zero Trust model is gaining popularity due to the rise of remote work, cloud computing, and mobile devices, which have made traditional network perimeters less effective in securing corporate resources. By implementing the Zero Trust model, organizations can reduce their security risks and protect against cyber attacks, data breaches, and other security threats.
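The contrast between a perimeter model and per-request verification is easier to see in code. The following is an added example, not part of the original review: a deny-by-default access decision that checks the requester's verified identity, the device's posture, and a least-privilege policy for every request, and deliberately ignores whether the request came from inside or outside the network. The roles, resources, and policy table are constructed assumptions for illustration.

```python
"""Added example: a deny-by-default Zero Trust access decision compared with
the implicit-trust perimeter model it replaces. All names and policy values
are constructed assumptions, not from any real product or organization."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    mfa_verified: bool        # identity was authenticated with a second factor
    device_compliant: bool    # endpoint posture check (patch level, EDR, disk encryption) passed
    resource: str
    action: str
    source_network: str       # "corporate" or "internet": recorded for audit, never a trust signal


# Hypothetical least-privilege policy: role -> resource -> permitted actions.
POLICY: Dict[str, Dict[str, Set[str]]] = {
    "payroll-clerk": {"payroll-db": {"read"}},
    "payroll-admin": {"payroll-db": {"read", "write"}},
    "engineer": {"git-server": {"read", "write"}},
}

# Every decision is logged; visibility over all access is part of the model.
AUDIT_LOG: List[str] = []


def zero_trust_decision(req: AccessRequest) -> Tuple[bool, str]:
    """Return (allowed, reason). Any missing verification denies the request."""
    if not req.mfa_verified:
        decision = (False, "identity not verified")
    elif not req.device_compliant:
        decision = (False, "device posture check failed")
    else:
        permitted = POLICY.get(req.role, {}).get(req.resource, set())
        if req.action in permitted:
            decision = (True, "explicitly authorized by policy")
        else:
            decision = (False, f"{req.role} is not permitted to {req.action} {req.resource}")
    AUDIT_LOG.append(
        f"user={req.user} role={req.role} net={req.source_network} "
        f"{req.action} {req.resource} -> {'ALLOW' if decision[0] else 'DENY'} ({decision[1]})"
    )
    return decision


def perimeter_decision(req: AccessRequest) -> bool:
    """The implicit-trust model: anything already inside the network is trusted."""
    return req.source_network == "corporate"


# Constructed sample requests.
INSIDE_NO_MFA = AccessRequest("alice", "payroll-clerk", False, True,
                              "payroll-db", "read", "corporate")
REMOTE_VERIFIED = AccessRequest("bob", "payroll-admin", True, True,
                                "payroll-db", "write", "internet")
OVERREACH = AccessRequest("carol", "engineer", True, True,
                          "payroll-db", "read", "corporate")
BAD_DEVICE = AccessRequest("dave", "engineer", True, False,
                           "git-server", "read", "internet")


def compare_models() -> Dict[str, Tuple[bool, bool]]:
    """For each sample request, return (perimeter_allows, zero_trust_allows)."""
    samples = {
        "inside_no_mfa": INSIDE_NO_MFA,
        "remote_verified": REMOTE_VERIFIED,
        "overreach": OVERREACH,
        "bad_device": BAD_DEVICE,
    }
    return {name: (perimeter_decision(r), zero_trust_decision(r)[0])
            for name, r in samples.items()}


if __name__ == "__main__":
    for name, (perimeter, zero_trust) in compare_models().items():
        print(f"{name:16} perimeter={perimeter!s:5} zero_trust={zero_trust}")
    print("\n".join(AUDIT_LOG))
```

The unverified request from the corporate network is allowed by the perimeter model and denied by the Zero Trust check, while the fully verified request from the internet is allowed; the engineer's attempt to read the payroll database is denied by least privilege even though the identity and device pass, which is the point of evaluating each request against all three signals rather than network location.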

Applicable Laws, Regulations, and Standards

This includes an understanding of the relevant laws, regulations, and standards that apply to an organization's IT environment, as well as the importance of compliance with these requirements.

Some examples of laws, regulations, and standards that may be relevant to an organization's IT environment include:

As a CISA, it is important to have a broad understanding of the various laws, regulations, and standards that may be applicable to different organizations and industries. This knowledge can inform the development of IT policies and procedures, as well as help ensure that the organization is in compliance with relevant requirements.


1.   IT governance is most concerned with

A.   Security policy

B.   IT policy

C.   IT strategy

D.   IT executive compensation

2.   One of the advantages of outsourcing is

A.   It permits the organization to focus on core competencies.

B.   It results in reduced costs.

C.   It provides greater control over work performed by the outsourcing agency.

D.   It eliminates segregation of duties issues.

3.   An external IS auditor has discovered a segregation of duties issue in a high-value process. What is the best action for the auditor to take?

A.   Implement a preventive control.

B.   Implement a detective control.

C.   Implement a compensating control.

D.   Document the matter in the audit report.

4.   An organization has chosen to open a business office in another country where labor costs are lower and has hired workers to perform business functions there. This organization has

A.   Outsourced the function

B.   Outsourced the function offshore

C.   Insourced the function on-site

D.   Insourced the function at a remote location

5.   What is the purpose of a criticality analysis?

A.   Determine feasible recovery targets.

B.   Determine which staff members are the most critical.

C.   Determine which business processes are the most critical.

D.   Determine maximum tolerable downtime.

6.   An organization needs to better understand whether one of its key business processes is effective. What action should the organization consider?

A.   Audit the process.

B.   Benchmark the process.

C.   Outsource the process.

D.   Offshore the process.

7.   Annualized loss expectancy (ALE) is defined as

A.   Single loss expectancy (SLE) × annualized rate of occurrence (ARO)

B.   Exposure factor (EF) × the annualized rate of occurrence (ARO)

C.   Single loss expectancy (SLE) × the exposure factor (EF)

D.   Asset value (AV) × the single loss expectancy (SLE)

8.   A quantitative risk analysis is more difficult to perform because

A.   It is difficult to get accurate figures on the impact of a realized threat.

B.   It is difficult to get accurate figures on the probability of specific threats.

C.   It is difficult to get accurate figures on the value of assets.

D.   It is difficult to calculate the annualized loss expectancy of a specific threat.

9.   A collection of servers that is designed to operate as a single logical server is known as what?

A.   Cluster

B.   Grid

C.   Cloud

D.   Replicant

10.   What is the purpose of a balanced scorecard?

A.   Measures the efficiency of an IT organization

B.   Evaluates the performance of individual employees

C.   Benchmarks a process in the organization against peer organizations

D.   Measures organizational performance and effectiveness against strategic goals

11.   An organization has discovered that some of its employees have criminal records. What is the best course of action for the organization to take?

A.   Terminate the employees with criminal records.

B.   Immediately perform background checks, including criminal history, on all existing employees.

C.   Immediately perform background checks, including criminal history, on all new employees.

D.   Immediately perform background checks on those employees with criminal records.

12.   The options for risk treatment are

A.   Risk mitigation, risk reduction, and risk acceptance

B.   Risk mitigation, risk reduction, risk transfer, and risk acceptance

C.   Risk mitigation, risk avoidance, risk transfer, and risk acceptance

D.   Risk mitigation, risk avoidance, risk transfer, and risk conveyance

13.   An IS auditor is examining the IT standards document for an organization that was last reviewed two years earlier. What is the best course of action for the IS auditor?

A.   Locate the IT policy document and see how frequently IT standards should be reviewed.

B.   Compare the standards with current practices and make a determination of adequacy.

C.   Report that IT standards are not being reviewed often enough.

D.   Report that IT standards are adequate.

14.   The most important step in the process of outsourcing a business function is

A.   Developing a business case

B.   Measuring the cost savings

C.   Measuring the change in risk

D.   Performing due diligence on the external service provider

15.   An organization has published a new security policy. What is the best course of action for the organization to undertake to ensure that all employees will support the policy?

A.   The company CEO should send an e-mail to all employees, instructing them to support the policy.

B.   The company should provide training on the new security policy.

C.   The company should publish the policy on an internal web site.

D.   The company should require all employees to sign a statement agreeing to support the policy.