168. a. Training teaches people new things and makes them aware of new issues and procedures. They have similar objectives—that is, to learn a new skill or acquire new knowledge. Hence, they complement each other.
A hacker is a person who attempts to compromise the security of an IT system, especially one whose intention is to cause disruption or obtain unauthorized access to data. On the other hand, a user has the opposite objective: to use the system to fulfill his job duties. Hence, they conflict with each other.
Compliance means following the standards, rules, or regulations with no deviations allowed. On the other hand, common sense tells people to deviate when conditions are not practical. Hence, they conflict with each other.
Need-to-know means a need for access to information to do a job. Threats are actions or events that, if realized, can result in waste, fraud, abuse, or disruption of operations. Hence, they conflict with each other.
169. Establishing a data ownership program should be the responsibility of:
a. Functional users
b. Internal auditors
c. Data processors
d. External auditors
169. a. Functional users (business users) own the data in computer systems. Therefore, they have an undivided interest and responsibility in establishing a data ownership program.
Internal/external auditors are incorrect because they have no responsibility in establishing a data ownership program even though they recommend one. Data processors are incorrect because they are custodians of the users’ data.
170. When can the effectiveness of an information systems security policy be compromised?
a. When a policy is published
b. When a policy is reexamined
c. When a policy is tested
d. When policy enforcement is predictable
170. d. Information systems security policies should be made public, but the actual enforcement procedures should be kept private. This is to prevent policies from being compromised when enforcement is predictable. The surprise element makes unpredictable enforcements more effective than predictable ones. Policies should be published so that all affected parties are informed. Policies should be routinely reexamined for their workability. Policies should be tested to ensure the accuracy of assumptions.
171. There are many different ways to identify individuals or groups who need specialized or advanced training. Which of the following methods is least important to consider when planning for such training?
a. Job categories
b. Job functions
c. Specific systems
d. Specific vendors
171. d. One method is to look at job categories, such as executives, functional managers, or technology providers. Another method is to look at job functions, such as system design, system operation, or system user. A third method is to look at the specific technology and products used, especially for advanced training for user groups and training for a new system. Specific vendors are least important during planning but important in implementation.
172. Which of the following information systems security objectives is most important in an IT security program?
a. The objective must be specific.
b. The objective must be clear.
c. The objective must be achievable.
d. The objective must be well defined.
172. c. The first step in the management process is to define information systems security objectives for the specific system. A security objective needs to be more specific; it should be concrete and well defined. It also should be stated so that it is clear and achievable. An example of an information systems security objective is one in which only individuals in the accounting and personnel departments are authorized to provide or modify information used in payroll processing. What good is a security objective if it is not achievable although it is specific, clear, and well defined?
173. In which of the following planning techniques are the information needs of the organization defined?
a. Strategic planning
b. Tactical planning
c. Operational planning
d. Information systems planning
173. d. Four types of planning help organizations identify and manage IT resources: strategic, tactical, operational, and information systems planning. IS planning is a special planning structure designed to focus organizational computing resource plans on its business needs. IS planning provides a three-phased structured approach for an organization to systematically define, develop, and implement all aspects of its near- and long-term information needs.
Strategic planning defines the organization’s mission, goals, and objectives. It also identifies the major computing resource activities the organization will undertake to accomplish these plans.
Tactical planning identifies, schedules, manages, and controls the tasks necessary to accomplish individual computing resource activities, using a shorter planning horizon than strategic planning. It involves planning projects, acquisitions, and staffing.
Operational planning integrates tactical plans and support activities and defines the short-term tasks that must be accomplished to achieve the desired results.
174. Which of the following is a somewhat stable document?
a. Information technology strategic plan
b. Information technology operational plan
c. Information technology security plan
d. Information technology training plan
174. a. The IT strategic plan sets the broad direction and goals for managing information within the organization and supporting the delivery of services to customers. It should be derived from and relate to the organization’s strategic plan. The plan typically contains an IT mission statement, a vision describing the target IT environment of the future, an assessment of the current environment, and broad strategies for moving into the future. The IT strategic plan is a somewhat stable document. It does not require annual updates. However, an organization should periodically review and update the IT strategic plan as necessary to reflect significant changes in the IT mission or direction. The strategies presented in the IT strategic plan provide the basis for the IT operational plan, which includes security and training plans.
The IT operational plan describes how the organization will implement the strategic plan. The operational plan identifies logical steps for achieving the IT strategic vision. It may present an implementation schedule, identify key milestones, define project initiatives, and include resource estimates (e.g., funding and personnel). The operational plan should identify dependencies among the IT strategies and present a logical sequence of project initiatives to assure smooth implementation.
The IT security plans and training plans are incorrect because they are components of the IT operational plan. Security plans should be developed for an organization or an individual system. These plans document the controls and safeguards for maintaining information integrity and preventing malicious/accidental use, destruction, or modification of information resources within the organization. Training plans document the types of training the IT staff will require to effectively perform their duties. The IT operational plans, security plans, and training plans are in a constant state of flux.