d. External auditors

169. a. Functional users (business users) own the data in computer systems. Therefore, they have an undivided interest and responsibility in establishing a data ownership program.

Internal/external auditors are incorrect because they have no responsibility in establishing a data ownership program even though they recommend one. Data processors are incorrect because they are custodians of the users’ data.

170. When can the effectiveness of an information systems security policy be compromised?

a. When a policy is published

b. When a policy is reexamined

c. When a policy is tested

d. When policy enforcement is predictable

170. d. Information systems security policies should be made public, but the actual enforcement procedures should be kept private. This is to prevent policies from being compromised when enforcement is predictable. The surprise element makes unpredictable enforcements more effective than predictable ones. Policies should be published so that all affected parties are informed. Policies should be routinely reexamined for their workability. Policies should be tested to ensure the accuracy of assumptions.

171. There are many different ways to identify individuals or groups who need specialized or advanced training. Which of the following methods is least important to consider when planning for such training?

a. Job categories

b. Job functions

c. Specific systems

d. Specific vendors

171. d. One method is to look at job categories, such as executives, functional managers, or technology providers. Another method is to look at job functions, such as system design, system operation, or system user. A third method is to look at the specific technology and products used, especially for advanced training for user groups and training for a new system. Specific vendors are least important during planning but important in implementation.

172. Which of the following information systems security objective characteristics is most important in an IT security program?

a. The objective must be specific.

b. The objective must be clear.

c. The objective must be achievable.

d. The objective must be well defined.

172. c. The first step in the management process is to define information systems security objectives for the specific system. A security objective needs to be more specific; it should be concrete and well defined. It also should be stated so that it is clear and achievable. An example of an information systems security objective is one in which only individuals in the accounting and personnel departments are authorized to provide or modify information used in payroll processing. What good is a security objective if it is not achievable although it is specific, clear, and well defined?

173. In which of the following planning techniques are the information needs of the organization defined?

a. Strategic planning

b. Tactical planning

c. Operational planning

d. Information systems planning

173. d. Four types of planning help organizations identify and manage IT resources: strategic, tactical, operational, and information systems planning. IS planning is a special planning structure designed to focus organizational computing resource plans on its business needs. IS planning provides a three-phased structured approach for an organization to systematically define, develop, and implement all aspects of its near- and long-term information needs.

Strategic planning defines the organization’s mission, goals, and objectives. It also identifies the major computing resource activities the organization will undertake to accomplish these plans.

Tactical planning identifies, schedules, manages, and controls the tasks necessary to accomplish individual computing resource activities, using a shorter planning horizon than strategic planning. It involves planning projects, acquisitions, and staffing.

Operational planning integrates tactical plans and support activities and defines the short-term tasks that must be accomplished to achieve the desired results.

174. Which of the following is a somewhat stable document?

a. Information technology strategic plan

b. Information technology operational plan

c. Information technology security plan

d. Information technology training plan
