
Gest S 483

The document discusses governance of digital IT and includes questions about topics like advanced persistent threats, risk management, stakeholders, controls, management objectives, and frameworks. Multiple choice questions test understanding of key IT governance concepts and their application in enterprise scenarios.

Uploaded by

wayacel
Copyright
© © All Rights Reserved

GEST S 483 – DIGITAL IT AND GOVERNANCE

Question Part 1:
- 1. Which one of the following definitions does not characterize advanced persistent threats (APTs)?
Anything that is capable of acting against an asset in a manner that can result in harm

- 2. Select the most adequate definition of Risk Management

Continually identify, assess and reduce risks within levels of tolerance set by enterprise executive management

- 3. Which of the following is an EXTERNAL stakeholder who is potentially involved in the Governance of Enterprise IT?
Assurance providers, Regulators, IT vendors

- 4. Define which term corresponds to any process, policy, device, practice, or other conditions and/or actions which mitigate risks.

Control

- 5. Associate management objectives as described with their respective Management or governance domain. Domains include
Achieve increased productivity and minimize disruptions through quick resolution of user
queries and incidents. Assess the impact of changes and deal with service incidents. Resolve
user requests and restore service in response to incidents = DSS02

Secure optimal value from I&T-enabled initiatives, services and assets; cost-effective delivery
of solutions and services; and a reliable and accurate picture of costs and likely benefits so
that business needs are supported effectively and efficiently = EDM02

Ensure that the enterprise is compliant with all applicable external requirements = MEA03

Realize desired business value and reduce the risk of unexpected delays, costs and value
erosion. To do so, improve communications to and involvement of business and end users,
ensure the value and quality of program deliverables and follow-up of projects within the
programs, and maximize program contribution to the investment portfolio = BAI01

Support the digital transformation strategy of the organization and deliver the desired value
through a road map of incremental changes. Use a holistic I&T approach, ensuring that each
initiative is clearly connected to an overarching strategy. Enable change in all different
aspects of the organization, from channels and processes to data, culture, skills, operating
model and incentives = APO02

- 6. Match some of the seven Management components to their most relevant definitions:
Information and Technology Governance Framework

Key decision making entities in an enterprise = … structures (medium length answer)

Desired behavior into practical guidance for day to day management = (long answer)

All information produced and used by the enterprise. COBIT = Information

- 7. Match protection controls to the corresponding asset

Access controls, GDPR compliant = Patient data
Firewalls = Medical devices
Destruction trail = Paper files
Badges = Physical access

- 8. Which of the following is an Alignment Goal related to the “Customer” dimension of an Information and Technology organisation? These goals are defined in the COBIT framework, structured along the balanced scorecard (BSC), which includes the following four dimensions: “Financial”, “Customer”, “Internal and Operations”, “Learning and Growth”

Agility to turn business requirements into operational solutions

- 9. Which of the following is an Alignment Goal related to the “Internal and Operations” dimension of an Information and Technology organisation?
Delivery of programs on time on budget and meeting requirements and quality standards

- 10. Which of the following is not a threat related to Cloud computing?

Programming error

- 11. What is the purpose of the Goals Cascade ?

Support alignment between enterprise needs and IT solutions and services

- 12. Which of the following is an Enterprise Goal related to the “Financial” dimension of an Information and Technology organisation?
Portfolio of competitive products and services

- 13. Digital Enterprises Manage Work Through Products Not Projects. Indicate those
elements that are more specific to PRODUCTS (than to projects). Select all that apply to
PRODUCTS.

Stops when product is retired, delivers regular releases until then; but resourcing and
releases may diminish late in life cycle

Delivering valuable capabilities: What's the most valuable thing to do next?

- 14. What are the three main activities related to the governance of Information
Technology Risks ? Select the three answers that apply.
---Risk Governance : Establish and Maintain a Common Risk View – Integrate with Enterprise
Risk Management – Make Risk-aware Business Decisions
---Risk Response: Articulate Risk – Manage Risk – React to Events
---Risk Evaluation: Collect Data – Analyse Risk – Maintain Risk Profile

- 15. Which of the following is an INTERNAL stakeholder involved in the Governance of Enterprise IT? Select ALL answers that apply.

Board of Directors, Business Managers, IT Managers, Executive Management

- 16. What is the most logical sequence that organisations take when implementing the GRC
concept.
Compliance, Risk and finally Governance

- 17. The waterfall model is a classical model used in the system development life cycle to
create a system with a linear and sequential approach. Which one is an advantage of a
waterfall approach (all others are drawbacks/disadvantages)?
Upfront planning and in-depth documentation

- 18. Associate the definitions with the security related terms.
--To keep data safe from unauthorized access, modification and theft during processing,
storage and transmission = Information Security
--The protection of the hardware, software, communication and facilities used to input,
store, process, transmit and output data in whatever form = IT Security
--Physical measures designed to safeguard personnel; to prevent unauthorized access to
equipment, installations, material, and documents; and to safeguard against espionage,
sabotage, damage, and theft = Physical Security
--The protection of information assets by addressing threats to information processed,
stored and transported by internetworked information systems = Cyber Security

- 19. Where would a customer’s initial service targets be recorded before the service level
agreement (SLA) is produced? Choose one right answer.
In a list of service level requirements (SLR)

- 20. Which is the CORRECT explanation of how a service facilitates an outcome ? Choose
one right answer

By enhancing the performance of associated tasks and reducing the effect of constraints

- 21. A vulnerability is “an exploitable weakness that results in a loss.” Associate the
vulnerabilities to their categories.
Errors in management, decision-making, planning or ignorance = Organizational
Coding errors, inadequate passwords, open network ports = Technical
Failure to monitor logs: Failure to patch software = Process
Errors in design; Implementation; Placement or configuration = Technical

- 22. What risk response is related to the fact of “Contracting an insurance”. Select only one
answer.

Risk Transfer

- 23. Risks should be prioritized based on which three of the following elements?
Threat occurrences
Vulnerability level
Strategy and Security needs of the organisation

- 24. Which are the five major domains of activity as defined by the NIST Cybersecurity
framework ?

Identify

- 25. Which of the following stakeholders are to be involved in addressing information and
technology management objectives and related activities and who should be held
accountable for achieving expected outcome, implementing performance and indicators
and improving maturity components.

All enterprise personnel including business and IT management.

- 26. Indicate which symptom is related to an organisation that does not have a high
maturity in the Process component ?

Software development life cycle method is not adopted by the organisation. Each project
improvises a specific development methodology, but many are labelled as agile methods

- 27. Associate Management objectives with their most relevant description

Account for all IT assets and optimize the value provided by their use = Managed assets
Optimize available IT capabilities to support the IT strategy and road map = Managed Vendors

Question Part 2:

- 1. Trinichain decided to move most of its data storage to the cloud. They signed an
agreement with a leading Cloud services provider to host all personal data and financial
records of the bank clients. While evaluating the feasibility of that move, which of the
following management objectives should be considered during the build phase to ensure the
integration of new with existing technologies in a coherent and maintainable manner ?

AP03 Manage Architecture

- 2. While evaluating the use of cloud services in relation to the adequate protection of clients'
personal data, which of the following management objectives should be considered?

MEA03 Managed compliance with external requirements

- 3. To ensure continued client satisfaction during the move to the cloud, the senior
management of Trinichain requested to implement performance indicators tracking the
impact on clients. Which of the following indicators is not relevant ?

Business cost of incidents and its impact on Trinichain financial results

- 4. When the new systems were integrated and cloud storage was completely connected to
core applications, the banking authority wished to ensure that only approved and tested
systems were operating the new applications. Which management objective will be required?

BAI07 Managed IT Change Acceptance and Transitioning.

- 5. Then the bank decided to initiate a major investment program in a new banking application
that allows access to clients' banking activities through their social media and IoT devices.
They decided to proceed in step-by-step phases to ensure all decisions are adequately made and
authorized by senior management. They adopted a systems development life cycle method
for the initiation of this program.

BAI02.02 Perform a feasibility study and formulate alternative solutions

- 6. When the program scope and objectives are adequately defined, the CIO initiated an
activity to evaluate the effort and the cost of the investment. Prior to that, it is essential that
one of the following actions is performed:

BAI03.01 Design high-level solutions


- 7. At this stage of the program, management required a report on potential risks to the
investment. One of the risks was identified as “Aggressive deadlines”: Sometimes
software development has tight deadlines. In some cases, software development teams
may be unable to meet these deadlines. You can mitigate this risk by creating a thorough
project plan that allows you to set realistic deadlines. What performance indicator could help
characterize this risk?

Percent of milestone of task completion vs plan

- 8. Establish a project baseline that is appropriately reviewed approved and incorporated into
the integrated project plan.

- 9. Before initiating a major development, Trinichain management identified two components
that were weak and require improvement. Competencies is a first component. Some
Alignment goals are in consequence potentially impacted by that weakness. What metric
could be used to evaluate that weakness?
Number or percentage of business people with technology management experience

- 10. Trinichain management identified most feared risks to their organisation.
Which management domain should be addressed in priority to reduce the impact of the
following risks: IT operational infrastructure incidents, software failures, logical attacks, acts
of nature and environmental incidents. Select the domain that should gain high maturity to
reach the required mitigation target.
Deliver, Service and Support

- 11. Trinichain management identified recurrent pain points within their organisation.
Which management domain should be addressed in priority to reduce the impact of
those pain points:
-Insufficient IT resources, staff with inadequate skills or staff burnout
-Excessively high costs of IT
-Service delivery problems by the IT outsource
-Frustration between business departments and the IT department because of failed
initiatives or a perception of low contribution to business value
Select the domain that should gain high maturity to reach the required mitigation target:

Align, Plan and Organize domain


- 12. The management of Trinichain implemented a series of activities to ensure adequate
support to its information and technology activities and investments. Those included the
following actions:
-Ensure that communication and reporting mechanisms provide those responsible for
oversight and decision making with appropriate information
-Determine the optimal decision making model for IT
-Evaluate the percent of IT enabled investments for which claimed benefits in the
business case are met or exceeded
-Adopt a necessary culture to identify and communicate the decision making culture,
organizational ethics and individual behaviours that embody enterprise values
Which of the management objectives is involved in such activities:
Ensured Governance Framework Setting and Maintenance (EDM01)
