
CISM—Certified Information Security Manager - Part 138

Mary Smith

Thu, 16 Apr 2026

1. The 'separation of duties' principle is violated if which of the following individuals has update rights to the database access control list (ACL)?

A) Data owner
B) Data custodian
C) Systems programmer
D) Security administrator
2. An account with full administrative privileges over a production file is found to be accessible by a member of the software development team. This account was set up to allow the developer to download nonsensitive production data for software testing purposes. The information security manager should recommend which of the following?

A) Restrict account access to read only
B) Log all usage of this account
C) Suspend the account and activate only when needed
D) Require that a change request be submitted for each download
3. Which would be the BEST recommendation to protect against phishing attacks?

A) Install an antispam system
B) Publish security guidance for customers
C) Provide security awareness to the organization's staff
D) Install an application-level firewall
4. Which of the following is the BEST indicator that an effective security control is built into an organization?

A) The monthly service level statistics indicate a minimal impact from security issues.
B) The cost of implementing a security control is less than the value of the assets.
C) The percentage of systems that are compliant with security standards.
D) The audit reports do not reflect any significant findings on security.
5. What is the BEST way to alleviate security team understaffing while retaining the capability in-house?

A) Hire a contractor that would not be included in the permanent headcount
B) Outsource with a security services provider while retaining the control internally
C) Establish a virtual security team from competent employees across the company
D) Provide cross training to minimize the existing resources gap
1. Right Answer: C
Explanation: A systems programmer should not have privileges to modify the access control list (ACL) because this would give the programmer unlimited control over the system. The data owner would request and approve updates to the ACL, but it is not a violation of the separation of duties principle if the data owner has update rights to the ACL. The data custodian and the security administrator could carry out the updates on the ACL since it is part of their duties as delegated to them by the data owner.

2. Right Answer: A
Explanation: Administrative accounts have permission to change data, which the developers do not need in order to perform their tasks. An unauthorized change would damage the integrity of the data. Logging all usage of the account, suspending the account and activating it only when needed, or requiring that a change request be submitted for each download will not reduce the exposure created by this excessive level of access. Restricting the account to read-only access ensures that integrity can be maintained while still permitting access.

3. Right Answer: B
Explanation: Customers of the organization are the target of phishing attacks. Installing security software or training the organization's staff will be useless. The effort should be put on the customer side.

4. Right Answer: A
Explanation: The best indicator of effective security control is the evidence of little disruption to business operations. Choices B, C and D can support this evidence, but are supplemental to choice A.

5. Right Answer: C
Explanation: While hiring an indirect resource that will not be part of the headcount will add an extra resource, it usually costs more than a direct employee and is therefore not cost efficient. Outsourcing may be a more expensive option and can add complexity to service delivery. Competent security staff can be recruited from other departments, e.g., IT, product development, or research and development (R&D). By leveraging existing resources, the additional cost is nominal. It is also a strategic option, since the staff may join the team as full members in the future (internal transfer). Development of staff is often a budget drain and, if not managed carefully, these resources may move away from the company and leave the team with a bigger resource gap.