CISM—Certified Information Security Manager - Part 142

Mary Smith

Thu, 16 Apr 2026

1. The management staff of an organization that does not have a dedicated security function decides to use its IT manager to perform a security review. The MAIN job requirement in this arrangement is that the IT manager

A) report risks in other departments.
B) obtain support from other departments.
C) report significant security risks.
D) have knowledge of security standards.



2. An organization has implemented an enterprise resource planning (ERP) system used by 500 employees from various departments. Which of the following access control approaches is MOST appropriate?

A) Rule-based
B) Mandatory
C) Discretionary
D) Role-based



3. An organization plans to contract with an outside service provider to host its corporate web site. The MOST important concern for the information security manager is to ensure that:

A) an audit of the service provider uncovers no significant weakness.
B) the contract includes a nondisclosure agreement (NDA) to protect the organization's intellectual property.
C) the contract should mandate that the service provider will comply with security policies.
D) the third-party service provider conducts regular penetration testing.



4. Which of the following is the MAIN objective in contracting with an external company to perform penetration testing?

A) To mitigate technical risks
B) To have an independent certification of network security
C) To receive an independent view of security exposures
D) To identify a complete list of vulnerabilities



5. A new port needs to be opened in a perimeter firewall. Which of the following should be the FIRST step before initiating any changes?

A) Prepare an impact assessment report.
B) Conduct a penetration test.
C) Obtain approval from senior management.
D) Back up the firewall configuration and policy files.



1. Right Answer: C
Explanation: The IT manager needs to report the security risks in the environment pursuant to the security review, including risks in the IT implementation. Choices A, B and D are important, but not the main responsibilities or job requirements.

2. Right Answer: D
Explanation: Role-based access control is effective and efficient in large user communities because it controls system access by the roles defined for groups of users. Users are assigned to the various roles and the system controls the access based on those roles. Rule-based access control needs to define the access rules, which is troublesome and error prone in large organizations. In mandatory access control, the individual's access to information resources needs to be defined, which is troublesome in large organizations. In discretionary access control, users have access to resources based on predefined sets of principles, which is an inherently insecure approach.

3. Right Answer: C
Explanation: It is critical to include the security requirements in the contract based on the company's security policy to ensure that the necessary security controls are implemented by the service provider. The audit is normally a one-time effort and cannot provide ongoing assurance of the security. A nondisclosure agreement (NDA) should be part of the contract; however, it is not critical to the security of the web site. Penetration testing alone would not provide total security to the web site; there are many controls that cannot be tested through penetration testing.

4. Right Answer: C
Explanation: Even though the organization may have the capability to perform penetration testing with internal resources, third-party penetration testing should be performed to gain an independent view of the security exposure. Mitigating technical risks is not a direct result of a penetration test. A penetration test would not provide certification of network security nor provide a complete list of vulnerabilities.

5. Right Answer: A
Explanation: An impact assessment report needs to be prepared first, providing the justification for the change, an analysis of the changes to be made, the impact if the change does not work as expected, the priority of the change and the urgency of the change request. Choices B, C and D could be important steps, but the impact assessment report should be completed before the other steps.
