
CISM—Certified Information Security Manager - Part 144

Mary Smith

Thu, 16 Apr 2026


1. An effective way of protecting applications against Structured Query Language (SQL) injection vulnerability is to:

A) validate and sanitize client side inputs.
B) harden the database listener component.
C) normalize the database schema to the third normal form.
D) ensure that the security patches are updated on operating systems.



2. The root cause of a successful cross-site request forgery (XSRF) attack against an application is that the vulnerable application:

A) uses multiple redirects for completing a data commit transaction.
B) has implemented cookies as the sole authentication mechanism.
C) has been installed with a non-legitimate license key.
D) is hosted on a server along with other applications.



3. Of the following, retention of business records should be PRIMARILY based on:

A) periodic vulnerability assessment.
B) regulatory and legal requirements.
C) device storage capacity and longevity.
D) past litigation.



4. An organization is entering into an agreement with a new business partner to conduct customer mailings. What is the MOST important action that the information security manager needs to perform?

A) A due diligence security review of the business partner's security controls
B) Ensuring that the business partner has an effective business continuity program
C) Ensuring that the third party is contractually obligated to all relevant security requirements
D) Talking to other clients of the business partner to check references for performance



5. An organization that outsourced its payroll processing performed an independent assessment of the security controls of the third party, per policy requirements. Which of the following is the MOST useful requirement to include in the contract?

A) Right to audit
B) Nondisclosure agreement
C) Proper firewall implementation
D) Dedicated security manager for monitoring compliance



1. Right Answer: A
Explanation: SQL injection vulnerability arises when crafted or malformed user inputs are substituted directly into SQL queries, resulting in information leakage. Hardening the database listener does enhance the security of the database; however, it is unrelated to the SQL injection vulnerability. Normalization is related to the effectiveness and efficiency of the database but not to SQL injection vulnerability. SQL injections may also be observed in normalized databases. SQL injection vulnerability exploits the SQL query design, not the operating system.
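To make the explanation concrete, the following added example (not part of the original question set) contrasts a lookup that substitutes user input directly into the query text with one that applies allow-list validation and a parameterized query. The table, rows and usernames are constructed for the example; sqlite3 is used only because it ships with Python.

```python
import re
import sqlite3


def make_db():
    """Build a small in-memory table. All rows are constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Untrusted input is pasted into the SQL text: the pattern the explanation describes."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """The driver sends the value separately from the SQL text, so quotes in the
    input never change the query structure."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Allow-list for usernames: lowercase letters, digits and underscore, 1-32 chars.
# The exact rule is an assumption for this example; a real application uses its own.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def validate_username(username):
    """Return True only if the input matches the expected shape of a username."""
    return USERNAME_RE.fullmatch(username) is not None


def lookup_safe(conn, username):
    """Layered defence: reject unexpected input up front, then query with parameters."""
    if not validate_username(username):
        raise ValueError("invalid username")
    return lookup_parameterized(conn, username)


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, crafted))   # every row leaks
    print("parameterized:", lookup_parameterized(db, crafted))  # no match
    try:
        lookup_safe(db, crafted)
    except ValueError as exc:
        print("validated:", exc)
```

The crafted string closes the quoted literal and appends a condition that is always true, so the concatenated query returns every row. The parameterized version returns nothing for the same string because the value is compared as data, and the validated version never reaches the database at all. Both controls belong together: validation narrows what is accepted, parameterization guarantees that whatever is accepted cannot alter the query.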

2. Right Answer: B
Explanation: XSRF exploits inadequate authentication mechanisms in web applications that rely only on elements such as cookies when performing a transaction. XSRF is related to an authentication mechanism, not to redirection. Option C is related to intellectual property rights, not to XSRF vulnerability. Merely hosting multiple applications on the same server is not the root cause of this vulnerability.
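The following added example (not from the original question set) simulates the root cause named in the answer key: a state-changing handler that accepts the session cookie as its only proof that the user intended the action, beside a handler that additionally requires a per-session anti-forgery token submitted in the form body, which a cross-site page cannot read or supply. The session store, request shape and handler names are constructed for this example.

```python
import hmac
import secrets

# In-memory session store standing in for server-side session state (constructed).
SESSIONS = {}


def login(username):
    """Create a session and return its identifier, as a Set-Cookie would carry it."""
    session_id = secrets.token_hex(16)
    SESSIONS[session_id] = {
        "user": username,
        # Random per-session token; only pages served to this user can embed it.
        "csrf_token": secrets.token_hex(16),
    }
    return session_id


def _session_for(request):
    return SESSIONS.get(request["cookies"].get("session"))


def transfer_cookie_only(request):
    """Vulnerable: the cookie alone authorizes the transaction. A browser attaches
    the cookie automatically to any request to this origin, including one
    triggered by a form or script on an unrelated site."""
    session = _session_for(request)
    if session is None:
        return 401, "not authenticated"
    return 200, f"transferred {request['form']['amount']} for {session['user']}"


def transfer_with_token(request):
    """Hardened: the request must also carry the session's anti-forgery token,
    which is never sent automatically by the browser."""
    session = _session_for(request)
    if session is None:
        return 401, "not authenticated"
    submitted = request["form"].get("csrf_token", "")
    # Constant-time comparison avoids leaking the token through timing.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "missing or invalid CSRF token"
    return 200, f"transferred {request['form']['amount']} for {session['user']}"


def forged_request(session_id):
    """A request as a cross-site page could cause the victim's browser to send:
    the cookie is present, the token is not."""
    return {"cookies": {"session": session_id}, "form": {"amount": "100"}}


def legitimate_request(session_id):
    """A request from the application's own form, which embeds the token."""
    return {
        "cookies": {"session": session_id},
        "form": {"amount": "100", "csrf_token": SESSIONS[session_id]["csrf_token"]},
    }


if __name__ == "__main__":
    sid = login("alice")
    print(transfer_cookie_only(forged_request(sid)))   # (200, ...) the forgery succeeds
    print(transfer_with_token(forged_request(sid)))    # (403, ...) the forgery is rejected
    print(transfer_with_token(legitimate_request(sid)))  # (200, ...) the real user succeeds
```

The token is the element the answer key is pointing at: the cookie proves which user the browser belongs to, but not that the user intended this particular request, and a second credential that the browser does not attach automatically supplies that missing proof. In a deployed application the same check is commonly paired with verifying the Origin or Referer header and with SameSite cookie attributes.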

3. Right Answer: B
Explanation: Retention of business records is a business requirement that must consider regulatory and legal requirements based on geographic location and industry. Options A and C are important elements for making the decision, but the primary driver is the legal and regulatory requirements that need to be followed by all companies. Record retention may take into consideration past litigation, but it should not be the primary decision factor.

4. Right Answer: C
Explanation: The key requirement is that the information security manager ensures that the third party is contractually bound to follow the appropriate security requirements for the process being outsourced. This protects both organizations. All other steps are contributory to the contractual agreement, but are not key.

5. Right Answer: A
Explanation: Right to audit would be the most useful requirement since this would provide the company the ability to perform a security audit/assessment whenever there is a business need to examine whether the controls are working effectively at the third party. Options B, C and D are important requirements and can be examined during the audit. A dedicated security manager would be a costly solution and not always feasible for most situations.
