
CISM—Certified Information Security Manager - Part 145

Mary Smith

Thu, 16 Apr 2026

1. Which of the following is the MOST critical activity to ensure the ongoing security of outsourced IT services?

A) Provide security awareness training to the third-party provider's employees
B) Conduct regular security reviews of the third-party provider
C) Include security requirements in the service contract
D) Request that the third-party provider comply with the organization's information security policy



2. An organization's operations staff places payment files in a shared network folder and then the disbursement staff picks up the files for payment processing. This manual intervention will be automated some months later, thus cost-efficient controls are sought to protect against file alterations. Which of the following would be the BEST solution?

A) Design a training program for the staff involved to heighten information security awareness
B) Set role-based access permissions on the shared folder
C) The end user develops a PC macro program to compare sender and recipient file contents
D) Shared folder operators sign an agreement to pledge not to commit fraudulent activities



3. Which of the following BEST ensures that security risks will be reevaluated when modifications in application developments are made?

A) A problem management process
B) Background screening
C) A change control process
D) Business impact analysis (BIA)



4. Which is the BEST way to measure and prioritize aggregate risk deriving from a chain of linked system vulnerabilities?

A) Vulnerability scans
B) Penetration tests
C) Code reviews
D) Security audits



5. In which of the following system development life cycle (SDLC) phases are access control and encryption algorithms chosen?

A) Procedural design
B) Architectural design
C) System design specifications
D) Software development



1. Right Answer: B
Explanation: Regular security audits and reviews of the practices of the provider to prevent potential information security damage will help verify the security of outsourced services. Depending on the type of services outsourced, security awareness may not be necessary. Security requirements should be included in the contract, but what is most important is verifying that the requirements are met by the provider. It is not necessary to require the provider to fully comply with the policy if only some of the policy is related and applicable.

2. Right Answer: B
Explanation: Ideally, requesting that the IT department develop an automated integrity check would be desirable, but given the temporary nature of the problem, the risk can be mitigated by setting stringent access permissions on the shared folder. Operations staff should only have write access and disbursement staff should only have read access, and everyone else, including the administrator, should be disallowed. An information security awareness program and/or signing an agreement to not engage in fraudulent activities may help deter attempts made by employees; however, as long as employees see a chance of personal gain when internal control is loose, they may embark on unlawful activities such as alteration of payment files. A PC macro would be an inexpensive automated solution to develop with control reports. However, sound independence or segregation of duties cannot be expected in the reconciliation process since it is run by an end-user group. Therefore, this option may not provide sufficient proof.

3. Right Answer: C
Explanation: A change control process is the methodology that ensures that anything that could be impacted by a development change will be reevaluated. Problem management is the general process intended to manage all problems, not those specifically related to security. Background screening is the process to evaluate employee references when they are hired. BIA is the methodology used to evaluate risks in the business continuity process.

4. Right Answer: B
Explanation: A penetration test is normally the only security assessment that can link vulnerabilities together by exploiting them sequentially. This gives a good measurement and prioritization of risks. Other security assessments such as vulnerability scans, code reviews and security audits can help give an extensive and thorough risk and vulnerability overview, but will not be able to test or demonstrate the final consequence of having several vulnerabilities linked together. Penetration testing can give risk a new perspective and prioritize based on the end result of a sequence of security problems.

5. Right Answer: C
Explanation: The system design specifications phase is when security specifications are identified. The procedural design converts structural components into a procedural description of the software. The architectural design is the phase that identifies the overall system design, but not the specifics. Software development is too late a stage since this is the phase when the system is already being coded.
