1. Which of the following is generally considered a fundamental component of an information security program?
A) Role-based access control systems
B) Automated access provisioning
C) Security awareness training
D) Intrusion prevention systems (IPSs)
2. How would an organization know if its new information security program is accomplishing its goals?
A) Key metrics indicate a reduction in incident impacts.
B) Senior management has approved the program and is supportive of it.
C) Employees are receptive to changes that were implemented.
D) There is an immediate reduction in reported incidents.
3. A benefit of using a full disclosure (white box) approach as compared to a blind (black box) approach to penetration testing is that:
A) it simulates the real-life situation of an external security attack.
B) human intervention is not required for this type of test.
C) less time is spent on reconnaissance and information gathering.
D) critical infrastructure information is not revealed to the tester.
4. Which of the following is the BEST method to reduce the number of incidents of employees forwarding spam and chain e-mail messages?
A) Acceptable use policy
B) Setting low mailbox limits
C) User awareness training
D) Taking disciplinary action
5. Which of the following is the BEST approach to mitigate online brute-force attacks on user accounts?
A) Passwords stored in encrypted form
B) User awareness
C) Strong passwords that are changed periodically
D) Implementation of lock-out policies
1. Right Answer: C Explanation: Without security awareness training, many components of the security program may not be effectively implemented. The other options may or may not be necessary, but are discretionary.
2. Right Answer: A Explanation: Option A is correct since an effective security program will show a trend in impact reduction. Options B and C may well derive from a performing program, but are not as significant as option A. Option D may indicate that it is not successful.
3. Right Answer: C Explanation: Data and information required for penetration are shared with the testers, thus eliminating time that would otherwise have been spent on reconnaissance and gathering of information. Blind (black box) penetration testing is closer to real life than full disclosure (white box) testing. There is no evidence to support that human intervention is not required for this type of test. A full disclosure (white box) methodology requires the knowledge of the subject being tested.
4. Right Answer: C Explanation: User awareness training would help in reducing the incidents of employees forwarding spam and chain e-mails, since users would understand the risks of doing so and the impact on the organization's information system. An acceptable use policy, signed by employees, would legally address the requirements, but merely having a policy is not the best measure. Setting low mailbox limits and taking disciplinary action are reactive approaches and may not help in obtaining proper support from employees.
5. Right Answer: D Explanation: Implementation of account lock-out policies significantly inhibits brute-force attacks. In cases where this is not possible, strong passwords that are changed periodically would be an appropriate choice. Passwords stored in encrypted form will not defeat an online brute-force attack if the password itself is easily guessed. User awareness would help but is not the best approach of the options given.