1. A successful information security management program should use which of the following to determine the amount of resources devoted to mitigating exposures?
A) Risk analysis results B) Audit report findings C) Penetration test results D) Amount of IT budget available
2. Which of the following will BEST protect an organization from internal security attacks?
A) Static IP addressing B) Internal address translation C) Prospective employee background checks D) Employee awareness certification program
3. For risk management purposes, the value of an asset should be based on:
A) original cost. B) net cash flow. C) net present value. D) replacement cost.
4. In a business impact analysis, the value of an information system should be based on the overall cost:
A) of recovery. B) to recreate. C) if unavailable. D) of emergency operations.
5. Acceptable risk is achieved when:
A) residual risk is minimized. B) transferred risk is minimized. C) control risk is minimized. D) inherent risk is minimized.
1. Right Answer: A Explanation: Risk analysis results are the most useful and complete source of information for determining the amount of resources to devote to mitigating exposures. Audit report findings may not address all risks and do not express loss in terms of annualized loss expectancy. Penetration test results provide only a limited view of exposures, while the size of the IT budget is not tied to the exposures the organization actually faces.
2. Right Answer: C Explanation: Because past performance is a strong predictor of future performance, background checks of prospective employees best prevent attacks from originating within an organization. Static IP addressing does little to prevent an internal attack. Internal address translation using non-routable addresses is useful against external attacks but not against internal ones. Employees who certify that they have read security policies are desirable, but this does not guarantee that they behave honestly.
3. Right Answer: D Explanation: The value of a physical asset should be based on its replacement cost since this is the amount that would be needed to replace the asset if it were to become damaged or destroyed. Original cost may be significantly different than the current cost of replacing the asset. Net cash flow and net present value do not accurately reflect the true value of the asset.
4. Right Answer: C Explanation: The value of an information system should be based on the cost incurred if the system were to become unavailable. The cost to design or recreate the system is not as relevant since a business impact analysis measures the impact that would occur if an information system were to become unavailable. Similarly, the cost of emergency operations is not as relevant.
5. Right Answer: A Explanation: Residual risk is the risk that remains after an effective risk management program has been put in place; therefore, acceptable risk is achieved when this amount is minimized. Transferred risk is risk that has been assumed by a third party and is not necessarily equal to the minimal residual risk. Control risk is the risk that the controls in place fail to prevent or detect an incident; it is a measure of control effectiveness, not of what remains acceptable. Inherent risk cannot be minimized.
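Worked example for the point behind questions 1 and 5 (added here; it is not part of the quiz or its answer key): a risk analysis that ranks exposures by annualized loss expectancy (ALE = SLE x ARO, the standard quantitative model), funds only controls whose risk reduction exceeds their cost, and reports the residual ALE that remains. The greedy budget allocation, the class and function names, and every exposure, control and figure below are constructed assumptions for illustration, not real data.

```python
# Added illustration (not from the quiz): quantitative risk analysis used to decide
# where mitigation resources go. Uses the standard ALE = SLE x ARO model; the
# exposures, controls, budget and all numbers below are constructed for the example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    name: str
    sle: float  # single loss expectancy per event (e.g. cost of unavailability)
    aro: float  # annualized rate of occurrence (expected events per year)


@dataclass(frozen=True)
class Control:
    name: str
    exposure: str          # name of the exposure this control mitigates
    annual_cost: float     # yearly cost of running the control
    aro_reduction: float   # fraction of ARO removed, 0.0..1.0 (prevention)
    sle_reduction: float   # fraction of SLE removed, 0.0..1.0 (impact limiting)


def ale(e: Exposure) -> float:
    """Inherent annualized loss expectancy before any control."""
    return round(e.sle * e.aro, 2)


def residual_ale(e: Exposure, c: Control) -> float:
    """Annualized loss expectancy that remains once control c is in place."""
    return round(e.sle * (1 - c.sle_reduction) * e.aro * (1 - c.aro_reduction), 2)


def net_benefit(e: Exposure, c: Control) -> float:
    """Risk reduction minus control cost; a control with net_benefit <= 0 is not worth funding."""
    return round(ale(e) - residual_ale(e, c) - c.annual_cost, 2)


def rank_by_ale(exposures):
    """Exposure names ordered from largest to smallest inherent ALE."""
    return [e.name for e in sorted(exposures, key=ale, reverse=True)]


def plan(exposures, controls, budget):
    """Greedy allocation (an assumption of this example, not a standard):
    fund controls in order of net benefit while they fit the budget, at most one
    control per exposure. Returns (chosen controls, spend, residual ALE per exposure)."""
    by_name = {e.name: e for e in exposures}
    ranked = sorted(
        (c for c in controls if c.exposure in by_name),
        key=lambda c: net_benefit(by_name[c.exposure], c),
        reverse=True,
    )
    chosen, spent = [], 0.0
    for c in ranked:
        if net_benefit(by_name[c.exposure], c) <= 0:
            break  # everything after this point costs more than the risk it removes
        if spent + c.annual_cost > budget:
            continue  # cannot afford it; a cheaper control further down may still fit
        if any(x.exposure == c.exposure for x in chosen):
            continue  # this exposure is already covered
        chosen.append(c)
        spent += c.annual_cost
    residual = {}
    for e in exposures:
        ctrl = next((c for c in chosen if c.exposure == e.name), None)
        residual[e.name] = residual_ale(e, ctrl) if ctrl else ale(e)
    return chosen, spent, residual


# Constructed sample data (not real figures).
EXPOSURES = [
    Exposure("db-outage", sle=200_000, aro=0.5),
    Exposure("laptop-theft", sle=5_000, aro=4),
    Exposure("phishing-credential", sle=60_000, aro=2),
]
CONTROLS = [
    Control("ha-cluster", "db-outage", annual_cost=30_000, aro_reduction=0.8, sle_reduction=0.0),
    Control("full-disk-encryption", "laptop-theft", annual_cost=2_000, aro_reduction=0.0, sle_reduction=0.9),
    Control("mfa", "phishing-credential", annual_cost=15_000, aro_reduction=0.0, sle_reduction=0.9),
    Control("armoured-laptop-vault", "laptop-theft", annual_cost=50_000, aro_reduction=0.0, sle_reduction=1.0),
]
BUDGET = 40_000

if __name__ == "__main__":
    print("by inherent ALE:", rank_by_ale(EXPOSURES))
    chosen, spent, residual = plan(EXPOSURES, CONTROLS, BUDGET)
    print("funded:", [c.name for c in chosen], "spend:", spent)
    for name, r in residual.items():
        print(f"  {name}: residual ALE {r:,.0f}")
    print("total residual ALE:", sum(residual.values()))
```

With these constructed inputs the analysis funds the MFA rollout and disk encryption, leaves the HA cluster unfunded because it does not fit the remaining budget (so the database outage keeps its full inherent ALE as residual risk), and rejects the vault outright because it costs more per year than the loss it removes. Note that the ALE of an outage is driven by the cost of unavailability (question 4), not by what the system cost to build.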