
CISM—Certified Information Security Manager - Part 44

Mary Smith

Wed, 15 Apr 2026

1. Based on the information provided, which of the following situations presents the GREATEST information security risk for an organization with multiple, but small, domestic processing locations?

A) Systems operation procedures are not enforced
B) Change management procedures are poor
C) Systems development is outsourced
D) Systems capacity management is not performed



2. Which of the following BEST describes the scope of risk analysis?

A) Key financial systems
B) Organizational activities
C) Key systems and infrastructure
D) Systems subject to regulatory compliance



3. The decision as to whether a risk has been reduced to an acceptable level should be determined by:

A) organizational requirements.
B) information systems requirements.
C) information security requirements.
D) international standards.



4. Which of the following is the PRIMARY reason for implementing a risk management program?

A) Allows the organization to eliminate risk
B) Is a necessary part of management's due diligence
C) Satisfies audit and regulatory requirements
D) Assists in increasing the return on investment (ROI)



5. Which of the following groups would be in the BEST position to perform a risk analysis for a business?

A) External auditors
B) A peer group within a similar business
C) Process owners
D) A specialized management consultant



1. Right Answer: B
Explanation: The lack of change management is a severe omission and will greatly increase information security risk. Since procedures are generally nonauthoritative, their lack of enforcement is not a primary concern. Systems that are developed by third-party vendors are becoming commonplace and do not represent an increase in security risk as much as poor change management. Poor capacity management may not necessarily represent a security risk.

2. Right Answer: B
Explanation: Risk analysis should include all organizational activities. It should not be limited to subsets of systems or just systems and infrastructure.

3. Right Answer: A
Explanation: Organizational requirements should determine when a risk has been reduced to an acceptable level. Information systems and information security should not make the ultimate determination. Since each organization is unique, international standards of best practice do not represent the best solution.

4. Right Answer: B
Explanation: The key reason for performing risk management is that it is part of management's due diligence. The elimination of all risk is not possible. Satisfying audit and regulatory requirements is of secondary importance. A risk management program may or may not increase the return on investment (ROI).

5. Right Answer: C
Explanation: Process owners have the most in-depth knowledge of risks and compensating controls within their environment. External parties do not have that level of detailed knowledge on the inner workings of the business. Management consultants are expected to have the necessary skills in risk analysis techniques but are still less effective than a group with intimate knowledge of the business.