1. Which of the following would a security manager establish to determine the target for restoration of normal processing?
A) Recovery time objective (RTO)
B) Maximum tolerable outage (MTO)
C) Recovery point objectives (RPOs)
D) Service delivery objectives (SDOs)
2. A risk management program would be expected to:
A) remove all inherent risk.
B) maintain residual risk at an acceptable level.
C) implement preventive controls for every threat.
D) reduce control risk to zero.
3. Risk assessment should be built into which of the following systems development phases to ensure that risks are addressed in a development project?
A) Programming
B) Specification
C) User testing
D) Feasibility
4. Which of the following would help management determine the resources needed to mitigate a risk to the organization?
A) Risk analysis process
B) Business impact analysis (BIA)
C) Risk management balanced scorecard
D) Risk-based audit program
5. A global financial institution has decided not to take any further action on a denial of service (DoS) risk found by the risk assessment team. The MOST likely reason it made this decision is that:
A) there are sufficient safeguards in place to prevent this risk from happening.
B) the needed countermeasure is too complicated to deploy.
C) the cost of the countermeasure outweighs the value of the asset and the potential loss.
D) the likelihood of the risk occurring is unknown.
1. Right Answer: A
Explanation: Recovery time objective (RTO) is the length of time from the moment of an interruption until the time the process must be functioning at a service level sufficient to limit financial and operational impacts to an acceptable level. Maximum tolerable outage (MTO) is the maximum time for which an organization can operate in a reduced mode. Recovery point objectives (RPOs) relate to the age of the data required for recovery. Service delivery objectives (SDOs) are the levels of service required in reduced mode.
2. Right Answer: B
Explanation: The object of risk management is to ensure that all residual risk is maintained at a level acceptable to the business; it is not intended to remove every identified risk or implement controls for every threat, since this may not be cost-effective. Control risk, i.e., the risk that a control may not be effective, is a component of the program but is unlikely to be reduced to zero.
3. Right Answer: D
Explanation: Risk should be addressed as early as possible in the development cycle. The feasibility study should include risk assessment so that the cost of controls can be estimated before the project proceeds. Risk should also be considered in the specification phase, where the controls are designed, but this would still be based on the assessment carried out in the feasibility study. Assessment would not be relevant in choice A or C.
4. Right Answer: B
Explanation: The business impact analysis (BIA) determines the possible outcome of a risk and is essential to determine the appropriate cost of control. The risk analysis process provides comprehensive data, but does not determine definite resources to mitigate the risk as the BIA does. The risk management balanced scorecard is a measuring tool for goal attainment. A risk-based audit program is used to focus the audit process on the areas of greatest importance to the organization.
5. Right Answer: C
Explanation: An organization may decide to live with specific risks because it would cost more to protect itself than the value of the potential loss. The safeguards need to match the risk level. While countermeasures could be too complicated to deploy, this is not the most compelling reason. It is unlikely that a global financial institution would not be exposed to such attacks, and the frequency could not be predicted.