CISM—Certified Information Security Manager - Part 55

Mary Smith

Thu, 16 Apr 2026

1. Which of the following measures would be MOST effective against insider threats to confidential information?

A) Role-based access control
B) Audit trail monitoring
C) Privacy policy
D) Defense-in-depth



2. Because of its importance to the business, an organization wants to quickly implement a technical solution which deviates from the company's policies. An information security manager should:

A) conduct a risk assessment and allow or disallow based on the outcome.
B) recommend a risk assessment and implementation only if the residual risks are accepted.
C) recommend against implementation because it violates the company's policies.
D) recommend revision of current policy.



3. After a risk assessment study, a bank with global operations decided to continue doing business in certain regions of the world where identity theft is rampant. The information security manager should encourage the business to:

A) increase its customer awareness efforts in those regions.
B) implement monitoring techniques to detect and react to potential fraud.
C) outsource credit card processing to a third party.
D) make the customer liable for losses if they fail to follow the bank's advice.



4. The criticality and sensitivity of information assets is determined on the basis of:

A) threat assessment.
B) vulnerability assessment.
C) resource dependency assessment.
D) impact assessment.



5. Which program element should be implemented FIRST in asset classification and control?

A) Risk assessment
B) Classification
C) Valuation
D) Risk mitigation



1. Right Answer: A
Explanation: Role-based access control grants access according to business need; it removes unnecessary access rights (so an insider cannot reach confidential data their job does not require) and enforces accountability, which makes it a preventive control. Audit trail monitoring is a detective control that operates after the fact. A privacy policy is not relevant to this risk. Defense-in-depth primarily addresses external threats.
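As an added example (not part of the original question set), the following Python sketch shows the difference the answer relies on: an RBAC check that stops an insider's out-of-role request before it happens, and an audit trail that only records the attempt for later review. The roles, users, resources and request sequence are constructed for illustration; the `RBAC`, `AuditTrail` and `flag_repeated_denials` names are assumptions, not from any particular product.

```python
"""Minimal RBAC enforcement (preventive) beside an audit trail (detective).

Everything here is constructed for illustration: the roles, users and
resource identifiers are not taken from the page or any real system.
"""
from dataclasses import dataclass, field

# Role -> set of (action, resource_class) the role legitimately needs.
# Permissions attach to roles, never to individual people, so a user's
# rights cannot drift beyond what their job function requires.
ROLE_PERMISSIONS = {
    "teller":       {("read", "account_balance"), ("update", "account_balance")},
    "loan_officer": {("read", "account_balance"), ("read", "credit_file")},
    "hr_analyst":   {("read", "employee_record")},
}

# Each resource carries a classification; authorization is decided on the
# class, not on the individual record, so new records need no new rules.
RESOURCE_CLASS = {
    "acct:1001":   "account_balance",
    "credit:8842": "credit_file",
    "emp:77":      "employee_record",
}


@dataclass
class AuditTrail:
    """Append-only record of every authorization decision (detective control)."""
    entries: list = field(default_factory=list)

    def record(self, user, action, resource, decision):
        self.entries.append({"user": user, "action": action,
                             "resource": resource, "decision": decision})

    def denied(self):
        return [e for e in self.entries if e["decision"] == "DENY"]


class RBAC:
    """Preventive control: a request outside the user's roles never succeeds."""

    def __init__(self, user_roles, audit):
        self.user_roles = user_roles   # user -> set of role names
        self.audit = audit

    def authorize(self, user, action, resource):
        cls = RESOURCE_CLASS.get(resource)
        allowed = any(
            (action, cls) in ROLE_PERMISSIONS.get(role, set())
            for role in self.user_roles.get(user, ())
        )
        # Every decision, allowed or not, is written to the trail. The trail
        # does not stop anything; it only makes the attempt visible later.
        self.audit.record(user, action, resource, "ALLOW" if allowed else "DENY")
        return allowed


def flag_repeated_denials(audit, threshold=2):
    """Audit trail monitoring: users with >= threshold denied attempts.

    This is the after-the-fact review the question contrasts with RBAC.
    """
    counts = {}
    for e in audit.denied():
        counts[e["user"]] = counts.get(e["user"], 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)


def demo():
    audit = AuditTrail()
    rbac = RBAC({"alice": {"teller"}, "bob": {"hr_analyst"}}, audit)
    results = [
        rbac.authorize("alice", "read", "acct:1001"),    # within role
        rbac.authorize("alice", "read", "emp:77"),       # insider overreach: denied
        rbac.authorize("alice", "read", "credit:8842"),  # overreach again: denied
        rbac.authorize("bob", "read", "emp:77"),         # within role
        rbac.authorize("bob", "update", "acct:1001"),    # denied
    ]
    return results, audit


if __name__ == "__main__":
    decisions, trail = demo()
    for entry in trail.entries:
        print(entry)
    print("users to review:", flag_repeated_denials(trail))
```

Note that `alice`'s two out-of-role reads never return data; the trail and `flag_repeated_denials` only tell a reviewer afterwards that she tried, which is why the preventive control is the "MOST effective" choice.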

2. Right Answer: B
Explanation: Whenever the company's policies cannot be followed, a risk assessment should be conducted to clarify the risks. It is then up to management to accept the risks or to mitigate them. Management determines the level of risk they are willing to take. Recommending revision of current policy should not be triggered by a single request.

3. Right Answer: B
Explanation: Customer awareness helps mitigate the risk, but on its own it is insufficient to control fraud. Implementing monitoring techniques that detect and respond to potential fraud cases is the most effective way to deal with this risk. If the bank outsources its processing, it still retains the liability. Making the customer liable for losses is a possible approach, but the bank still needs to be seen to be proactive in managing its risks.

4. Right Answer: D
Explanation: The criticality and sensitivity of information assets depend on the impact that would result if threats exploited vulnerabilities in the asset, taking into account the value of the asset and the impairment of that value. A threat assessment lists only the threats to which the information asset is exposed; it does not consider the value of the asset or the impact of a threat on that value. A vulnerability assessment lists only the vulnerabilities inherent in the information asset that can attract threats; it likewise does not consider the asset's value or the impact of perceived threats on it. A resource dependency assessment identifies process needs but not impact.

5. Right Answer: C
Explanation: Valuation is performed first to identify and understand the assets needing protection. Risk assessment is performed to identify and quantify threats to information assets that are selected by the first step, valuation. Classification and risk mitigation are steps following valuation.
