CA Foundation Business Economics Questions 2023 - Part 32
Fri, 03 Mar 2023
Inspirational journeys
Follow the stories of academics and their research expeditions
CISM—Certified Information Security Manager - Part 56
1. When performing a risk assessment, the MOST important consideration is that:
A) management supports risk mitigation efforts.
B) annual loss expectations (ALEs) have been calculated for critical assets.
C) assets have been identified and appropriately valued.
D) attack motives, means and opportunities be understood.
2. The MAIN reason why asset classification is important to a successful information security program is because classification determines:
A) the priority and extent of risk mitigation efforts.
B) the amount of insurance needed in case of loss.
C) the appropriate level of protection to the asset.
D) how protection levels compare to peer organizations.
3. The BEST strategy for risk management is to:
A) achieve a balance between risk and organizational goals.
B) reduce risk to an acceptable level.
C) ensure that policy development properly considers organizational risks.
D) ensure that all unmitigated risks are accepted by management.
4. Which of the following would be the MOST important factor to be considered in the loss of mobile equipment with unencrypted data?
A) Disclosure of personal information
B) Sufficient coverage of the insurance policy for accidental losses
C) Intrinsic value of the data stored on the equipment
D) Replacement cost of the equipment
5. An organization has to comply with recently published industry regulatory requirements '' compliance that potentially has high implementation costs. What should the information security manager do FIRST?
A) Implement a security committee.
B) Perform a gap analysis.
C) Implement compensating controls.
D) Demand immediate compliance.
A) management supports risk mitigation efforts.
B) annual loss expectations (ALEs) have been calculated for critical assets.
C) assets have been identified and appropriately valued.
D) attack motives, means and opportunities be understood.
2. The MAIN reason why asset classification is important to a successful information security program is because classification determines:
A) the priority and extent of risk mitigation efforts.
B) the amount of insurance needed in case of loss.
C) the appropriate level of protection to the asset.
D) how protection levels compare to peer organizations.
3. The BEST strategy for risk management is to:
A) achieve a balance between risk and organizational goals.
B) reduce risk to an acceptable level.
C) ensure that policy development properly considers organizational risks.
D) ensure that all unmitigated risks are accepted by management.
4. Which of the following would be the MOST important factor to be considered in the loss of mobile equipment with unencrypted data?
A) Disclosure of personal information
B) Sufficient coverage of the insurance policy for accidental losses
C) Intrinsic value of the data stored on the equipment
D) Replacement cost of the equipment
5. An organization has to comply with recently published industry regulatory requirements '' compliance that potentially has high implementation costs. What should the information security manager do FIRST?
A) Implement a security committee.
B) Perform a gap analysis.
C) Implement compensating controls.
D) Demand immediate compliance.
1. Right Answer: C
Explanation: Identification and valuation of assets provides the basis for risk management efforts as it relates to the criticality and sensitivity of assets. Management support is always important, but is not relevant when determining the proportionality of risk management efforts. ALE calculations are only valid if assets have first been identified and appropriately valued. Motives, means and opportunities should already be factored in as a part of a risk assessment.
2. Right Answer: C
Explanation: Protection should be proportional to the value of the asset. Classification is based upon the value of the asset to the organization. The amount of insurance needed in case of loss may not be applicable in each case. Peer organizations may have different classification schemes for their assets.
3. Right Answer: B
Explanation: The best strategy for risk management is to reduce risk to an acceptable level, as this will take into account the organization's appetite for risk and the fact that it would not be practical to eliminate all risk. Achieving balance between risk and organizational goals is not always practical. Policy development must consider organizational risks as well as business objectives. It may be prudent to ensure that management understands and accepts risks that it is not willing to mitigate, but that is a practice and is not sufficient to l>e considered a strategy.
4. Right Answer: C
Explanation: When mobile equipment is lost or stolen, the information contained on the equipment matters most in determining the impact of the loss. The more sensitive the information, the greater the liability. If staff carries mobile equipment for business purposes, an organization must develop a clear policy as to what information should be kept on the equipment and for what purpose. Personal information is not defined in the question as the data that were lost. Insurance may be a relatively smaller issue as compared with information theft or opportunity loss, although insurance is also an important factor for a successful business. Cost of equipment would be a less important issue as compared with other choices.
5. Right Answer: B
Explanation: Since they are regulatory requirements, a gap analysis would be the first step to determine the level of compliance already in place. Implementing a security committee or compensating controls would not be the first step. Demanding immediate compliance would not assess the situation.
Explanation: Identification and valuation of assets provides the basis for risk management efforts as it relates to the criticality and sensitivity of assets. Management support is always important, but is not relevant when determining the proportionality of risk management efforts. ALE calculations are only valid if assets have first been identified and appropriately valued. Motives, means and opportunities should already be factored in as a part of a risk assessment.
2. Right Answer: C
Explanation: Protection should be proportional to the value of the asset. Classification is based upon the value of the asset to the organization. The amount of insurance needed in case of loss may not be applicable in each case. Peer organizations may have different classification schemes for their assets.
3. Right Answer: B
Explanation: The best strategy for risk management is to reduce risk to an acceptable level, as this will take into account the organization's appetite for risk and the fact that it would not be practical to eliminate all risk. Achieving balance between risk and organizational goals is not always practical. Policy development must consider organizational risks as well as business objectives. It may be prudent to ensure that management understands and accepts risks that it is not willing to mitigate, but that is a practice and is not sufficient to l>e considered a strategy.
4. Right Answer: C
Explanation: When mobile equipment is lost or stolen, the information contained on the equipment matters most in determining the impact of the loss. The more sensitive the information, the greater the liability. If staff carries mobile equipment for business purposes, an organization must develop a clear policy as to what information should be kept on the equipment and for what purpose. Personal information is not defined in the question as the data that were lost. Insurance may be a relatively smaller issue as compared with information theft or opportunity loss, although insurance is also an important factor for a successful business. Cost of equipment would be a less important issue as compared with other choices.
5. Right Answer: B
Explanation: Since they are regulatory requirements, a gap analysis would be the first step to determine the level of compliance already in place. Implementing a security committee or compensating controls would not be the first step. Demanding immediate compliance would not assess the situation.
Tags:
it certification certified it it exams isaca certification isaca cgeit isaca cisa isaca cism isaca cobit 5 isaca crisc isaca questions practice exams pratice quests risc maangement it management it questions isaca answers isaca practice isaca dumps isaca test test questions questins and answer explanation0 Comments
Categories
Recent posts
CA Foundation Business Economics Questions 2023 - Part 31
Fri, 03 Mar 2023
CA Foundation Business Economics Questions 2023 - Part 30
Fri, 03 Mar 2023
Leave a comment