1. When a significant security breach occurs, what should be reported FIRST to senior management?
A) A summary of the security logs that illustrates the sequence of events
B) An explanation of the incident and corrective action taken
C) An analysis of the impact of similar attacks at other organizations
D) A business case for implementing stronger logical access controls
2. The PRIMARY reason for initiating a policy exception process is when:
A) operations are too busy to comply.
B) the risk is justified by the benefit.
C) policy compliance would be difficult to enforce.
D) users may initially be inconvenienced.
3. Which of the following would be the MOST relevant factor when defining the information classification policy?
A) Quantity of information
B) Available IT infrastructure
C) Benchmarking
D) Requirements of data owners
4. To determine the selection of controls required to meet business objectives, an information security manager should:
A) prioritize the use of role-based access controls.
B) focus on key controls.
C) restrict controls to only critical applications.
D) focus on automated controls.
5. The MOST appropriate owner of customer data stored in a central database, used only by an organization's sales department, would be the:
A) sales department.
B) database administrator.
C) chief information officer (CIO).
D) head of the sales department.
1. Right Answer: B Explanation: When reporting an incident to senior management, the initial information to be communicated should include an explanation of what happened and how the breach was resolved. A summary of security logs would be too technical to report to senior management. An analysis of the impact of similar attacks and a business case for improving controls would be desirable; however, these would be communicated later in the process.
2. Right Answer: B Explanation: Exceptions to policy are warranted in circumstances where compliance may be difficult or impossible and the risk of noncompliance is outweighed by the benefits. Being busy is not a justification for policy exceptions, nor is the fact that compliance cannot be enforced. User inconvenience is not a reason to automatically grant an exception to a policy.
3. Right Answer: D Explanation: When defining the information classification policy, the requirements of the data owners need to be identified. The quantity of information, availability of IT infrastructure and benchmarking may be part of the scheme after the fact and would be less relevant.
4. Right Answer: B Explanation: Key controls primarily reduce risk and are most effective for the protection of information assets. The other choices could be examples of possible key controls.
5. Right Answer: D Explanation: The owner of the information asset should be the person with the decision-making power in the department deriving the most benefit from the asset. In this case, it would be the head of the sales department. The organizational unit cannot be the owner of the asset because that removes personal responsibility. The database administrator is a custodian. The chief information officer (CIO) would not be an owner of this database because the CIO is less likely to be knowledgeable about the specific needs of sales operations and security concerns.