CA Foundation Business Economics Questions 2023 - Part 32
Fri, 03 Mar 2023
Inspirational journeys
Follow the stories of academics and their research expeditions
CISM—Certified Information Security Manager - Part 59
1. In assessing the degree to which an organization may be affected by new privacy legislation, information security management should FIRST:
A) develop an operational plan for achieving compliance with the legislation.
B) identify systems and processes that contain privacy components.
C) restrict the collection of personal information until compliant.
D) identify privacy legislation in other countries that may contain similar requirements.
2. Risk assessment is MOST effective when performed:
A) at the beginning of security program development.
B) on a continuous basis.
C) while developing the business case for the security program.
D) during the business change process.
3. Which of the following is the MAIN reason for performing risk assessment on a continuous basis'?
A) Justification of the security budget must be continually made.
B) New vulnerabilities are discovered every day.
C) The risk environment is constantly changing.
D) Management needs to be continually informed about emerging risks.
4. There is a time lag between the time when a security vulnerability is first published, and the time when a patch is delivered. Which of the following should be carried out FIRST to mitigate the risk during this time period?
A) Identify the vulnerable systems and apply compensating controls
B) Minimize the use of vulnerable systems
C) Communicate the vulnerability to system users
D) Update the signatures database of the intrusion detection system (IDS)
5. Which of the following security activities should be implemented in the change management process to identify key vulnerabilities introduced by changes?
A) Business impact analysis (BIA)
B) Penetration testing
C) Audit and review
D) Threat analysis
A) develop an operational plan for achieving compliance with the legislation.
B) identify systems and processes that contain privacy components.
C) restrict the collection of personal information until compliant.
D) identify privacy legislation in other countries that may contain similar requirements.
2. Risk assessment is MOST effective when performed:
A) at the beginning of security program development.
B) on a continuous basis.
C) while developing the business case for the security program.
D) during the business change process.
3. Which of the following is the MAIN reason for performing risk assessment on a continuous basis'?
A) Justification of the security budget must be continually made.
B) New vulnerabilities are discovered every day.
C) The risk environment is constantly changing.
D) Management needs to be continually informed about emerging risks.
4. There is a time lag between the time when a security vulnerability is first published, and the time when a patch is delivered. Which of the following should be carried out FIRST to mitigate the risk during this time period?
A) Identify the vulnerable systems and apply compensating controls
B) Minimize the use of vulnerable systems
C) Communicate the vulnerability to system users
D) Update the signatures database of the intrusion detection system (IDS)
5. Which of the following security activities should be implemented in the change management process to identify key vulnerabilities introduced by changes?
A) Business impact analysis (BIA)
B) Penetration testing
C) Audit and review
D) Threat analysis
1. Right Answer: B
Explanation: Identifying the relevant systems and processes is the best first step. Developing an operational plan for achieving compliance with the legislation is incorrect because it is not the first step. Restricting the collection of personal information comes later. Identifying privacy legislation in other countries would not add much value.
2. Right Answer: B
Explanation: Risk assessment needs to be performed on a continuous basis because of organizational and technical changes. Risk assessment must take into account all significant changes in order to be effective.
3. Right Answer: C
Explanation: The risk environment is impacted by factors such as changes in technology, and business strategy. These changes introduce new threats and vulnerabilities to the organization. As a result, risk assessment should be performed continuously. Justification of a budget should never be the main reason for performing a risk assessment. New vulnerabilities should be managed through a patch management process. Informing management about emerging risks is important, but is not the main driver for determining when a risk assessment should be performed.
4. Right Answer: A
Explanation: The best protection is to identify the vulnerable systems and apply compensating controls until a patch is installed. Minimizing the use of vulnerable systems and communicating the vulnerability to system users could be compensating controls but would not be the first course of action. Choice D does not make clear the timing of when the intrusion detection system (IDS) signature list would be updated to accommodate the vulnerabilities that are not yet publicly known. Therefore, this approach should not always be considered as the first option.
5. Right Answer: B
Explanation: Penetration testing focuses on identifying vulnerabilities. None of the other choices would identify vulnerabilities introduced by changes.
Explanation: Identifying the relevant systems and processes is the best first step. Developing an operational plan for achieving compliance with the legislation is incorrect because it is not the first step. Restricting the collection of personal information comes later. Identifying privacy legislation in other countries would not add much value.
2. Right Answer: B
Explanation: Risk assessment needs to be performed on a continuous basis because of organizational and technical changes. Risk assessment must take into account all significant changes in order to be effective.
3. Right Answer: C
Explanation: The risk environment is impacted by factors such as changes in technology, and business strategy. These changes introduce new threats and vulnerabilities to the organization. As a result, risk assessment should be performed continuously. Justification of a budget should never be the main reason for performing a risk assessment. New vulnerabilities should be managed through a patch management process. Informing management about emerging risks is important, but is not the main driver for determining when a risk assessment should be performed.
4. Right Answer: A
Explanation: The best protection is to identify the vulnerable systems and apply compensating controls until a patch is installed. Minimizing the use of vulnerable systems and communicating the vulnerability to system users could be compensating controls but would not be the first course of action. Choice D does not make clear the timing of when the intrusion detection system (IDS) signature list would be updated to accommodate the vulnerabilities that are not yet publicly known. Therefore, this approach should not always be considered as the first option.
5. Right Answer: B
Explanation: Penetration testing focuses on identifying vulnerabilities. None of the other choices would identify vulnerabilities introduced by changes.
Tags:
it certification certified it it exams isaca certification isaca cgeit isaca cisa isaca cism isaca cobit 5 isaca crisc isaca questions practice exams pratice quests risc maangement it management it questions isaca answers isaca practice isaca dumps isaca test test questions questins and answer explanation0 Comments
Categories
Recent posts
CA Foundation Business Economics Questions 2023 - Part 31
Fri, 03 Mar 2023
CA Foundation Business Economics Questions 2023 - Part 30
Fri, 03 Mar 2023
Leave a comment