CA Foundation Business Economics Questions 2023 - Part 32
Fri, 03 Mar 2023
1. A top-down approach to the development of operational policies will help ensure:
A) that they are consistent across the organization.
B) that they are implemented as a part of risk assessment.
C) compliance with all policies.
D) that they are reviewed periodically.
2. Which of the following would MOST likely indicate that a customer data warehouse should remain in-house rather than be outsourced to an offshore operation?
A) Time zone differences could impede communications between IT teams.
B) Telecommunications cost could be much higher in the first year.
C) Privacy laws could prevent cross-border flow of information.
D) Software development may require more detailed specifications.
3. A retail outlet has introduced radio frequency identification (RFID) tags to create unique serial numbers for all products. Which of the following is the PRIMARY concern associated with this initiative?
A) Issues of privacy
B) Wavelength can be absorbed by the human body
C) RFID tags may not be removable
D) RFID eliminates line-of-sight reading
4. When developing a security architecture, which of the following steps should be executed FIRST?
A) Developing security procedures
B) Defining a security policy
C) Specifying an access control methodology
D) Defining roles and responsibilities
5. An IS auditor finds that, in accordance with IS policy, IDs of terminated users are deactivated within 90 days of termination. The IS auditor should:
A) report that the control is operating effectively since deactivation happens within the time frame stated in the IS policy.
B) verify that user access rights have been granted on a need-to-have basis.
C) recommend changes to the IS policy to ensure deactivation of user IDs upon termination.
D) recommend that activity logs of terminated users be reviewed on a regular basis.
A) that they are consistent across the organization.
B) that they are implemented as a part of risk assessment.
C) compliance with all policies.
D) that they are reviewed periodically.
2. Which of the following would MOST likely indicate that a customer data warehouse should remain in-house rather than be outsourced to an offshore operation?
A) Time zone differences could impede communications between IT teams.
B) Telecommunications cost could be much higher in the first year.
C) Privacy laws could prevent cross-border flow of information.
D) Software development may require more detailed specifications.
3. A retail outlet has introduced radio frequency identification (RFID) tags to create unique serial numbers for all products. Which of the following is the PRIMARY concern associated with this initiative?
A) Issues of privacy
B) Wavelength can be absorbed by the human body
C) RFID tags may not be removable
D) RFID eliminates line-of-sight reading
4. When developing a security architecture, which of the following steps should be executed FIRST?
A) Developing security procedures
B) Defining a security policy
C) Specifying an access control methodology
D) Defining roles and responsibilities
5. An IS auditor finds that, in accordance with IS policy, IDs of terminated users are deactivated within 90 days of termination. The IS auditor should:
A) report that the control is operating effectively since deactivation happens within the time frame stated in the IS policy.
B) verify that user access rights have been granted on a need-to-have basis.
C) recommend changes to the IS policy to ensure deactivation of user IDs upon termination.
D) recommend that activity logs of terminated users be reviewed on a regular basis.
1. Right Answer: A
Explanation: Deriving lower level policies from corporate policies {a top-down approach) aids in ensuring consistency across the organization and consistency with other policies. The bottom-up approach to the development of operational policies is derived as a result of risk assessment. A top-down approach of itself does not ensure compliance and development does not ensure that policies are reviewed.
2. Right Answer: C
Explanation: Privacy laws prohibiting the cross-border flow of personally identifiable information would make it impossible to locate a data warehouse containing customer information in another country. Time zone differences and higher telecommunications costs are more manageable. Software development typically requires more detailed specifications when dealing with offshore operations.
3. Right Answer: A
Explanation: The purchaser of an item will not necessarily be aware of the presence of the tag. If a tagged item is paid for by credit card, it would be possible to tie the uniqueID of that item to the identity of the purchaser. Privacy violations are a significant concern because RFID can carry unique identifier numbers. If desired it would be possible for a firm to track individuals who purchase an item containing an RFID. Choices B and C are concerns of less importance. Choice D is not a concern.
4. Right Answer: B
Explanation: Defining a security policy for information and related technology is the first step toward building a security architecture. A security policy communicates a coherent security standard to users, management and technical staff. Security policies will often set the stage in terms of what tools and procedures are needed for an organization. The other choices should be executed only after defining a security policy.
5. Right Answer: C
Explanation: Although a policy provides a reference for performing IS audit assignments, an IS auditor needs to review the adequacy and the appropriateness of the policy. If, in the opinion of the auditor, the time frame defined for deactivation is inappropriate, the auditor needs to communicate this to management and recommend changes to the policy. Though the deactivation happens as stated in the policy, it cannot be concluded that the control is effective. Best practice would require that the ID of a terminated user be deactivated immediately. Verifying that user access rights have been granted on a need-to-have basis is necessary when permissions are granted.Recommending that activity logs of terminated users be reviewed on a regular basis is a good practice, but not as effective as deactivation upon termination.
Explanation: Deriving lower level policies from corporate policies {a top-down approach) aids in ensuring consistency across the organization and consistency with other policies. The bottom-up approach to the development of operational policies is derived as a result of risk assessment. A top-down approach of itself does not ensure compliance and development does not ensure that policies are reviewed.
2. Right Answer: C
Explanation: Privacy laws prohibiting the cross-border flow of personally identifiable information would make it impossible to locate a data warehouse containing customer information in another country. Time zone differences and higher telecommunications costs are more manageable. Software development typically requires more detailed specifications when dealing with offshore operations.
3. Right Answer: A
Explanation: The purchaser of an item will not necessarily be aware of the presence of the tag. If a tagged item is paid for by credit card, it would be possible to tie the uniqueID of that item to the identity of the purchaser. Privacy violations are a significant concern because RFID can carry unique identifier numbers. If desired it would be possible for a firm to track individuals who purchase an item containing an RFID. Choices B and C are concerns of less importance. Choice D is not a concern.
4. Right Answer: B
Explanation: Defining a security policy for information and related technology is the first step toward building a security architecture. A security policy communicates a coherent security standard to users, management and technical staff. Security policies will often set the stage in terms of what tools and procedures are needed for an organization. The other choices should be executed only after defining a security policy.
5. Right Answer: C
Explanation: Although a policy provides a reference for performing IS audit assignments, an IS auditor needs to review the adequacy and the appropriateness of the policy. If, in the opinion of the auditor, the time frame defined for deactivation is inappropriate, the auditor needs to communicate this to management and recommend changes to the policy. Though the deactivation happens as stated in the policy, it cannot be concluded that the control is effective. Best practice would require that the ID of a terminated user be deactivated immediately. Verifying that user access rights have been granted on a need-to-have basis is necessary when permissions are granted.Recommending that activity logs of terminated users be reviewed on a regular basis is a good practice, but not as effective as deactivation upon termination.
0 Comments
Leave a comment
Categories
Recent posts
CA Foundation Business Economics Questions 2023 - Part 31
Fri, 03 Mar 2023
CA Foundation Business Economics Questions 2023 - Part 30
Fri, 03 Mar 2023
