CA Foundation Business Economics Questions 2023 - Part 32
Fri, 03 Mar 2023
1. The implementation of access controls FIRST requires:
A) a classification of IS resources.
B) the labeling of IS resources.
C) the creation of an access control list.
D) an inventory of IS resources.
2. Which of the following is an example of the defense in-depth security principle?
A) Using two firewalls of different vendors to consecutively check the incoming network traffic
B) Using a firewall as well as logical access controls on the hosts to control incoming network traffic
C) Having no physical signs on the outside of a computer center building
D) Using two firewalls in parallel to check different types of incoming traffic
3. Which of the following would be the BEST access control procedure?
A) The data owner formally authorizes access and an administrator implements the user authorization tables.
B) Authorized staff implements the user authorization tables and the data owner sanctions them.
C) The data owner and an IS manager jointly create and update the user authorization tables.
D) The data owner creates and updates the user authorization tables.
4. Which of the following would MOST effectively reduce social engineering incidents?
A) Security awareness training
B) increased physical security measures
C) E-mail monitoring policy
D) intrusion detection systems
5. An information security policy stating that 'the display of passwords must be masked or suppressed' addresses which of the following attack methods?
A) Piggybacking
B) Dumpster diving
C) Shoulder surfing
D) Impersonation
A) a classification of IS resources.
B) the labeling of IS resources.
C) the creation of an access control list.
D) an inventory of IS resources.
2. Which of the following is an example of the defense in-depth security principle?
A) Using two firewalls of different vendors to consecutively check the incoming network traffic
B) Using a firewall as well as logical access controls on the hosts to control incoming network traffic
C) Having no physical signs on the outside of a computer center building
D) Using two firewalls in parallel to check different types of incoming traffic
3. Which of the following would be the BEST access control procedure?
A) The data owner formally authorizes access and an administrator implements the user authorization tables.
B) Authorized staff implements the user authorization tables and the data owner sanctions them.
C) The data owner and an IS manager jointly create and update the user authorization tables.
D) The data owner creates and updates the user authorization tables.
4. Which of the following would MOST effectively reduce social engineering incidents?
A) Security awareness training
B) increased physical security measures
C) E-mail monitoring policy
D) intrusion detection systems
5. An information security policy stating that 'the display of passwords must be masked or suppressed' addresses which of the following attack methods?
A) Piggybacking
B) Dumpster diving
C) Shoulder surfing
D) Impersonation
1. Right Answer: D
Explanation:
2. Right Answer: B
Explanation: Defense in-depth means using different security mechanisms that back each other up. When network traffic passes the firewall unintentionally, the logical access controls form a second line of defense. Using two firewalls of different vendors to consecutively check the incoming network traffic is an example of diversity in defense. The firewalls are the same security mechanisms. By using two different products the probability of both products having the same vulnerabilities is diminished. Having no physical signs on the outside of a computer center building is a single security measure. Using two firewalls in parallel to check different types of incoming traffic is a single security mechanism and therefore no different than having a single firewall checking all traffic.
3. Right Answer: A
Explanation: The data owner holds the privilege and responsibility for formally establishing the access rights. An IS administrator should then implement or update user authorization tables. Choice B alters the desirable order. Choice C is not a formal procedure for authorizing access.
4. Right Answer: A
Explanation: Social engineering exploits human nature and weaknesses to obtain information and access privileges. By increasing employee awareness of security issues, it is possible to reduce the number of successful social engineering incidents. In most cases, social engineering incidents do not require the physical presence of the intruder. Therefore, increased physical security measures would not prevent the intrusion. An e-mail monitoring policy informs users that all e- mail in the organization is subject to monitoring; it does not protect the users from potential security incidents and intruders. Intrusion detection systems are used to detect irregular or abnormal traffic patterns.
5. Right Answer: C
Explanation: If a password is displayed on a monitor, any person nearby could look over the shoulder of the user to obtain the password. Piggybacking refers to unauthorized persons following, either physically or virtually, authorized persons into restricted areas. Masking the display of passwords would not prevent someone from tailgating an authorized person. This policy only refers to 'the display of passwords.' If the policy referred to 'the display and printing of passwords' then it would address shoulder surfing and dumpster diving (looking through an organization's trash for valuable information), impersonation refers to someone acting as an employee in an attempt to retrieve desired information.
Explanation:
2. Right Answer: B
Explanation: Defense in-depth means using different security mechanisms that back each other up. When network traffic passes the firewall unintentionally, the logical access controls form a second line of defense. Using two firewalls of different vendors to consecutively check the incoming network traffic is an example of diversity in defense. The firewalls are the same security mechanisms. By using two different products the probability of both products having the same vulnerabilities is diminished. Having no physical signs on the outside of a computer center building is a single security measure. Using two firewalls in parallel to check different types of incoming traffic is a single security mechanism and therefore no different than having a single firewall checking all traffic.
3. Right Answer: A
Explanation: The data owner holds the privilege and responsibility for formally establishing the access rights. An IS administrator should then implement or update user authorization tables. Choice B alters the desirable order. Choice C is not a formal procedure for authorizing access.
4. Right Answer: A
Explanation: Social engineering exploits human nature and weaknesses to obtain information and access privileges. By increasing employee awareness of security issues, it is possible to reduce the number of successful social engineering incidents. In most cases, social engineering incidents do not require the physical presence of the intruder. Therefore, increased physical security measures would not prevent the intrusion. An e-mail monitoring policy informs users that all e- mail in the organization is subject to monitoring; it does not protect the users from potential security incidents and intruders. Intrusion detection systems are used to detect irregular or abnormal traffic patterns.
5. Right Answer: C
Explanation: If a password is displayed on a monitor, any person nearby could look over the shoulder of the user to obtain the password. Piggybacking refers to unauthorized persons following, either physically or virtually, authorized persons into restricted areas. Masking the display of passwords would not prevent someone from tailgating an authorized person. This policy only refers to 'the display of passwords.' If the policy referred to 'the display and printing of passwords' then it would address shoulder surfing and dumpster diving (looking through an organization's trash for valuable information), impersonation refers to someone acting as an employee in an attempt to retrieve desired information.
0 Comments
Leave a comment
Categories
Recent posts
CA Foundation Business Economics Questions 2023 - Part 31
Fri, 03 Mar 2023
CA Foundation Business Economics Questions 2023 - Part 30
Fri, 03 Mar 2023
