CISM—Certified Information Security Manager - Part 50

Mary Smith

Wed, 15 Apr 2026

1. The security responsibility of data custodians in an organization will include:

A) assuming overall protection of information assets.
B) determining data classification levels.
C) implementing security controls in products they install.
D) ensuring security measures are consistent with policy.



2. A security risk assessment exercise should be repeated at regular intervals because:

A) business threats are constantly changing.
B) omissions in earlier assessments can be addressed.
C) repetitive assessments allow various methodologies.
D) they help raise awareness on security in the business.



3. Which of the following steps in conducting a risk assessment should be performed FIRST?

A) Identify business assets
B) Identify business risks
C) Assess vulnerabilities
D) Evaluate key controls



4. The systems administrator did not immediately notify the security officer about a malicious attack. An information security manager could prevent this situation by:

A) periodically testing the incident response plans.
B) regularly testing the intrusion detection system (IDS).
C) establishing mandatory training of all personnel.
D) periodically reviewing incident response procedures.



5. Which of the following risks is represented in the risk appetite of an organization?

A) Control
B) Inherent
C) Residual
D) Audit



1. Right Answer: D
Explanation: Security responsibilities of data custodians within an organization include ensuring that appropriate security measures are maintained and are consistent with organizational policy. Executive management holds overall responsibility for protection of the information assets. Data owners determine data classification levels for information assets so that appropriate levels of controls can be provided to meet the requirements relating to confidentiality, integrity and availability. Implementation of information security in products is the responsibility of the IT developers.

2. Right Answer: A
Explanation: As business objectives and methods change, the nature and relevance of threats change as well. Choice B does not, by itself, justify regular reassessment. Choice C is not necessarily true in all cases. Choice D is incorrect because there are better ways of raising security awareness than by performing a risk assessment.

3. Right Answer: A
Explanation: Risk assessment first requires one to identify the business assets that need to be protected before identifying the threats. The next step is to establish whether those threats represent business risk by identifying the likelihood and effect of occurrence, followed by assessing the vulnerabilities that may affect the security of the asset. This process establishes the control objectives against which key controls can be evaluated.

4. Right Answer: A
Explanation: Security incident response plans should be tested to find any deficiencies and improve existing processes. Testing the intrusion detection system (IDS) is a good practice but would not have prevented this situation. All personnel need to go through formal training to ensure that they understand the process, tools and methodology involved in handling security incidents. However, testing of the actual plans is more effective in ensuring the process works as intended. Reviewing the response procedures is not enough; the security response plan needs to be tested on a regular basis.

5. Right Answer: C
Explanation: Residual risk is the risk that remains after controls have been applied to the inherent risk. This is the risk the organization actually carries, so it is the quantity expressed by the risk appetite: the amount of residual risk the business is willing to live with without threatening its viability. Inherent risk is therefore incorrect, since it describes exposure before any controls are considered. Control risk, the potential for controls to fail, and audit risk, which relates only to audit's approach to its own work, are not relevant in this context.
