1. Which would be one of the BEST metrics an information security manager can employ to effectively evaluate the results of a security program?
A) Number of controls implemented
B) Percent of control objectives accomplished
C) Percent of compliance with the security policy
D) Reduction in the number of reported security incidents
2. Which of the following types of information would the information security manager expect to have the LOWEST level of security protection in a large, multinational enterprise?
A) Strategic business plan
B) Upcoming financial results
C) Customer personal information
D) Previous financial results
3. The PRIMARY purpose of using risk analysis within a security program is to:
A) justify the security expenditure.
B) help businesses prioritize the assets to be protected.
C) inform executive management of residual risk value.
D) assess exposures and plan remediation.
4. Which of the following is the PRIMARY prerequisite to implementing data classification within an organization?
A) Defining job roles
B) Performing a risk assessment
C) Identifying data owners
D) Establishing data retention policies
5. An online banking institution is concerned that the breach of customer personal information will have a significant financial impact due to the need to notify and compensate customers whose personal information may have been compromised. The institution determines that residual risk will always be too high and decides to:
A) mitigate the impact by purchasing insurance.
B) implement a circuit-level firewall to protect the network.
C) increase the resiliency of security measures in place.
D) implement a real-time intrusion detection system.
1. Right Answer: B
Explanation: Control objectives are derived from business objectives, so the percentage of control objectives accomplished measures the security program against what the business actually needs, making it the best metric. The number of controls implemented measures activity, not results. Percentage of compliance with the security policy and reduction in the number of reported security incidents are useful indicators, but each covers only part of the program and is narrower than choice B.
2. Right Answer: D
Explanation: Previous financial results have already been published and are public information, so they require the lowest level of protection. The strategic business plan, upcoming (unreleased) financial results and customer personal information are all confidential and should be accessible only to authorized entities; in a multinational enterprise, customer personal information is additionally subject to privacy regulation.
3. Right Answer: D
Explanation: Risk analysis identifies exposures and determines the degree to which an asset needs protecting, so that remediation can be planned and the risk managed effectively. Justifying security expenditure and prioritizing the assets to be protected are indirect benefits of risk analysis, not its primary purpose. Informing executive management of the residual risk value is a reporting outcome of risk analysis rather than its purpose.
4. Right Answer: C
Explanation: Identifying the data owners is the first step and is essential to implementing data classification, because owners are the ones who assign classification levels to their data. Defining job roles is not relevant to classification. Performing a risk assessment is important, but it requires the participation of the data owners, who must therefore be identified first. Data retention policies are normally established after data have been classified, since retention requirements depend on the classification.
5. Right Answer: A
Explanation: The institution has concluded that residual risk will remain too high regardless of the controls in place, so the remaining practical treatment is to transfer the financial impact of a breach by purchasing insurance. A circuit-level firewall, more resilient security measures and a real-time intrusion detection system are all controls intended to reduce the likelihood of a breach; they do not address the notification and compensation costs that the institution has determined it cannot reduce to an acceptable level.