CISMβCertified Information Security Manager - Part 63
1. All risk management activities are PRIMARILY designed to reduce impacts to:
A) a level defined by the security manager.
B) an acceptable level based on organizational risk tolerance.
C) a minimum level consistent with regulatory requirements.
D) the minimum level possible.
2. After assessing and mitigating the risks of a web application, who should decide on the acceptance of residual application risks?
A) Information security officer
B) Chief information officer (CIO)
C) Business owner
D) Chief executive officer (CFO)
3. The purpose of a corrective control is to:
A) reduce adverse events.
B) indicate compromise.
C) mitigate impact.
D) ensure compliance.
4. Which of the following is the MOST important requirement for setting up an information security infrastructure for a new system?
A) Performing a business impact analysis (BIA)
B) Considering personal information devices as pan of the security policy
C) Initiating IT security training and familiarization
D) Basing the information security infrastructure on risk assessment
5. Previously accepted risk should be:
A) re-assessed periodically since the risk can be escalated to an unacceptable level due to revised conditions.
B) accepted permanently since management has already spent resources (time and labor) to conclude that the risk level is acceptable.
C) avoided next time since risk avoidance provides the best protection to the company.
D) removed from the risk log once it is accepted.
A) a level defined by the security manager.
B) an acceptable level based on organizational risk tolerance.
C) a minimum level consistent with regulatory requirements.
D) the minimum level possible.
2. After assessing and mitigating the risks of a web application, who should decide on the acceptance of residual application risks?
A) Information security officer
B) Chief information officer (CIO)
C) Business owner
D) Chief executive officer (CFO)
3. The purpose of a corrective control is to:
A) reduce adverse events.
B) indicate compromise.
C) mitigate impact.
D) ensure compliance.
4. Which of the following is the MOST important requirement for setting up an information security infrastructure for a new system?
A) Performing a business impact analysis (BIA)
B) Considering personal information devices as pan of the security policy
C) Initiating IT security training and familiarization
D) Basing the information security infrastructure on risk assessment
5. Previously accepted risk should be:
A) re-assessed periodically since the risk can be escalated to an unacceptable level due to revised conditions.
B) accepted permanently since management has already spent resources (time and labor) to conclude that the risk level is acceptable.
C) avoided next time since risk avoidance provides the best protection to the company.
D) removed from the risk log once it is accepted.
1. Right Answer: B
Explanation: The aim of risk management is to reduce impacts to an acceptable level. 'Acceptable' or 'reasonable' are relative terms that can vary based on environment and circumstances. A minimum level that is consistent with regulatory requirements may not be consistent with business objectives, and regulators typically do not assign risk levels. The minimum level possible may not be aligned with business requirements.
2. Right Answer: C
Explanation: The business owner of the application needs to understand and accept the residual application risks.
3. Right Answer: C
Explanation: Corrective controls serve to reduce or mitigate impacts, such as providing recovery capabilities. Preventive controls reduce adverse events, such as firewalls.Compromise can be detected by detective controls, such as intrusion detection systems (IDSs). Compliance could be ensured by preventive controls, such as access controls.
4. Right Answer: D
Explanation: The information security infrastructure should be based on risk. While considering personal information devices as part of the security policy may be a consideration, it is not the most important requirement. A BIA is typically carried out to prioritize business processes as part of a business continuity plan. InitiatingIT security training may not be important for the purpose of the information security infrastructure.
5. Right Answer: A
Explanation: Acceptance of risk should be regularly reviewed to ensure that the rationale for the initial risk acceptance is still valid within the current business context. The rationale for initial risk acceptance may no longer be valid due to change(s) and. hence, risk cannot be accepted permanently. Risk is an inherent part of business and it is impractical and costly to eliminate all risk. Even risks that have been accepted should be monitored for changing conditions that could alter the original decision.
Explanation: The aim of risk management is to reduce impacts to an acceptable level. 'Acceptable' or 'reasonable' are relative terms that can vary based on environment and circumstances. A minimum level that is consistent with regulatory requirements may not be consistent with business objectives, and regulators typically do not assign risk levels. The minimum level possible may not be aligned with business requirements.
2. Right Answer: C
Explanation: The business owner of the application needs to understand and accept the residual application risks.
3. Right Answer: C
Explanation: Corrective controls serve to reduce or mitigate impacts, such as providing recovery capabilities. Preventive controls reduce adverse events, such as firewalls.Compromise can be detected by detective controls, such as intrusion detection systems (IDSs). Compliance could be ensured by preventive controls, such as access controls.
4. Right Answer: D
Explanation: The information security infrastructure should be based on risk. While considering personal information devices as part of the security policy may be a consideration, it is not the most important requirement. A BIA is typically carried out to prioritize business processes as part of a business continuity plan. InitiatingIT security training may not be important for the purpose of the information security infrastructure.
5. Right Answer: A
Explanation: Acceptance of risk should be regularly reviewed to ensure that the rationale for the initial risk acceptance is still valid within the current business context. The rationale for initial risk acceptance may no longer be valid due to change(s) and. hence, risk cannot be accepted permanently. Risk is an inherent part of business and it is impractical and costly to eliminate all risk. Even risks that have been accepted should be monitored for changing conditions that could alter the original decision.
Comments
0
CA Foundation Business Economics Questions 2023 - Part 32
03 Mar 2023
CA Foundation Business Economics Questions 2023 - Part 31
03 Mar 2023
CA Foundation Business Economics Questions 2023 - Part 30
03 Mar 2023
CA Foundation Business Economics Questions 2023 - Part 29
03 Mar 2023
CA Foundation Business Economics Questions 2023 - Part 28
03 Mar 2023
