
CISA—Certified Information Systems Auditor - Part 328

Mary Smith

Wed, 19 Nov 2025

1. A financial services organization is developing and documenting business continuity measures. In which of the following cases would an IS auditor MOST likely raise an issue?

A) The organization uses good practice guidelines instead of industry standards and relies on external advisors to ensure the adequacy of the methodology.
B) The business continuity capabilities are planned around a carefully selected set of scenarios which describe events that might happen with a reasonable probability.
C) The recovery time objectives (RTOs) do not take IT disaster recovery constraints into account, such as personnel or system dependencies during the recovery phase.
D) The organization plans to rent a shared alternate site with emergency workplaces which has only enough room for half of the normal staff.

2. A medium-sized organization, whose IT disaster recovery measures have been in place and regularly tested for years, has just developed a formal business continuity plan (BCP). A basic BCP tabletop exercise has been performed successfully. Which testing should an IS auditor recommend be performed NEXT to verify the adequacy of the new BCP?

A) Full-scale test with relocation of all departments, including IT, to the contingency site
B) Walk-through test of a series of predefined scenarios with all critical personnel involved
C) IT disaster recovery test with business departments involved in testing the critical applications
D) Functional test of a scenario with limited IT involvement

3. "Everything not explicitly permitted is forbidden" has which of the following kinds of tradeoff?

A) It improves security at a cost in functionality.
B) It improves functionality at a cost in security.
C) It improves security at a cost in system performance.
D) It improves performance at a cost in functionality.
E) None of the choices.

4. Default permit is only a good approach in an environment where:

A) security threats are non-existent or negligible.
B) security threats are non-negligible.
C) security threats are serious and severe.
D) users are trained.
E) None of the choices.

5. Talking about the different approaches to security in computing, the principle of regarding the computer system itself as largely an untrusted system emphasizes:

A) most privilege
B) full privilege
C) least privilege
D) null privilege
E) None of the choices.

1. Right Answer: B
Explanation: It is a common mistake to use scenario planning for business continuity. The problem is that it is impossible to plan and document actions for every possible scenario. Planning for just selected scenarios ignores the fact that even improbable events can cause an organization to break down. Best practice planning addresses the four possible areas of impact in a disaster: premises, people, systems, and suppliers and other dependencies. All scenarios can be reduced to these four categories and can be handled simultaneously; there are very few special scenarios which justify an additional separate analysis. It is a good idea to use best practices and external advice for such an important topic, especially since knowledge of the right level of preparedness and the judgment about the adequacy of the measures taken is not available in every organization. The recovery time objectives (RTOs) are based on the essential business processes required to ensure the organization's survival; therefore, it would be inappropriate for them to be based on IT capabilities. Best practice guidelines recommend having 20%-40% of normal capacity available at an emergency site; therefore, a value of 50% would not be a problem if there are no additional factors.

2. Right Answer: D
Explanation: After a tabletop exercise has been performed, the next step would be a functional test, which includes the mobilization of staff to exercise the administrative and organizational functions of a recovery. Since the IT part of the recovery has been tested for years, it would be more efficient to verify and optimize the business continuity plan (BCP) before actually involving IT in a full-scale test. The full-scale test would be the last step of the verification process before entering into a regular annual testing schedule. A full-scale test in the situation described might fail because it would be the first time that the plan is actually exercised, and a number of resources (including IT) and time would be wasted. The walk-through test is the most basic type of testing. Its intention is to make key staff familiar with the plan and discuss critical plan elements, rather than verifying its adequacy. The recovery of applications should always be verified and approved by the business instead of being purely IT-driven. A disaster recovery test would not help in verifying the administrative and organizational parts of the BCP which are not IT-related.

3. Right Answer: A
Explanation: "Everything not explicitly permitted is forbidden" (default deny) improves security at a cost in functionality. This is a good approach if you face many security threats. On the other hand, "Everything not explicitly forbidden is permitted" (default permit) allows greater functionality by sacrificing security. This is only a good approach in an environment where security threats are non-existent or negligible.

4. Right Answer: A
Explanation: "Everything not explicitly permitted is forbidden" (default deny) improves security at a cost in functionality. This is a good approach if you face many security threats. On the other hand, "Everything not explicitly forbidden is permitted" (default permit) allows greater functionality by sacrificing security. This is only a good approach in an environment where security threats are non-existent or negligible.

5. Right Answer: C
Explanation: There are two different approaches to security in computing. One focuses mainly on external threats and generally treats the computer system itself as a trusted system. The other regards the computer system itself as largely an untrusted system and redesigns it to make it more secure in a number of ways. This technique enforces the principle of least privilege to a great extent, where an entity has only the privileges that are needed for its function.
