CISM—Certified Information Security Manager - Part 11

Mary Smith

Sat, 24 May 2025

1. Which of the following BEST describes an information security manager's role in a multidisciplinary team that will address a new regulatory requirement regarding operational risk?

A) Ensure that all IT risks are identified
B) Evaluate the impact of information security risks
C) Demonstrate that IT mitigating controls are in place
D) Suggest new IT controls to mitigate operational risk
2. From an information security manager's perspective, what is the immediate benefit of clearly defined roles and responsibilities?

A) Enhanced policy compliance
B) Improved procedure flows
C) Segregation of duties
D) Better accountability
3. An internal audit has identified major weaknesses over IT processing. Which of the following should an information security manager use to BEST convey a sense of urgency to management?

A) Security metrics reports
B) Risk assessment reports
C) Business impact analysis (BIA)
D) Return on security investment report
4. Reviewing which of the following would BEST ensure that security controls are effective?

A) Risk assessment policies
B) Return on security investment
C) Security metrics
D) User access rights
5. Which of the following is responsible for legal and regulatory liability?

A) Chief security officer (CSO)
B) Chief legal counsel (CLC)
C) Board and senior management
D) Information security steering group
1. Right Answer: B
Explanation: The job of the information security officer on such a team is to assess the risks to the business operation. Choice A is incorrect because information security is not limited to IT issues. Choice C is incorrect because at the time a team is formed to assess risk, it is premature to assume that any demonstration of IT controls will mitigate business operations risk. Choice D is incorrect because it is premature at the time of the formation of the team to assume that any suggestion of new IT controls will mitigate business operational risk.

2. Right Answer: D
Explanation: Without well-defined roles and responsibilities, there cannot be accountability. Choice A is incorrect because policy compliance requires adequately defined accountability first and therefore is a byproduct. Choice B is incorrect because people can be assigned to execute procedures that are not well designed. Choice C is incorrect because segregation of duties is not automatic, and roles may still include conflicting duties.

3. Right Answer: B
Explanation: Performing a risk assessment will allow the information security manager to prioritize the remedial measures and provide a means to convey a sense of urgency to management. Metrics reports are normally contained within the methodology of the risk assessment to give it credibility and provide an ongoing tool. The business impact analysis (BIA) covers continuity risks only. Return on security investment cannot be determined until a plan is developed based on the BIA.

4. Right Answer: C
Explanation: Reviewing security metrics provides senior management with a snapshot view and trends of an organization's security posture. Choice A is incorrect because reviewing risk assessment policies would not ensure that the controls are actually working. Choice B is incorrect because reviewing returns on security investments provides business justification for implementing controls, but does not measure the effectiveness of the control itself. Choice D is incorrect because reviewing user access rights is a joint responsibility of the data custodian and the data owner, and does not measure control effectiveness.

5. Right Answer: C
Explanation: The board of directors and senior management are ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.