CA Foundation Business Economics Questions 2023 - Part 32
Fri, 03 Mar 2023
Inspirational journeys
Follow the stories of academics and their research expeditions
CISM—Certified Information Security Manager - Part 13
1. When designing an information security quarterly report to management, the MOST important element to be considered should be the:
A) information security metrics.
B) knowledge required to analyze each issue.
C) linkage to business area objectives.
D) baseline against which metrics are evaluated.
2. An information security manager at a global organization has to ensure that the local information security program will initially ensure compliance with the:
A) corporate data privacy policy.
B) data privacy policy where data are collected.
C) data privacy policy of the headquarters' country.
D) data privacy directive applicable globally.
3. A new regulation for safeguarding information processed by a specific type of transaction has come to the attention of an information security officer. The officer should FIRST:
A) meet with stakeholders to decide how to comply.
B) analyze key risks in the compliance process.
C) assess whether existing controls meet the regulation.
D) update the existing security/privacy policy.
4. The PRIMARY objective of a security steering group is to:
A) ensure information security covers all business functions.
B) ensure information security aligns with business goals.
C) raise information security awareness across the organization.
D) implement all decisions on security management across the organization.
5. Data owners must provide a safe and secure environment to ensure confidentiality, integrity and availability of the transaction. This is an example of an information security:
A) baseline.
B) strategy.
C) procedure.
D) policy.
A) information security metrics.
B) knowledge required to analyze each issue.
C) linkage to business area objectives.
D) baseline against which metrics are evaluated.
2. An information security manager at a global organization has to ensure that the local information security program will initially ensure compliance with the:
A) corporate data privacy policy.
B) data privacy policy where data are collected.
C) data privacy policy of the headquarters' country.
D) data privacy directive applicable globally.
3. A new regulation for safeguarding information processed by a specific type of transaction has come to the attention of an information security officer. The officer should FIRST:
A) meet with stakeholders to decide how to comply.
B) analyze key risks in the compliance process.
C) assess whether existing controls meet the regulation.
D) update the existing security/privacy policy.
4. The PRIMARY objective of a security steering group is to:
A) ensure information security covers all business functions.
B) ensure information security aligns with business goals.
C) raise information security awareness across the organization.
D) implement all decisions on security management across the organization.
5. Data owners must provide a safe and secure environment to ensure confidentiality, integrity and availability of the transaction. This is an example of an information security:
A) baseline.
B) strategy.
C) procedure.
D) policy.
1. Right Answer: C
Explanation: The link to business objectives is the most important clement that would be considered by management. Information security metrics should be put in the context of impact to management objectives. Although important, the security knowledge required would not be the first element to be considered. Baselining against the information security metrics will be considered later in the process.
2. Right Answer: B
Explanation: As a subsidiary, the local entity will have to comply with the local law for data collected in the country. Senior management will be accountable for this legal compliance. The policy, being internal, cannot supersede the local law. Additionally, with local regulations differing from the country in which the organization is headquartered, it is improbable that a group wide policy will address all the local legal requirements. In case of data collected locally (and potentially transferred to a country with a different data privacy regulation), the local law applies, not the law applicable to the head office. The data privacy laws are country-specific.
3. Right Answer: C
Explanation: If the organization is in compliance through existing controls, the need to perform other work related to the regulation is not a priority. The other choices are appropriate and important; however, they are actions that are subsequent and will depend on whether there is an existing control gap.
4. Right Answer: B
Explanation: The security steering group comprises senior management of key business functions and has the primary objective to align the security strategy with the business direction. Option A is incorrect because all business areas may not be required to be covered by information security; but, if they do, the main purpose of the steering committee would be alignment more so than coverage. While raising awareness is important, this goal would not be carried out by the committee itself.The steering committee may delegate part of the decision making to the information security manager; however, if it retains this authority, it is not the primary' goal.
5. Right Answer: D
Explanation: A policy is a high-level statement of an organization's beliefs, goals, roles and objectives. Baselines assume a minimum security level throughout an organization.The information security strategy aligns the information security program with business objectives rather than making control statements. A procedure is a step-by- step process of how policy and standards will be implemented.
Explanation: The link to business objectives is the most important clement that would be considered by management. Information security metrics should be put in the context of impact to management objectives. Although important, the security knowledge required would not be the first element to be considered. Baselining against the information security metrics will be considered later in the process.
2. Right Answer: B
Explanation: As a subsidiary, the local entity will have to comply with the local law for data collected in the country. Senior management will be accountable for this legal compliance. The policy, being internal, cannot supersede the local law. Additionally, with local regulations differing from the country in which the organization is headquartered, it is improbable that a group wide policy will address all the local legal requirements. In case of data collected locally (and potentially transferred to a country with a different data privacy regulation), the local law applies, not the law applicable to the head office. The data privacy laws are country-specific.
3. Right Answer: C
Explanation: If the organization is in compliance through existing controls, the need to perform other work related to the regulation is not a priority. The other choices are appropriate and important; however, they are actions that are subsequent and will depend on whether there is an existing control gap.
4. Right Answer: B
Explanation: The security steering group comprises senior management of key business functions and has the primary objective to align the security strategy with the business direction. Option A is incorrect because all business areas may not be required to be covered by information security; but, if they do, the main purpose of the steering committee would be alignment more so than coverage. While raising awareness is important, this goal would not be carried out by the committee itself.The steering committee may delegate part of the decision making to the information security manager; however, if it retains this authority, it is not the primary' goal.
5. Right Answer: D
Explanation: A policy is a high-level statement of an organization's beliefs, goals, roles and objectives. Baselines assume a minimum security level throughout an organization.The information security strategy aligns the information security program with business objectives rather than making control statements. A procedure is a step-by- step process of how policy and standards will be implemented.
Tags:
it certification certified it it exams isaca certification isaca cgeit isaca cisa isaca cism isaca cobit 5 isaca crisc isaca questions practice exams pratice quests risc maangement it management it questions isaca answers isaca practice isaca dumps isaca test test questions questins and answer explanation0 Comments
Categories
Recent posts
CA Foundation Business Economics Questions 2023 - Part 31
Fri, 03 Mar 2023
CA Foundation Business Economics Questions 2023 - Part 30
Fri, 03 Mar 2023
Leave a comment