
CISM—Certified Information Security Manager - Part 200

Mary Smith

Thu, 15 May 2025


1. Which of the following is the initial step in creating a firewall policy?

A) A cost-benefit analysis of methods for securing the applications
B) Identification of network applications to be externally accessed
C) Identification of vulnerabilities associated with network applications to be externally accessed
D) Creation of an applications traffic matrix showing protection methods



2. Which of the following is the GREATEST risk of an inadequate policy definition for ownership of data and systems?

A) User management coordination does not exist.
B) Specific user accountability cannot be established.
C) Unauthorized users may have access to originate, modify or delete data.
D) Audit recommendations may not be implemented.



3. In an organization, the responsibilities for IT security are clearly assigned and enforced and an IT security risk and impact analysis is consistently performed. This represents which level of ranking in the information security governance maturity model?

A) Optimized
B) Managed
C) Defined
D) Repeatable



4. When developing a security architecture, which of the following steps should be executed FIRST?

A) Developing security procedures
B) Defining a security policy
C) Specifying an access control methodology
D) Defining roles and responsibilities



5. An organization provides information to its supply chain partners and customers through an extranet infrastructure. Which of the following should be the GREATEST concern to an IS auditor reviewing the firewall security architecture?

A) A Secure Sockets Layer (SSL) has been implemented for user authentication and remote administration of the firewall.
B) Firewall policies are updated on the basis of changing requirements.
C) Inbound traffic is blocked unless the traffic type and connections have been specifically permitted.
D) The firewall is placed on top of the commercial operating system with all installation options.



1. Right Answer: B
Explanation: The applications that must be reachable across the network should be identified first. Once they are known, and depending on where they sit in the network and on the network model, the person in charge can understand the need for, and the possible methods of, controlling access to them. Having identified the applications, the next step is to identify the vulnerabilities (weaknesses) associated with those network applications. Identifying methods to protect against the identified vulnerabilities and comparing their cost and benefit is the third step. The final step is to analyze the application traffic and create a matrix showing how each type of traffic will be protected.

2. Right Answer: C
Explanation: Without a policy defining who is responsible for granting access to specific systems, there is an increased risk that someone could gain (or be given) system access without proper authorization. Assigning the authority to grant access to specific, named individuals improves the chance that business objectives will be properly supported.

3. Right Answer: B
Explanation: Boards of directors and executive management can use the information security governance maturity model to establish rankings for security in their organizations. The ranks are nonexistent, initial, repeatable, defined, managed and optimized. When the responsibilities for IT security in an organization are clearly assigned and enforced and an IT security risk and impact analysis is consistently performed, it is said to be 'managed and measurable.'

4. Right Answer: B
Explanation: Defining a security policy for information and related technology is the first step toward building a security architecture. A security policy communicates a coherent security standard to users, management and technical staff. Security policies will often set the stage in terms of what tools and procedures are needed for an organization. The other choices should be executed only after defining a security policy.

5. Right Answer: D
Explanation: The greatest concern when implementing firewalls on top of commercial operating systems is the potential presence of vulnerabilities that could undermine the security posture of the firewall platform itself. In most circumstances, when commercial firewalls are breached, that breach is facilitated by vulnerabilities in the underlying operating system. Leaving all installation options on the system further increases the exposure to vulnerabilities and exploits. Using SSL for firewall administration (choice A) is important. Because the roles and profiles of users and supply chain partners change frequently, it is appropriate to maintain the firewall policies on an ongoing basis (choice B), and it is prudent to block all inbound traffic unless specifically permitted (choice C).
