CA Foundation Business Economics Questions 2023 - Part 32
Fri, 03 Mar 2023
Inspirational journeys
Follow the stories of academics and their research expeditions
CISM—Certified Information Security Manager - Part 201
1. Which of the following is MOST critical for the successful implementation and maintenance of a security policy?
A) Assimilation of the framework and intent of a written security policy by all appropriate parties
B) Management support and approval for the implementation and maintenance of a security policy
C) Enforcement of security rules by providing punitive actions for any violation of security rules
D) Stringent implementation, monitoring and enforcing of rules by the security officer through access control software
2. Which of the following is a risk of cross-training?
A) Increases the dependence on one employee
B) Does not assist in succession planning
C) One employee may know all parts of a system
D) Does not help in achieving a continuity of operations
3. Which of the following reduces the potential impact of social engineering attacks?
A) Compliance with regulatory requirements
B) Promoting ethical understanding
C) Security awareness programs
D) Effective performance incentives
4. Which of the following activities performed by a database administrator (DBA) should be performed by a different person?
A) Deleting database activity logs
B) Implementing database optimization tools
C) Monitoring database usage
D) Defining backup and recovery procedures
5. When segregation of duties concerns exists between IT support staff and end users, what would be a suitable compensating control?
A) Restricting physical access to computing equipment
B) Reviewing transaction and application logs
C) Performing background checks prior to hiring IT staff
D) Locking user sessions after a specified period of inactivity
A) Assimilation of the framework and intent of a written security policy by all appropriate parties
B) Management support and approval for the implementation and maintenance of a security policy
C) Enforcement of security rules by providing punitive actions for any violation of security rules
D) Stringent implementation, monitoring and enforcing of rules by the security officer through access control software
2. Which of the following is a risk of cross-training?
A) Increases the dependence on one employee
B) Does not assist in succession planning
C) One employee may know all parts of a system
D) Does not help in achieving a continuity of operations
3. Which of the following reduces the potential impact of social engineering attacks?
A) Compliance with regulatory requirements
B) Promoting ethical understanding
C) Security awareness programs
D) Effective performance incentives
4. Which of the following activities performed by a database administrator (DBA) should be performed by a different person?
A) Deleting database activity logs
B) Implementing database optimization tools
C) Monitoring database usage
D) Defining backup and recovery procedures
5. When segregation of duties concerns exists between IT support staff and end users, what would be a suitable compensating control?
A) Restricting physical access to computing equipment
B) Reviewing transaction and application logs
C) Performing background checks prior to hiring IT staff
D) Locking user sessions after a specified period of inactivity
1. Right Answer: A
Explanation: Assimilation of the framework and intent of a written security policy by the users of the system is critical to the successful implementation and maintenance of the security policy. A good password system may exist, but if the users of the system keep passwords written on their desk, the password is of little value.Management support and commitment is no doubt important, but for successful implementation and maintenance of security policy, educating the users on the importance of security is paramount. The stringent implementation, monitoring and enforcing of rules by the security officer through access control software, and provision for punitive actions for violation of security rules, is also required, along with the user's education on the importance of security.
2. Right Answer: C
Explanation: When cross-training, it would be prudent to first assess the risk of any person knowing all parts of a system and what exposures this may cause. Cross-training has the advantage of decreasing dependence on one employee and, hence, can be part of succession planning. It also provides backup for personnel in the event of absence for any reason and thereby facilitates the continuity of operations.
3. Right Answer: C
Explanation: Because social engineering is based on deception of the user, the best countermeasure or defense is a security awareness program. The other choices are not user-focused.
4. Right Answer: A
Explanation: Since database activity logs record activities performed by the database administrator (DBA), deleting them should be performed by an individual other than theDBA. This is a compensating control to aid in ensuring an appropriate segregation of duties and is associated with the DBA's role. A DBA should perform the other activities as part of the normal operations.
5. Right Answer: B
Explanation: Only reviewing transaction and application logs directly addresses the threat posed by poor segregation of duties. The review is a means of detecting inappropriate behavior and also discourages abuse, because people who may otherwise be tempted to exploit the situation are aware of the likelihood of being caught. Inadequate segregation of duties is more likely to be exploited via logical access to data and computing resources rather than physical access. Choice C is a useful control to ensure IT staff are trustworthy and competent but does not directly address the lack of an optimal segregation of duties. Choice D acts to prevent unauthorized users from gaining system access, but the issue of a lack of segregation of duties is more the misuse (deliberately or inadvertently} of access privileges that have officially been granted.
Explanation: Assimilation of the framework and intent of a written security policy by the users of the system is critical to the successful implementation and maintenance of the security policy. A good password system may exist, but if the users of the system keep passwords written on their desk, the password is of little value.Management support and commitment is no doubt important, but for successful implementation and maintenance of security policy, educating the users on the importance of security is paramount. The stringent implementation, monitoring and enforcing of rules by the security officer through access control software, and provision for punitive actions for violation of security rules, is also required, along with the user's education on the importance of security.
2. Right Answer: C
Explanation: When cross-training, it would be prudent to first assess the risk of any person knowing all parts of a system and what exposures this may cause. Cross-training has the advantage of decreasing dependence on one employee and, hence, can be part of succession planning. It also provides backup for personnel in the event of absence for any reason and thereby facilitates the continuity of operations.
3. Right Answer: C
Explanation: Because social engineering is based on deception of the user, the best countermeasure or defense is a security awareness program. The other choices are not user-focused.
4. Right Answer: A
Explanation: Since database activity logs record activities performed by the database administrator (DBA), deleting them should be performed by an individual other than theDBA. This is a compensating control to aid in ensuring an appropriate segregation of duties and is associated with the DBA's role. A DBA should perform the other activities as part of the normal operations.
5. Right Answer: B
Explanation: Only reviewing transaction and application logs directly addresses the threat posed by poor segregation of duties. The review is a means of detecting inappropriate behavior and also discourages abuse, because people who may otherwise be tempted to exploit the situation are aware of the likelihood of being caught. Inadequate segregation of duties is more likely to be exploited via logical access to data and computing resources rather than physical access. Choice C is a useful control to ensure IT staff are trustworthy and competent but does not directly address the lack of an optimal segregation of duties. Choice D acts to prevent unauthorized users from gaining system access, but the issue of a lack of segregation of duties is more the misuse (deliberately or inadvertently} of access privileges that have officially been granted.
Tags:
it certification certified it it exams isaca certification isaca cgeit isaca cisa isaca cism isaca cobit 5 isaca crisc isaca questions practice exams pratice quests risc maangement it management it questions isaca answers isaca practice isaca dumps isaca test test questions questins and answer explanation0 Comments
Categories
Recent posts
CA Foundation Business Economics Questions 2023 - Part 31
Fri, 03 Mar 2023
CA Foundation Business Economics Questions 2023 - Part 30
Fri, 03 Mar 2023
Leave a comment