
CISM—Certified Information Security Manager - Part 21

Mary Smith

Mon, 17 Mar 2025


1. The MOST important characteristic of good security policies is that they:

A) state expectations of IT management.
B) state only one general security mandate.
C) are aligned with organizational goals.
D) govern the creation of procedures and guidelines.



2. An information security manager must understand the relationship between information security and business operations in order to:

A) support organizational objectives.
B) determine likely areas of noncompliance.
C) assess the possible impacts of compromise.
D) understand the threats to the business.



3. The MOST effective approach to address issues that arise between IT management, business units and security management when implementing a new security strategy is for the information security manager to:

A) escalate issues to an external third party for resolution.
B) ensure that senior management provides authority for security to address the issues.
C) insist that managers or units not in agreement with the security solution accept the risk.
D) refer the issues to senior management along with any security recommendations.



4. Obtaining senior management support for establishing a warm site can BEST be accomplished by:

A) establishing a periodic risk assessment.
B) promoting regulatory requirements.
C) developing a business case.
D) developing effective metrics.



5. Which of the following would be the BEST option to improve accountability for a system administrator who has security functions?

A) Include security responsibilities in the job description
B) Require the administrator to obtain security certification
C) Train the system administrator on penetration testing and vulnerability assessment
D) Train the system administrator on risk assessment



1. Right Answer: C
Explanation: The most important characteristic of good security policies is that they be aligned with organizational goals. Failure to align policies and goals significantly reduces the value provided by the policies. Stating expectations of IT management omits addressing overall organizational goals and objectives. Stating only one general security mandate is the next best option since policies should be clear; otherwise, policies may be confusing and difficult to understand. Governing the creation of procedures and guidelines is most relevant to information security standards.

2. Right Answer: A
Explanation: Security exists to provide a level of predictability for operations, support for the activities of the organization and to ensure preservation of the organization. Business operations must be the driver for security activities in order to set meaningful objectives, determine and manage the risks to those activities, and provide a basis to measure the effectiveness of and provide guidance to the security program. Regulatory compliance may or may not be an organizational requirement. If compliance is a requirement, some level of compliance must be supported, but compliance is only one aspect. It is necessary to understand the business goals in order to assess potential impacts and evaluate threats. These are some of the ways in which security supports organizational objectives, but they are not the only ways.

3. Right Answer: D
Explanation: Senior management is in the best position to arbitrate since they will look at the overall needs of the business in reaching a decision. The authority may be delegated to others by senior management after their review of the issues and security recommendations. Units should not be asked to accept the risk without first receiving input from senior management.

4. Right Answer: C
Explanation: Business case development, including a cost-benefit analysis, will be most persuasive to management. A risk assessment may be included in the business case, but by itself will not be as effective in gaining management support. Informing management of regulatory requirements may help gain support for initiatives, but given that more than half of all organizations are not in compliance with regulations, it is unlikely to be sufficient in many cases. Good metrics which provide assurance that initiatives are meeting organizational goals will also be useful, but are insufficient in gaining management support.

5. Right Answer: A
Explanation: The first step to improve accountability is to include security responsibilities in a job description. This documents what is expected and approved by the organization. The other choices are methods to ensure that the system administrator has the training to fulfill the responsibilities included in the job description.
