1. Which of the following would help to change an organization's security culture?
A) Develop procedures to enforce the information security policy B) Obtain strong management support C) Implement strict technical security controls D) Periodically audit compliance with the information security policy
2. The BEST way to justify the implementation of a single sign-on (SSO) product is to use:
A) return on investment (ROI). B) a vulnerability assessment. C) annual loss expectancy (ALE). D) a business case.
3. The FIRST step in establishing a security governance program is to:
A) conduct a risk assessment. B) conduct a workshop for all end users. C) prepare a security budget. D) obtain high-level sponsorship.
4. An IS manager has decided to implement a security system to monitor access to the Internet and prevent access to numerous sites. Immediately upon installation, employees flood the IT helpdesk with complaints of being unable to perform business functions on Internet sites. This is an example of:
A) conflicting security controls with organizational needs. B) strong protection of information resources. C) implementing appropriate controls to reduce risk. D) proving information security's protective abilities.
5. An organization's information security strategy should be based on:
A) managing risk relative to business objectives. B) managing risk to a zero level and minimizing insurance premiums. C) avoiding occurrence of risks so that insurance is not required. D) transferring most risks to insurers and saving on control costs.
1. Right Answer: B Explanation: Management support and pressure will help to change an organization's culture. Procedures will support an information security policy, but cannot change the culture of the organization. Technical controls will provide more security to an information system and staff; however, this does not mean the culture will be changed. Auditing will help to ensure the effectiveness of the information security policy; however, auditing is not effective in changing the culture of the company.
2. Right Answer: D Explanation: A business case shows both direct and indirect benefits, along with the investment required and the expected returns, thus making it useful to present to senior management. Return on investment (ROI) would only provide the costs needed to preclude specific risks, and would not provide other indirect benefits such as process improvement and learning. A vulnerability assessment is more technical in nature and would only identify and assess the vulnerabilities. This would also not provide insights on indirect benefits. Annual loss expectancy (ALE) would not weigh the advantages of implementing single sign-on (SSO) in comparison to the cost of implementation.
3. Right Answer: D Explanation: The establishment of a security governance program is possible only with the support and sponsorship of top management since security governance projects are enterprise wide and integrated into business processes. Conducting a risk assessment, conducting a workshop for all end users and preparing a security budget all follow once high-level sponsorship is obtained.
4. Right Answer: A Explanation: The needs of the organization were not taken into account, so there is a conflict. This example is not strong protection; it is poorly configured. Implementing appropriate controls to reduce risk is not an appropriate control as it is being used. This does not prove the ability to protect, but proves the ability to interfere with business.
5. Right Answer: A Explanation: Organizations must manage risks to a level that is acceptable for their business model, goals and objectives. A zero-level approach may be costly and not provide the effective benefit of additional revenue to the organization. Long-term maintenance of this approach may not be cost effective. Risks vary as business models, geography, and regulatory and operational processes change. Insurance covers only a small portion of risks and requires that the organization have certain operational controls in place.