
CISM—Certified Information Security Manager - Part 60

Mary Smith

Wed, 15 Apr 2026


1. Which of the following techniques MOST clearly indicates whether specific risk-reduction controls should be implemented?

A) Countermeasure cost-benefit analysis
B) Penetration testing
C) Frequent risk assessment programs
D) Annual loss expectancy (ALE) calculation



2. An organization has decided to implement additional security controls to treat the risks of a new process. This is an example of:

A) eliminating the risk.
B) transferring the risk.
C) mitigating the risk.
D) accepting the risk.



3. Which of the following roles is PRIMARILY responsible for determining the information classification levels for a given information asset?

A) Manager
B) Custodian
C) User
D) Owner



4. The PRIMARY reason for assigning classes of sensitivity and criticality to information resources is to provide a basis for:

A) determining the scope for inclusion in an information security program.
B) defining the level of access controls.
C) justifying costs for information resources.
D) determining the overall budget of an information security program.



5. An organization is already certified to an international security standard. Which mechanism would BEST help to further align the organization with other data security regulatory requirements as per new business needs?

A) Key performance indicators (KPIs)
B) Business impact analysis (BIA)
C) Gap analysis
D) Technical vulnerability assessment



1. Right Answer: A
Explanation: In a countermeasure cost-benefit analysis, the annualized cost of a safeguard is compared with the reduction in expected annual loss it produces. This comparison is what justifies (or rejects) a specific control. Penetration testing may show the extent of a weakness but, by itself, does not establish the cost/benefit of a control. Frequent risk assessment programs will certainly establish what risk exists but will not determine the maximum that should be spent on controls. Annual loss expectancy (ALE) is an input to the value of the risk but, alone, will not justify a control.
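The comparison described above, worked through in code as an added example (this is not part of the original page or the CISM material). It uses the standard formulas ALE = SLE x ARO and control value = ALE(before) - ALE(after) - annual cost of the control; the scenario figures (single loss expectancy, rates of occurrence, control costs and names) are constructed assumptions. It also shows why option D alone is not enough: picking the control with the lowest residual ALE selects the hardware tokens, while the cost-benefit analysis rejects them because they cost more than the loss they avoid.

```python
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float   # annualized cost: acquisition spread over its life plus yearly operation
    aro_after: float     # residual annualized rate of occurrence expected once the control is in place


@dataclass(frozen=True)
class Assessment:
    name: str
    ale_after: float
    net_benefit: float
    justified: bool


def ale(sle: float, aro: float) -> float:
    """Annual loss expectancy: single loss expectancy x annualized rate of occurrence."""
    return round(sle * aro, 2)


def assess(sle: float, aro_before: float, control: Control) -> Assessment:
    """Countermeasure cost-benefit analysis for one control.

    value = ALE(before) - ALE(after) - annual cost of the control
    The control is justified only when that value is positive, i.e. the loss it
    avoids each year exceeds what it costs each year.
    """
    before = ale(sle, aro_before)
    after = ale(sle, control.aro_after)
    value = round(before - after - control.annual_cost, 2)
    return Assessment(control.name, after, value, value > 0)


def rank_controls(sle: float, aro_before: float, controls: Iterable[Control]) -> List[Assessment]:
    """Assess every candidate control and order them by net benefit, highest first."""
    return sorted((assess(sle, aro_before, c) for c in controls),
                  key=lambda a: a.net_benefit, reverse=True)


def lowest_residual_ale(sle: float, controls: Iterable[Control]) -> str:
    """What an ALE-only comparison (answer D) would pick: the control leaving the least residual loss,
    regardless of what it costs."""
    return min(controls, key=lambda c: ale(sle, c.aro_after)).name


# Constructed figures for a credential-phishing / account-takeover scenario (assumptions, not from the page).
SLE = 250_000.0        # estimated cost of one successful incident
ARO_BEFORE = 0.2       # one incident expected every five years without further controls
CONTROLS = [
    Control("Quarterly awareness training", annual_cost=4_000.0, aro_after=0.15),
    Control("MFA rollout", annual_cost=12_000.0, aro_after=0.02),
    Control("Hardware tokens for all staff", annual_cost=60_000.0, aro_after=0.01),
]


if __name__ == "__main__":
    print(f"ALE before additional controls: {ale(SLE, ARO_BEFORE):>12,.2f}")
    for a in rank_controls(SLE, ARO_BEFORE, CONTROLS):
        verdict = "implement" if a.justified else "reject"
        print(f"{a.name:32} ALE after {a.ale_after:>10,.2f}  net benefit {a.net_benefit:>10,.2f}  {verdict}")
    print(f"ALE-only choice (ignores cost): {lowest_residual_ale(SLE, CONTROLS)}")
```

The residual ARO figures are the weakest input here: in practice they come from vendor data, incident history or expert judgement, so a practitioner should rerun the ranking across a range of plausible values before treating the ordering as a decision.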

2. Right Answer: C
Explanation: Risk can never be eliminated entirely. Transferring the risk means shifting it to another party, for example by buying insurance so that the insurer bears the loss. Implementing additional controls is an example of mitigating risk. Doing nothing to reduce the risk is an example of accepting it.

3. Right Answer: D
Explanation: Although the information owner may hold a management position and is also a user of the information, the owner role carries the responsibility for determining information classification levels. Management is responsible for higher-level issues such as providing and approving budget and supporting security activities. The information custodian is responsible for day-to-day security tasks such as protecting and backing up the information. Users work with the data under the rules the owner sets but do not classify it; the owner classifies the data.

4. Right Answer: B
Explanation: The assigned class of sensitivity and criticality of the information resource determines the level of access controls to be put in place. The assignment of sensitivity and criticality takes place with the information assets that have already been included in the information security program and has only an indirect bearing on the costs to be incurred. The assignment of sensitivity and criticality contributes to, but does not decide, the overall budget of the information security program.

5. Right Answer: C
Explanation: Gap analysis would identify the actual gaps between the desired state (the new regulatory requirements) and the current implementation of information security management. Key performance indicators measure how well existing processes perform but do not reveal which requirements are missing. BIA is primarily used for business continuity planning. Technical vulnerability assessment is used for detailed assessment of technical controls, which would come later in the process and would not provide complete information with which to identify gaps.
