CISA—Certified Information Systems Auditor - Part 203

Mary Smith

Sat, 18 Apr 2026

1. An IS auditor finds that not all employees are aware of the enterprise's information security policy. The IS auditor should conclude that:

A) this lack of knowledge may lead to unintentional disclosure of sensitive information.
B) information security is not critical to all functions.
C) IS audit should provide security training to the employees.
D) the audit finding will cause management to provide continuous training to staff.



2. The development of an IS security policy is ultimately the responsibility of the:

A) IS department.
B) security committee.
C) security administrator.
D) board of directors.



3. Which of the following programs would a sound information security policy MOST likely include to handle suspected intrusions?

A) Response
B) Correction
C) Detection
D) Monitoring



4. Which of the following should be included in an organization's IS security policy?

A) A list of key IT resources to be secured
B) The basis for access authorization
C) Identity of sensitive security features
D) Relevant software security features



5. Which of the following is the initial step in creating a firewall policy?

A) A cost-benefit analysis of methods for securing the applications
B) Identification of network applications to be externally accessed
C) Identification of vulnerabilities associated with network applications to be externally accessed
D) Creation of an applications traffic matrix showing protection methods



1. Right Answer: A
Explanation: All employees should be aware of the enterprise's information security policy to prevent unintentional disclosure of sensitive information. Training is a preventive control. Security awareness programs for employees can prevent unintentional disclosure of sensitive information to outsiders.

2. Right Answer: D
Explanation: Normally, the designing of an information systems security policy is the responsibility of top management or the board of directors. The IS department is responsible for the execution of the policy, having no authority in framing the policy. The security committee also functions within the broad security policy framed by the board of directors. The security administrator is responsible for implementing, monitoring and enforcing the security rules that management has established and authorized.

3. Right Answer: A
Explanation: A sound IS security policy will most likely outline a response program to handle suspected intrusions. Correction, detection and monitoring programs are all aspects of information security, but will not likely be included in an IS security policy statement.

4. Right Answer: B
Explanation: The security policy provides the broad framework of security, as laid down and approved by senior management. It includes a definition of those authorized to grant access and the basis for granting that access. The other choices are more detailed than what should be included in a policy; they belong in the standards and procedures that implement it.

5. Right Answer: B
Explanation: The applications that are accessed across the network must be identified first. Depending on the physical location of these applications in the network and the network model, the person in charge can then understand the need for, and the possible methods of, controlling access to them. Having identified the applications, the next step is to identify the vulnerabilities (weaknesses) associated with them. Identifying methods to protect against the identified vulnerabilities, together with a comparative cost-benefit analysis of those methods, is the third step. The final step is to analyze the application traffic and create a matrix showing how each type of traffic will be protected.
