
CISA—Certified Information Systems Auditor - Part 211

Mary Smith

Sat, 18 Apr 2026


1. The output of the risk management process is an input for making:

A) business plans.
B) audit charters.
C) security policy decisions.
D) software design decisions.



2. An IS auditor was hired to review e-business security. The IS auditor's first task was to examine each existing e-business application looking for vulnerabilities. What would be the next task?

A) Report the risks to the CIO and CEO immediately
B) Examine e-business application in development
C) Identify threats and likelihood of occurrence
D) Check the budget available for risk management



3. Which of the following is a mechanism for mitigating risks?

A) Security and control practices
B) Property and liability insurance
C) Audit and certification
D) Contracts and service level agreements (SLAs)



4. When developing a risk management program, what is the FIRST activity to be performed?

A) Threat assessment
B) Classification of data
C) Inventory of assets
D) Criticality analysis



5. A team conducting a risk analysis is having difficulty projecting the financial losses that could result from a risk. To evaluate the potential losses, the team should:

A) compute the amortization of the related assets.
B) calculate a return on investment (ROI).
C) apply a qualitative approach.
D) spend the time needed to define exactly the loss amount.



1. Right Answer: C
Explanation: The risk management process is about making specific, security-related decisions, such as the level of acceptable risk. Choices A, B and D are not ultimate goals of the risk management process.

2. Right Answer: C
Explanation: An IS auditor must identify the assets, look for vulnerabilities, and then identify the threats and the likelihood of occurrence. Choices A, B and D should be discussed with the CIO, and a report should be delivered to the CEO. The report should include the findings along with priorities and costs.

3. Right Answer: A
Explanation: Risks are mitigated by implementing appropriate security and control practices. Insurance is a mechanism for transferring risk. Audit and certification are mechanisms of risk assurance, while contracts and SLAs are mechanisms of risk allocation.

4. Right Answer: C
Explanation: Identification of the assets to be protected is the first step in the development of a risk management program. A listing of the threats that can affect the performance of these assets and criticality analysis are later steps in the process. Data classification is required for defining access controls and in criticality analysis.

5. Right Answer: C
Explanation: The common practice, when it is difficult to calculate the financial losses, is to take a qualitative approach, in which the manager affected by the risk defines the financial loss in terms of a weighted factor (e.g., one is a very low impact to the business and five is a very high impact). An ROI is computed when there are predictable savings or revenues that can be compared to the investment needed to realize the revenues. Amortization is used in a profit and loss statement, not in computing potential losses. Spending the time needed to define exactly the total amount is normally a wrong approach. If it has been difficult to estimate potential losses (e.g., losses derived from erosion of public image due to a hack attack), that situation is not likely to change, and at the end of the day, the result will be a poorly supported evaluation.
