1. Right Answer: C
Explanation: Creating individual accountability is the function of the general operating system. Creating database profiles, verifying user authorization at a field level and logging database access activities for monitoring access violations are all database-level access control functions.
2. Right Answer: A
Explanation: The use of application-level access control programs is a management control that restricts access by limiting users to only those functions needed to perform their duties. Data encryption and disabling floppy disk drives can restrict users to specific functions, but are not the best choices. A network monitoring device is a detective control, not a preventive control.
3. Right Answer: A
Explanation: Mandatory access controls are prohibitive; anything that is not expressly permitted is forbidden. Only within this context do discretionary controls operate, prohibiting still more access with the same exclusionary principle. When systems enforce mandatory access control policies, they must distinguish between these and the discretionary access policies that offer more flexibility. Discretionary controls do not override access controls, and they do not have to be permitted in the security policy to be effective.
4. Right Answer: A
Explanation: Kerberos is a network authentication protocol for client-server applications that can be used to restrict access to the database to authorized users. Choices B and C are incorrect because vitality detection and multimodal biometrics are controls against spoofing and mimicry attacks. Before-image/after-image logging of database transactions is a detective control, as opposed to Kerberos, which is a preventive control.
5. Right Answer: A
Explanation: Information has varying degrees of sensitivity and criticality in meeting business objectives. By assigning classes or levels of sensitivity and criticality to information resources, management can establish guidelines for the level of access controls that should be assigned. End user management and the security administrator will use these classifications in their risk assessment process to assign a given class to each asset.