CA Foundation Business Economics Questions 2023 - Part 32
Fri, 03 Mar 2023
1. Which of the following documents would be the BEST reference to determine whether access control mechanisms are appropriate for a critical application?
A) User security procedures
B) Business process flow
C) IT security policy
D) Regulatory requirements
2. Which of the following is the MOST important process that an information security manager needs to negotiate with an outsource service provider?
A) The right to conduct independent security reviews
B) A legally binding data protection agreement
C) Encryption between the organization and the provider
D) A joint risk assessment of the system
3. Which resource is the MOST effective in preventing physical access tailgating/piggybacking?
A) Card key door locks
B) Photo identification
C) Awareness training
D) Biometric scanners
4. In business critical applications, where shared access to elevated privileges by a small group is necessary, the BEST approach to implement adequate segregation of duties is to:
A) ensure access to individual functions can be granted to individual users only.
B) implement role-based access control in the application.
C) enforce manual procedures ensuring separation of conflicting duties.
D) create service accounts that can only be used by authorized team members.
5. In business-critical applications, user access should be approved by the:
A) information security manager.
B) data owner.
C) data custodian.
D) business management.
A) User security procedures
B) Business process flow
C) IT security policy
D) Regulatory requirements
2. Which of the following is the MOST important process that an information security manager needs to negotiate with an outsource service provider?
A) The right to conduct independent security reviews
B) A legally binding data protection agreement
C) Encryption between the organization and the provider
D) A joint risk assessment of the system
3. Which resource is the MOST effective in preventing physical access tailgating/piggybacking?
A) Card key door locks
B) Photo identification
C) Awareness training
D) Biometric scanners
4. In business critical applications, where shared access to elevated privileges by a small group is necessary, the BEST approach to implement adequate segregation of duties is to:
A) ensure access to individual functions can be granted to individual users only.
B) implement role-based access control in the application.
C) enforce manual procedures ensuring separation of conflicting duties.
D) create service accounts that can only be used by authorized team members.
5. In business-critical applications, user access should be approved by the:
A) information security manager.
B) data owner.
C) data custodian.
D) business management.
1. Right Answer: C
Explanation: IT management should ensure that mechanisms are implemented in line with IT security policy. Procedures are determined by the policy. A user security procedure does not describe the access control mechanism in place. The business process flow is not relevant to the access control mechanism. The organization's own policy and procedures should take into account regulatory requirements.
2. Right Answer: A
Explanation: A key requirement of an outsource contract involving critical business systems is the establishment of the organization's right to conduct independent security reviews of the provider's security controls. A legally binding data protection agreement is also critical, but secondary to choice A, which permits examination of the actual security controls prevailing over the system and. as such, is the more effective risk management tool. Network encryption of the link between the organization and the provider may well be a requirement, but is not as critical since it would also be included in choice A. A joint risk assessment of the system in conjunction with the outsource provider may be a compromise solution, should the right to conduct independent security reviews of the controls related to the system prove contractually difficult.
3. Right Answer: C
Explanation: Awareness training would most likely result in any attempted tailgating being challenged by the authorized employee. Choices A, B and D are physical controls that, by themselves, would not be effective against tailgating.
4. Right Answer: B
Explanation: Role-based access control is the best way to implement appropriate segregation of duties. Roles will have to be defined once and then the user could be changed from one role to another without redefining the content of the role each time. Access to individual functions will not ensure appropriate segregation of duties.Giving a user access to all functions and implementing, in parallel, a manual procedure ensuring segregation of duties is not an effective method, and would be difficult to enforce and monitor. Creating service accounts that can be used by authorized team members would not provide any help unless their roles are properly segregated.
5. Right Answer: B
Explanation: A data owner is in the best position to validate access rights to users due to their deep understanding of business requirements and of functional implementation within the application. This responsibility should be enforced by the policy. An information security manager will coordinate and execute the implementation of the role-based access control. A data custodian will ensure that proper safeguards are in place to protect the data from unauthorized access; it is not the data custodian's responsibility to assign access rights. Business management is not. in all cases, the owner of the data.
Explanation: IT management should ensure that mechanisms are implemented in line with IT security policy. Procedures are determined by the policy. A user security procedure does not describe the access control mechanism in place. The business process flow is not relevant to the access control mechanism. The organization's own policy and procedures should take into account regulatory requirements.
2. Right Answer: A
Explanation: A key requirement of an outsource contract involving critical business systems is the establishment of the organization's right to conduct independent security reviews of the provider's security controls. A legally binding data protection agreement is also critical, but secondary to choice A, which permits examination of the actual security controls prevailing over the system and. as such, is the more effective risk management tool. Network encryption of the link between the organization and the provider may well be a requirement, but is not as critical since it would also be included in choice A. A joint risk assessment of the system in conjunction with the outsource provider may be a compromise solution, should the right to conduct independent security reviews of the controls related to the system prove contractually difficult.
3. Right Answer: C
Explanation: Awareness training would most likely result in any attempted tailgating being challenged by the authorized employee. Choices A, B and D are physical controls that, by themselves, would not be effective against tailgating.
4. Right Answer: B
Explanation: Role-based access control is the best way to implement appropriate segregation of duties. Roles will have to be defined once and then the user could be changed from one role to another without redefining the content of the role each time. Access to individual functions will not ensure appropriate segregation of duties.Giving a user access to all functions and implementing, in parallel, a manual procedure ensuring segregation of duties is not an effective method, and would be difficult to enforce and monitor. Creating service accounts that can be used by authorized team members would not provide any help unless their roles are properly segregated.
5. Right Answer: B
Explanation: A data owner is in the best position to validate access rights to users due to their deep understanding of business requirements and of functional implementation within the application. This responsibility should be enforced by the policy. An information security manager will coordinate and execute the implementation of the role-based access control. A data custodian will ensure that proper safeguards are in place to protect the data from unauthorized access; it is not the data custodian's responsibility to assign access rights. Business management is not. in all cases, the owner of the data.
0 Comments
Leave a comment
Categories
Recent posts
CA Foundation Business Economics Questions 2023 - Part 31
Fri, 03 Mar 2023
CA Foundation Business Economics Questions 2023 - Part 30
Fri, 03 Mar 2023
