1. A risk assessment study carried out by an organization noted that there is no segmentation of the local area network (LAN). Network segmentation would reduce the potential impact of which of the following?
A) Denial of service (DoS) attacks
B) Traffic sniffing
C) Virus infections
D) IP address spoofing

2. The PRIMARY objective of an Internet usage policy is to prevent:
A) access to inappropriate sites.
B) downloading malicious code.
C) violation of copyright laws.
D) disruption of Internet access.

3. An internal review of a web-based application system finds the ability to gain access to all employees' accounts by changing the employee's ID on the URL used for accessing the account. The vulnerability identified is:
A) broken authentication.
B) unvalidated input.
C) cross-site scripting.
D) structured query language (SQL) injection.

4. A test plan to validate the security controls of a new system should be developed during which phase of the project?
A) Testing
B) Initiation
C) Design
D) Development

5. The MOST effective way to ensure that outsourced service providers comply with the organization's information security policy would be:
A) service level monitoring.
B) penetration testing.
C) periodically auditing.
D) security awareness training.
1. Right Answer: B Explanation: Network segmentation reduces the impact of traffic sniffing by limiting the amount of traffic that may be visible on any one network segment. Network segmentation would not mitigate the risk posed by denial of service (DoS) attacks, virus infections or IP address spoofing since each of these would be able to traverse network segments.
2. Right Answer: D Explanation: Unavailability of Internet access would cause a business disruption. The other three objectives are secondary.
3. Right Answer: A Explanation: The authentication process is broken because, although the session is valid, the application should reauthenticate when the input parameters are changed. The review supplied valid employee IDs, and that valid input was processed; the problem is the lack of reauthentication when the input parameters are changed. Cross-site scripting is not the problem in this case, since the attack is not transferred to any other user's browser to obtain the output. Structured query language (SQL) injection is not the problem, since the input is a valid employee ID and no SQL queries are injected to produce the output.
4. Right Answer: C Explanation: In the design phase, security checkpoints are defined and a test plan is developed. The testing phase is too late since the system has already been developed and is in production testing. In the initiation phase, the basic security objective of the project is acknowledged. Development is the coding phase and is too late to consider test plans.
5. Right Answer: C Explanation: Regular audit exercises can spot gaps in information security compliance. Service level monitoring can only pinpoint operational issues in the organization's operational environment. Penetration testing can identify security vulnerabilities but cannot ensure information security compliance. Training can increase users' awareness of the information security policy, but it is not more effective than auditing.