
CISM—Certified Information Security Manager - Part 98

Mary Smith

Tue, 21 Apr 2026


1. Which of the following is the BEST method to securely transfer a message?

A) Password-protected removable media
B) Facsimile transmission in a secured room
C) Using public key infrastructure (PKI) encryption
D) Steganography



2. Which of the following would be the FIRST step in establishing an information security program?

A) Develop the security policy.
B) Develop security operating procedures.
C) Develop the security plan.
D) Conduct a security controls study.



3. An organization has adopted a practice of regular staff rotation to minimize the risk of fraud and encourage cross training. Which type of authorization policy would BEST address this practice?

A) Multilevel
B) Role-based
C) Discretionary
D) Attribute-based



4. Which of the following is the MOST important reason for an information security review of contracts? To help ensure that:

A) the parties to the agreement can perform.
B) confidential data are not included in the agreement.
C) appropriate controls are included.
D) the right to audit is a requirement.



5. For virtual private network (VPN) access to the corporate network, the information security manager is requiring strong authentication. Which of the following is the strongest method to ensure that logging onto the network is secure?

A) Biometrics
B) Symmetric encryption keys
C) Secure Sockets Layer (SSL)-based authentication
D) Two-factor authentication



1. Right Answer: C
Explanation: Using public key infrastructure (PKI) is currently accepted as the most secure method to transmit e-mail messages. PKI assures confidentiality, integrity and nonrepudiation. The other choices are not methods that are as secure as PKI. Steganography involves hiding a message in an image.

2. Right Answer: C
Explanation: A security plan must be developed to implement the security strategy. All of the other choices should follow the development of the security plan.

3. Right Answer: B
Explanation: A role-based policy will associate data access with the role performed by an individual, thus restricting access to data required to perform the individual's tasks. Multilevel policies are based on classifications and clearances. Discretionary policies leave access decisions up to information resource managers.

4. Right Answer: C
Explanation: Agreements with external parties can expose an organization to information security risks that must be assessed and appropriately mitigated. The ability of the parties to perform is normally the responsibility of legal and the business operation involved. Confidential information may be in the agreement by necessity and, while the information security manager can advise and provide approaches to protect the information, the responsibility rests with the business and legal. Audit rights may be one of many possible controls to include in a third-party agreement, but is not necessarily a contract requirement, depending on the nature of the agreement.

5. Right Answer: D
Explanation: Two-factor authentication requires more than one type of user authentication. While biometrics provides unique authentication, it is not strong by itself, unless a PIN or some other authentication factor is used with it. Biometric authentication by itself is also subject to replay attacks. A symmetric encryption method that uses the same secret key to encrypt and decrypt data is not a typical authentication mechanism for end users. This private key could still be compromised. SSL is the standard security technology for establishing an encrypted link between a web server and a browser. SSL is not an authentication mechanism. If SSL is used with a client certificate and a password, it would be a two-factor authentication.
