Answer: C.

A. Amortization is used in a profit and loss statement, not in computing potential losses.
B. A return on investment (ROI) is computed when there are predictable savings or revenues that can be compared to the investment needed to realize them.
C. The common practice, when it is difficult to calculate the financial losses, is to take a qualitative approach, in which the manager affected by the risk defines the impact in terms of a weighted factor (e.g., one is a very low impact to the business and five is a very high impact).
D. Spending the time needed to define the exact total amount is normally the wrong approach. If it has been difficult to estimate potential losses (e.g., losses derived from erosion of public image due to a hacking attack), that situation is not likely to change and, at the end of the day, the result will be a poorly supported evaluation.

Answer: D.

A. A threat is anything (e.g., object, substance, human) that is capable of acting against an asset in a manner that can result in harm. A threat exists regardless of controls or a lack of controls.
B. An asset is something of either tangible or intangible value that is worth protecting, including people, information, infrastructure, finances and reputation. The asset value is not affected by a lack of controls.
C. Impact represents the outcome or result of a threat exploiting a vulnerability. A lack of controls would lead to a higher impact, but the lack of controls is defined as a vulnerability, not an impact.
D. The lack of adequate security controls represents a vulnerability, exposing sensitive information and data to the risk of malicious damage, attack or unauthorized access by hackers. This could result in a loss of sensitive information and lead to the loss of goodwill for the organization.

A succinct definition of risk is provided by the Guidelines for the Management of IT Security published by the International Organization for Standardization (ISO), which defines risk as the "potential that a given threat will exploit the vulnerability of an asset or group of assets to cause loss or damage to the assets." The elements of the definition are vulnerability, threat, asset and impact. Lack of adequate security functionality in this context is a vulnerability.

Answer: B.

A. Given that there may be slack time available on some of the other tasks not on the critical path, the resource allocation should be based on the project segments that affect delivery dates.
B. Because adding resources may change the route of the critical path, the critical path must be reevaluated to ensure that the additional resources will, in fact, shorten the project duration.
C. Given that there may be slack time available on some of the other tasks not on the critical path, a factor such as the length of other tasks may or may not be affected.
D. Depending on the skill level of the resources required or available, the addition of resources may not, in fact, shorten the time line. Therefore, the first step is to examine what resources are required to address the times on the critical path.

Answer: C.

A. A project database may contain information about control effectiveness for one specific project and updates to various parameters pertaining to the current status of that single project.
B. Policy documents on project management set direction for the design, development, implementation and monitoring of the project.
C. A project portfolio database is the basis for project portfolio management. It includes project data such as owner, schedules, objectives, project type, status and cost. Project portfolio management requires specific project portfolio reports.
D. Program organization is the team required (steering committee, quality assurance, systems personnel, analyst, programmer, hardware support, etc.) to meet the delivery objectives of the projects.

CISA Question 581
Question: The IT balanced scorecard is a business governance tool intended to monitor IT performance evaluation indicators other than:
A. financial results.
Answer: A. financial results.
Explanation: Financial results have traditionally been the sole overall performance metric. The IT balanced scorecard (BSC) is an IT business governance tool aimed at monitoring IT performance evaluation indicators other than financial results. The IT BSC considers other key success factors, such as customer satisfaction, innovation capacity and processing.

CISA Question 582
Question: During an audit, an IS auditor notices that the IT department of a medium-sized organization has no separate risk management function, and the organization's operational risk documentation only contains a few broadly described IT risks. What is the MOST appropriate recommendation in this situation?
A. Create an IT risk management department and establish an IT risk framework with the aid of external risk management experts.
Answer: D. Establish regular IT risk management meetings to identify and assess risks, and create a mitigation plan as input to the organization's risk management.
Explanation: Establishing regular meetings is the best way to identify and assess risks in a medium-sized organization, to assign responsibilities to the respective management and to keep the risk list and mitigation plans up to date. A medium-sized organization would normally not have a separate IT risk management department. Moreover, the risks are usually manageable enough that external help would not be needed. While common risks may be covered by common industry standards, those standards cannot address the specific situation of an organization. Individual risks will not be discovered without a detailed assessment from within the organization. Splitting the one risk position into several is not sufficient.

CISA Question 583
Question: An IS auditor who is reviewing incident reports discovers that, in one instance, an important document left on an employee's desk was removed and put in the garbage by the outsourced cleaning staff. Which of the following should the IS auditor recommend to management?
A. Stricter controls should be implemented by both the organization and the cleaning agency.
Answer: A. Stricter controls should be implemented by both the organization and the cleaning agency.
Explanation: An employee leaving an important document on a desk and the cleaning staff removing it may result in a serious impact on the business. Two control weaknesses contributed to the incident, one on each side (the employee's handling of the document and the cleaning agency's handling of material found on desks), so the recommendation must address both parties.

CISA Question 584
Question: The PRIMARY benefit of implementing a security program as part of a security governance framework is the:
A. alignment of the IT activities with IS audit recommendations.
Answer: B. enforcement of the management of security risks.
Explanation: The major benefit of implementing a security program is management's assessment of risk and its mitigation to an appropriate level of risk, and the monitoring of the remaining residual risks. Recommendations, visions and objectives of the auditor and the chief information security officer (CISO) are usually included within a security program, but they would not be the major benefit.

CISA Question 585
Question: Which of the following should be the MOST important consideration when deciding areas of priority for IT governance implementation?
A. Process maturity
Answer: C. Business risk
Explanation: Priority should be given to those areas which represent a known risk to the enterprise's operations. The level of process maturity, process performance and audit reports will feed into the decision-making process. Those areas that represent real risk to the business should be given priority.

CISA Question 586
Question: As a driver of IT governance, transparency of IT's cost, value and risks is primarily achieved through:
A. performance measurement.
Answer: A. performance measurement.
Explanation: Performance measurement includes setting and monitoring measurable objectives of what the IT processes need to deliver (process outcome) and how they deliver it (process capability and performance). Strategic alignment primarily focuses on ensuring linkage of business and IT plans. Value delivery is about executing the value proposition throughout the delivery cycle. Resource management is about the optimal investment in and proper management of critical IT resources. Transparency is primarily achieved through performance measurement because it provides information to the stakeholders on how well the enterprise is performing when compared to objectives.

CISA Question 587
Question: Which of the following should be considered FIRST when implementing a risk management program?
A. An understanding of the organization's threat, vulnerability and risk profile
Answer: A. An understanding of the organization's threat, vulnerability and risk profile
Explanation: Implementing risk management, as one of the outcomes of effective information security governance, would require a collective understanding of the organization's threat, vulnerability and risk profile as a first step. Based on this, an understanding of risk exposure and the potential consequences of compromise could be determined. Risk management priorities based on potential consequences could then be developed.

CISA Question 588
Question: An IS auditor is reviewing an IT security risk management program. Measures of security risk should:
A. address all of the network risks.
Answer: C. take into account the entire IT environment.
Explanation: When assessing IT security risk, it is important to take into account the entire IT environment. Measures of security risk should focus on those areas with the highest criticality so as to achieve maximum risk reduction at the lowest possible cost. IT strategic plans are not granular enough to provide appropriate measures.

CISA Question 589
Question: An IS auditor reviewing the risk assessment process of an organization should FIRST:
A. identify the reasonable threats to the information assets.
Answer: C. identify and rank the information assets.
Explanation: Identification and ranking of information assets (e.g., data criticality, locations of assets) will set the tone or scope of how to assess risk in relation to the organizational value of the asset. Second, the threats facing each of the organization's assets should be analyzed according to the asset's value to the organization.

CISA Question 590
Question: A poor choice of passwords and transmission over unprotected communications lines are examples of:
A. vulnerabilities.
Answer: A. vulnerabilities.
Explanation: Vulnerabilities represent characteristics of information resources that may be exploited by a threat. Threats are circumstances or events with the potential to cause harm to information resources. Probabilities represent the likelihood of the occurrence of a threat, while impacts represent the outcome or result of a threat exploiting a vulnerability.
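The critical path answer above (option B: adding resources may change the route of the critical path, so it must be reevaluated) is easiest to see by computing it. The following is an added worked example, not code from the original page or from ISACA: a small critical path method (CPM) implementation with forward and backward passes, run on a constructed five-task project network, and then re-run after "crashing" one critical task to model added resources. The task names, durations and dependencies are invented for illustration.

```python
"""Critical path method (CPM): forward/backward pass over a task graph.

Added example. Computes earliest/latest start and finish, total float
(slack) and the critical path, then shows why the path must be
re-evaluated after resources are added to a critical task. The project
network at the bottom is constructed for illustration; it is not from
the original page.
"""
from collections import defaultdict


def topological_order(tasks):
    """Kahn's algorithm; raises on a cycle (a malformed dependency graph)."""
    indeg = {t: len(p["preds"]) for t, p in tasks.items()}
    succ = defaultdict(list)
    for t, p in tasks.items():
        for pred in p["preds"]:
            succ[pred].append(t)
    ready = sorted(t for t, d in indeg.items() if d == 0)
    order = []
    while ready:
        t = ready.pop(0)
        order.append(t)
        for s in succ[t]:
            indeg[s] -= 1
            if indeg[s] == 0:
                ready.append(s)
    if len(order) != len(tasks):
        raise ValueError("dependency cycle in task graph")
    return order, succ


def cpm(tasks):
    """Return (project_duration, {task: (ES, EF, LS, LF, slack)}, critical_tasks)."""
    order, succ = topological_order(tasks)
    es, ef = {}, {}
    for t in order:                              # forward pass
        es[t] = max((ef[p] for p in tasks[t]["preds"]), default=0)
        ef[t] = es[t] + tasks[t]["dur"]
    duration = max(ef.values())
    ls, lf = {}, {}
    for t in reversed(order):                    # backward pass
        lf[t] = min((ls[s] for s in succ[t]), default=duration)
        ls[t] = lf[t] - tasks[t]["dur"]
    table = {t: (es[t], ef[t], ls[t], lf[t], ls[t] - es[t]) for t in order}
    critical = [t for t in order if ls[t] - es[t] == 0]   # zero slack
    return duration, table, critical


def crash(tasks, task, new_duration):
    """Model 'adding resources': return a copy of the plan with one task shortened."""
    if new_duration <= 0:
        raise ValueError("duration must be positive")
    shortened = {t: dict(p) for t, p in tasks.items()}
    shortened[task]["dur"] = new_duration
    return shortened


# Constructed project network (durations in days); "preds" = predecessor tasks.
# Routes: A-B-E = 8 days, A-C-D-E = 11 days, so A, C, D, E start critical.
PROJECT = {
    "A": {"dur": 3, "preds": []},
    "B": {"dur": 4, "preds": ["A"]},
    "C": {"dur": 2, "preds": ["A"]},
    "D": {"dur": 5, "preds": ["C"]},
    "E": {"dur": 1, "preds": ["B", "D"]},
}

if __name__ == "__main__":
    duration, table, critical = cpm(PROJECT)
    print("baseline: duration", duration, "critical", critical)          # 11, A C D E
    # Add resources to D (on the critical path) so it takes 1 day instead of 5.
    duration, table, critical = cpm(crash(PROJECT, "D", 1))
    print("after crashing D: duration", duration, "critical", critical)  # 8, A B E
    # D was cut by 4 days but the project shortened by only 3: route A-B-E is
    # now the critical path, so any further effort spent on D is wasted.
```

The second run is the point of the exercise: once D is shortened past 2 days, B (which had 3 days of slack) becomes critical and the project cannot get shorter than 8 days no matter how many resources go to D. Re-running the pass after every resource change is the only way to know where the next day of schedule actually comes from.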
Question: Is it appropriate for an IS auditor from a company that is considering outsourcing its IS processing to request and review a copy of each vendor's business continuity plan?
Answer: Yes, because the IS auditor will evaluate the adequacy of the service bureau's plan and assist the organization in implementing a complementary plan. The plan being proprietary information is not a reason to forgo the review; confidentiality of the vendor's plan is handled contractually, while the adequacy of the vendor's recovery capability is a risk the outsourcing organization must assess before committing.
Question: Which of the following methods best mitigates the risk of disclosing confidential information through the use of social networking sites?
Answer: Providing security awareness training is the best method to mitigate the risk of disclosing confidential information on social networking sites. It is important to remember that users may access these services through other means such as mobile phones and home computers; therefore, awareness training is most critical.