search

An is auditor is reviewing an it security risk management program. measures of security risk should:

1 Jahrs vor
Kommentare: 0
Ansichten: 32

You are correct, the answer is C.

Show

A. Amortization is used in a profit and loss statement, not in computing potential losses.

B. A return on investment (ROI) is computed when there is predictable savings or revenues that can be compared to the investment needed to realize the revenues.

C. The common practice, when it is difficult to calculate the financial losses, is to take a qualitative approach, in which the manager affected by the risk defines the impact in terms of a weighted factor (e.g., one is a very low impact to the business and five is a very high impact).

D. Spending the time needed to define exactly the total amount is normally a wrong approach. If it has been difficult to estimate potential losses (e.g., losses derived from erosion of public image due to a hack attack), that situation is not likely to change and, at the end of the day, the result will be a not well-supported evaluation.

You are correct, the answer is D.

A. A threat is anything (e.g., object, substance, human) that is capable of acting against an asset in a manner that can result in harm. A threat exists regardless of controls or a lack of controls.

B. An asset is something of either tangible or intangible value that is worth protecting, including people, information, infrastructure, finances and reputation. The asset value is not affected by a lack of controls.

C. Impact represents the outcome or result of a threat exploiting a vulnerability. A lack of controls would lead to a higher impact, but the lack of controls is defined as a vulnerability, not an impact.

D. The lack of adequate security controls represents a vulnerability, exposing sensitive information and data to the risk of malicious damage, attack or unauthorized access by hackers. This could result in a loss of sensitive information and lead to the loss of goodwill for the organization. A succinct definition of risk is provided by the Guidelines for the Management of IT Security published by the International Organization for Standardization (ISO), which defines risk as the "potential that a given threat will exploit the vulnerability of an asset or group of assets to cause loss or damage to the assets." The various elements of the definition are vulnerability, threat, asset and impact. Lack of adequate security functionality in this context is a vulnerability.

You are correct, the answer is B.

A. Given that there may be slack time available on some of the other tasks not on the critical path, the resource allocation should be based on the project segments that affect delivery dates.

B. Because adding resources may change the route of the critical path, the critical path must be reevaluated to ensure that additional resources will, in fact, shorten the project duration.

C. Given that there may be slack time available on some of the other tasks not on the critical path, a factor such as the length of other tasks may or may not be affected.

D. Depending on the skill level of the resources required or available, the addition of resources may not, in fact, shorten the time line. Therefore, the first step is to examine what resources are required to address the times on the critical path.

You answered D. The correct answer is C.

A. A project database may contain the information about control effectiveness for one specific project and updates to various parameters pertaining to the current status of that single project.

B. Policy documents on project management set direction for the design, development, implementation and monitoring of the project.

C. A project portfolio database is the basis for project portfolio management. It includes project data such as owner, schedules, objectives, project type, status and cost. Project portfolio management requires specific project portfolio reports.

D. Program organization is the team required (steering committee, quality assurance, systems personnel, analyst, programmer, hardware support, etc.) to meet the delivery objectives of the projects.

The latest ISACA CISA (Certified Information Systems Auditor) certification actual real practice exam question and answer (Q&A) dumps are available free, which are helpful for you to pass the ISACA CISA exam and earn ISACA CISA certification.

An is auditor is reviewing an it security risk management program. measures of security risk should:

CISA Question 581

Question

The IT balanced scorecard is a business governance tool intended to monitor IT performance evaluation indicators other than:

A. financial results.
B. customer satisfaction.
C. internal process efficiency.
D. innovation capacity.

Answer

A. financial results.

Explanation

Financial results have traditionally been the sole overall performance metric. The IT balanced scorecard (BSC) is an IT business governance tool aimed at monitoring IT performance evaluation indicators other than financial results. The IT BSC considers other key success factors, such as customer satisfaction, innovation capacity and processing.

CISA Question 582

Question

During an audit, an IS auditor notices that the IT department of a medium-sized organization has no separate risk management function, and the organization’s operational risk documentation only contains a few broadly described IT risks. What is the MOST appropriate recommendation in this situation?

A. Create an IT risk management department and establish an IT risk framework with the aid of external risk management experts.
B. Use common industry standard aids to divide the existing risk documentation into several individual risks which will be easier to handle.
C. No recommendation is necessary since the current approach is appropriate for a medium-sized organization.
D. Establish regular IT risk management meetings to identify and assess risks, and create a mitigation plan as input to the organization’s risk management.

Answer

D. Establish regular IT risk management meetings to identify and assess risks, and create a mitigation plan as input to the organization’s risk management.

Explanation

Establishing regular meetings is the best way to identify and assess risks in a medium- sized organization, to address responsibilities to the respective management and to keep the risk list and mitigation plans up to date. A medium-sized organization would normally not have a separate IT risk management department. Moreover, the risks are usually manageable enough so that external help would not be needed. While common risks may be covered by common industry standards, they cannot address the specific situation of an organization. Individual risks will not be discovered without a detailed assessment from within the organization. Splitting the one risk position into several is not sufficient.

CISA Question 583

Question

An IS auditor who is reviewing incident reports discovers that, in one instance, an important document left on an employee’s desk was removed and put in the garbage by the outsourced cleaning staff. Which of the following should the IS auditor recommend to management?

A. Stricter controls should be implemented by both the organization and the cleaning agency.
B. No action is required since such incidents have not occurred in the past.
C. A clear desk policy should be implemented and strictly enforced in the organization.
D. A sound backup policy for all important office documents should be implemented.

Answer

A. Stricter controls should be implemented by both the organization and the cleaning agency.

Explanation

An employee leaving an important document on a desk and the cleaning staff removing it may result in a serious impact on the business.
Therefore, the IS auditor should recommend that strict controls be implemented by both the organization and the outsourced cleaning agency.
That such incidents have not occurred in the past does not reduce the seriousness of their impact.
Implementing and monitoring a clear desk policy addresses only one part of the issue. Appropriate confidentiality agreements with the cleaning agency, along with ensuring that the cleaning staff has been educated on the dos and don’ts of the cleaning process, are also controls that should be implemented. The risk here is not a loss of data, but leakage of data to unauthorized sources. A backup policy does not address the issue of unauthorized leakage of information.

CISA Question 584

Question

The PRIMARY benefit of implementing a security program as part of a security governance framework is the:

A. alignment of the IT activities with IS audit recommendations.
B. enforcement of the management of security risks.
C. implementation of the chief information security officer’s (CISO) recommendations.
D. reduction of the cost for IT security.

Answer

B. enforcement of the management of security risks.

Explanation

The major benefit of implementing a security program is management’s assessment of risk and its mitigation to an appropriate level of risk, and the monitoring of the remaining residual risks. Recommendations, visions and objectives of the auditor and the chief information security officer (CISO) are usually included within a security program, but they would not be the major benefit.
The cost of IT security may or may not be reduced.

CISA Question 585

Question

Which of the following should be the MOST important consideration when deciding areas of priority for IT governance implementation?

A. Process maturity
B. Performance indicators
C. Business risk
D. Assurance reports

Answer

C. Business risk

Explanation

Priority should be given to those areas which represent a known risk to the enterprise’s operations. The level of process maturity, process performance and audit reports will feed into the decision making process. Those areas that represent real risk to the business should be given priority

CISA Question 586

Question

As a driver of IT governance, transparency of IT’s cost, value and risks is primarily achieved through:

A. performance measurement.
B. strategic alignment.
C. value delivery.
D. resource management.

Answer

A. performance measurement.

Explanation

Performance measurement includes setting and monitoring measurable objectives of what the IT processes need to deliver {process outcome) and how they deliver it (process capability and performance). Strategic alignment primarily focuses on ensuring linkage of business and IT plans. Value delivery is about executing the value proposition throughout the delivery cycle. Resource management is about the optimal investment in and proper management of critical IT resources. Transparency is primarily achieved through performance measurement as it provides information to the stakeholders on how well the enterprise is performing when compared to objectives.

CISA Question 587

Question

Which of the following should be considered FIRST when implementing a risk management program?

A. An understanding of the organization’s threat, vulnerability and risk profile
B. An understanding of the risk exposures and the potential consequences of compromise
C. A determination of risk management priorities based on potential consequences
D. A risk mitigation strategy sufficient to keep risk consequences at an acceptable level

Answer

A. An understanding of the organization’s threat, vulnerability and risk profile

Explanation

Implementing risk management, as one of the outcomes of effective information security governance, would require a collective understanding of the organization’s threat, vulnerability and risk profile as a first step. Based on this, an understanding of risk exposure and potential consequences of compromise could be determined. Risk management priorities based on potential consequences could then be developed.
This would provide a basis for the formulation of strategies for risk mitigation sufficient to keep the consequences from risk at an acceptable level.

CISA Question 588

Question

An IS auditor is reviewing an IT security risk management program. Measures of security risk should:

A. address all of the network risks.
B. be tracked over time against the IT strategic plan.
C. take into account the entire IT environment.
D. result in the identification of vulnerability tolerances.

Answer

C. take into account the entire IT environment.

Explanation

When assessing IT security risk, it is important to take into account the entire IT environment. Measures of security risk should focus on those areas with the highest criticality so as to achieve maximum risk reduction at the lowest possible cost. IT strategic plans are not granular enough to provide appropriate measures.
Objective metrics must be tracked over time against measurable goals, thus the management of risk is enhanced by comparing today’s results against last week, last month, last quarter. Risk measures will profile assets on a network to objectively measure vulnerability risk. They do not identify tolerances.

CISA Question 589

Question

An IS auditor reviewing the risk assessment process of an organization should FIRST:

A. identify the reasonable threats to the information assets.
B. analyze the technical and organizational vulnerabilities.
C. identify and rank the information assets.
D. evaluate the effect of a potential security breach.

Answer

C. identify and rank the information assets.

Explanation

Identification and ranking of information assets-e.g., data criticality, locations of assets-will set the tone or scope of how to assess risk in relation to the organizational value of the asset. Second, the threats facing each of the organization’s assets should be analyzed according to their value to the organization.
Third, weaknesses should be identified so that controls can be evaluated to determine if they mitigate the weaknesses. Fourth, analyze how these weaknesses, in absence of given controls, would impact the organization information assets.

CISA Question 590

Question

A poor choice of passwords and transmission over unprotected communications lines are examples of:

A. vulnerabilities.
B. threats.
C. probabilities.
D. impacts.

Answer

A. vulnerabilities.

Explanation

Vulnerabilities represent characteristics of information resources that may be exploited by a threat. Threats are circumstances or events with the potential to cause harm to information resources. Probabilities represent the likelihood of the occurrence of a threat, while impacts represent the outcome or result of a threat exploiting a vulnerability.

Which of the following should be considered first when implementing a risk management program?

C. D. Explanation: Implementing risk management, as one of the outcomes of effective information security governance, would require a collective understanding of the organization's threat, vulnerability and risk profile as a first step.

Is it appropriate for an IS auditor from a company that is considering outsourcing its is processing to request and review a copy of each vendor business continuity plan?

No, because the service bureau's business continuity plan is proprietary information.

Which of the following methods best mitigates the risk of disclosing confidential information through the use of social networking sites?

Providing security awareness training is the best method to mitigate the risk of disclosing confidential information on social networking sites. It is important to remember that users may access these services through other means such as mobile phones and home computers; therefore, awareness training is most critical.

auditor reviewing security risk management program measures security risk

zusammenhängende Posts

Which of the following would be most important for an IS auditor to verify while conducting a business continuity audit?
Which of the following would be most important for an IS auditor to verify while conducting a business continuity audit?

Werbung

NEUESTEN NACHRICHTEN

What measures how well the solution will be accepted in a given opportunity?
1 Jahrs vor . durch FormlessAviation
Wenn der Hund tot ist beginnt ein neues Leben
1 Jahrs vor . durch DeliriousHurricane
Which of the following is a not a type of organizational information system?
1 Jahrs vor . durch CantankerousAssignment
Which of the following statements is true regarding an organizations culture
1 Jahrs vor . durch EnticingDucking
The system of behavioral rules and norms that emerge in a group is known as:
1 Jahrs vor . durch ElectromagneticRelativism
Mit kreditkarte bezahlen wenn konto leer
1 Jahrs vor . durch CommunistAllies
Mit jemandem auf kriegsfuß stehen bedeutung
1 Jahrs vor . durch SubliminalPundit
What are 3 of the most important criteria to keep in mind when evaluating a source?
1 Jahrs vor . durch CuteSorcery
Google scholar is a specialized search engine that provides which of the following?
1 Jahrs vor . durch SmartDiploma
Wie lange hat der Vermieter Zeit die Kündigung zu bestätigen
1 Jahrs vor . durch EphemeralProceedings

Werbung

Populer

Werbung

Um

Legal

Hilfe

Sozial

homeendejakoptzhthittr
Urheberrechte © © 2024 de.apacode Inc.