
QUESTION 351

A retail outlet has introduced radio frequency identification (RFID) tags to create unique serial numbers for all products. Which of the following is the PRIMARY concern associated with this initiative?

A. Issues of privacy
B. Wavelength can be absorbed by the human body
C. RFID tags may not be removable
D. RFID eliminates line-of-sight reading

Correct Answer: A

Explanation:

The purchaser of an item will not necessarily be aware of the presence of the tag. If a tagged item is paid for by credit card, it would be possible to tie the unique ID of that item to the identity of the purchaser. Privacy violations are a significant concern because RFID can carry unique identifier numbers. If desired, it would be possible for a firm to track individuals who purchase an item containing an RFID. Choices B and C are concerns of less importance. Choice D is not a concern.


QUESTION 352

Which of the following does a lack of adequate security controls represent?

A. Threat
B. Asset
C. Impact
D. Vulnerability

Correct Answer: D

Explanation:

The lack of adequate security controls represents a vulnerability, exposing sensitive information and data to the risk of malicious damage, attack or unauthorized access by hackers. This could result in a loss of sensitive information and lead to the loss of goodwill for the organization. A succinct definition of risk is provided by the Guidelines for the Management of IT Security published by the International Organization for Standardization (ISO), which defines risk as the ‘potential that a given threat will exploit the vulnerability of an asset or group of assets to cause loss or damage to the assets.’ The various elements of the definition are vulnerability, threat, asset and impact. Lack of adequate security functionality in this context is a vulnerability.


QUESTION 353

When implementing an IT governance framework in an organization the MOST important objective is:

 
A. IT alignment with the business.
B. accountability.
C. value realization with IT.
D. enhancing the return on IT investments.
Correct Answer: A

Explanation:

The goals of IT governance are to improve IT performance, to deliver optimum business value and to ensure regulatory compliance. The key practice in support of these goals is the strategic alignment of IT with the business (choice A). To achieve alignment, all other choices need to be tied to business practices and strategies.


QUESTION 354

When developing a risk management program, what is the FIRST activity to be performed?

 
A. Threat assessment
B. Classification of data
C. Inventory of assets
D. Criticality analysis
Correct Answer: C

Explanation:

Identification of the assets to be protected is the first step in the development of a risk management program. A listing of the threats that can affect the performance of these assets and criticality analysis are later steps in the process. Data classification is required for defining access controls and in criticality analysis.


QUESTION 355

In an organization where an IT security baseline has been defined, an IS auditor should FIRST ensure:

 
A. implementation.
B. compliance.
C. documentation.
D. sufficiency.
Correct Answer: D

Explanation:

An IS auditor should first evaluate the definition of the minimum baseline level by ensuring the sufficiency of controls. Documentation, implementation and compliance are further steps.


QUESTION 356

A local area network (LAN) administrator normally would be restricted from:

 
A. having end-user responsibilities.
B. reporting to the end-user manager.
C. having programming responsibilities.
D. being responsible for LAN security administration.
Correct Answer: C

Explanation:

A LAN administrator should not have programming responsibilities but may have end-user responsibilities. The LAN administrator may report to the director of the IPF or, in a decentralized operation, to the end-user manager. In small organizations, the LAN administrator may also be responsible for security administration over the LAN.


QUESTION 357

Which of the following is a risk of cross-training?

 
A. Increases the dependence on one employee
B. Does not assist in succession planning
C. One employee may know all parts of a system
D. Does not help in achieving a continuity of operations
Correct Answer: C

Explanation:

When cross-training, it would be prudent to first assess the risk of any person knowing all parts of a system and what exposures this may cause. Cross-training has the advantage of decreasing dependence on one employee and, hence, can be part of succession planning. It also provides backup for personnel in the event of absence for any reason and thereby facilitates the continuity of operations.


QUESTION 358

A team conducting a risk analysis is having difficulty projecting the financial losses that could result from a risk. To evaluate the potential losses, the team should:

 
A. compute the amortization of the related assets.
B. calculate a return on investment (ROI).
C. apply a qualitative approach.
D. spend the time needed to define exactly the loss amount.
Correct Answer: C

Explanation:

The common practice, when it is difficult to calculate the financial losses, is to take a qualitative approach, in which the manager affected by the risk defines the financial loss in terms of a weighted factor (e.g., one is a very low impact to the business and five is a very high impact). An ROI is computed when there are predictable savings or revenues that can be compared to the investment needed to realize the revenues. Amortization is used in a profit and loss statement, not in computing potential losses. Spending the time needed to define exactly the total amount is normally a wrong approach. If it has been difficult to estimate potential losses (e.g., losses derived from erosion of public image due to a hack attack), that situation is not likely to change, and at the end of the day, the result will be a poorly supported evaluation.


QUESTION 359

An IS auditor who is reviewing incident reports discovers that, in one instance, an important document left on an employee’s desk was removed and put in the garbage by the outsourced cleaning staff. Which of the following should the IS auditor recommend to management?

 
A. Stricter controls should be implemented by both the organization and the cleaning agency.
B. No action is required since such incidents have not occurred in the past.
C. A clear desk policy should be implemented and strictly enforced in the organization.
D. A sound backup policy for all important office documents should be implemented.
Correct Answer: A

Explanation:

An employee leaving an important document on a desk and the cleaning staff removing it may result in a serious impact on the business. Therefore, the IS auditor should recommend that strict controls be implemented by both the organization and the outsourced cleaning agency. That such incidents have not occurred in the past does not reduce the seriousness of their impact. Implementing and monitoring a clear desk policy addresses only one part of the issue. Appropriate confidentiality agreements with the cleaning agency, along with ensuring that the cleaning staff has been educated on the dos and don’ts of the cleaning process, are also controls that should be implemented. The risk here is not a loss of data, but leakage of data to unauthorized sources. A backup policy does not address the issue of unauthorized leakage of information.


QUESTION 360

Establishing the level of acceptable risk is the responsibility of:

 
A. quality assurance management.
B. senior business management.
C. the chief information officer.
D. the chief security officer.
Correct Answer: B

Explanation:

Senior management should establish the acceptable risk level, since they have the ultimate or final responsibility for the effective and efficient operation of the organization. Choices A, C and D should act as advisors to senior management in determining an acceptable risk level.
