Total points 10/10
C. logging rules
D. user profiles.
Feedback
Explanation:
Security administration procedures require read-only access to security log files to ensure that,
once generated, the logs are not modified. Logs provide evidence and track suspicious
transactions and activities. The other options may require modification, and hence write access can also
be provided for them.
Explanation:
The hard disk should be demagnetized, since this will cause all of the bits to be set to zero,
eliminating any chance of retrieving information that was previously stored on the disk. The other options
may not be as effective.
(33) The major risk for lack of an authorization process for users of an
application would be:
1/1
A. many users can claim to be a specific user.
B. there is no way to limit role based access.
The correct answer is: B. there is no way to limit role based access.
Explanation:
(1) The risk that many users can claim to be a specific user is better addressed by a proper
authentication process rather than by authorization.
(2) Without an appropriate authorization process, it will be impossible to establish functional limits
and accountability.
(3) The authorization process does not directly impact the sharing of user accounts. Other controls are required to
prevent sharing of user accounts.
(4) In the absence of a proper authorization process, the principle of least privilege cannot be assured.
The correct answer is: B. User accounts are created as per defined role (least privilege) with
expiration dates
Explanation:
(1) Creation of need-based user IDs and automated revocation of IDs as per the expiration date serve
as the most effective control under the given scenario and options.
(2) A penalty clause in the SLA may act as a deterrent control, but automated revocation of IDs is the more
effective method of control.
(3) Providing full access is a risky affair.
(4) A control that relies on vendor management being given rights to delete IDs may not be reliable.
The correct answer is: B. access rules can be structured and better managed.
Explanation:
(1) Naming conventions help in the efficient management of access rules and in defining
structured access rules. The conventions can be structured so that resources beginning with the same
high-level qualifier can be governed by one or more generic rules. This reduces the number of rules
required to adequately protect resources, which in turn facilitates security administration and
maintenance efforts.
(2) Though, as a general rule, naming conventions ensure that names represent the utility of a resource, this does not
impact access controls.
(3) Naming conventions in themselves do not ensure that user access to a resource is clearly identified.
Ensuring the clear and unique identification of user access to resources is handled by access control
rules and not by naming conventions.
(4) Each organisation has its own standard for naming conventions. Internationally recognized names
are not required to control access to resources.
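To make point (1) concrete, the following is an added illustration (not part of the exam material) of how a naming convention lets a handful of generic prefix rules protect a much larger resource inventory. The dotted convention QUALIFIER.SUBSYSTEM.OBJECT, the resource names, the roles and the rules are all constructed assumptions. It also shows the check an auditor would want: any resource whose name falls outside the convention is caught by no rule and is reported as unprotected.

```python
"""Prefix-based access rules over a resource naming convention.

Added example; names, roles and the QUALIFIER.SUBSYSTEM.OBJECT convention
are constructed assumptions, not taken from any real system.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List

# Constructed inventory: the first dotted component is the high-level
# qualifier (owning business area), the second the subsystem.
RESOURCES: List[str] = [
    "HR.PAYROLL.SALARY_TABLE",
    "HR.PAYROLL.TAX_TABLE",
    "HR.RECRUIT.CANDIDATES",
    "FIN.LEDGER.JOURNAL",
    "FIN.LEDGER.BALANCES",
    "SEC.LOGS.AUTH_LOG",
    "SEC.LOGS.ADMIN_LOG",
]


@dataclass(frozen=True)
class Rule:
    """One access rule: an exact name or a prefix pattern ending in '.*'."""
    pattern: str
    role: str
    permissions: FrozenSet[str]

    def matches(self, resource: str) -> bool:
        if self.pattern.endswith(".*"):
            # Keep the trailing dot so 'HR.*' does not match 'HRX.FOO'.
            return resource.startswith(self.pattern[:-1])
        return resource == self.pattern


# Four generic rules govern seven resources; adding a new HR.PAYROLL
# object needs no new rule. Security logs are deliberately read-only.
RULES: List[Rule] = [
    Rule("HR.*", "hr_clerk", frozenset({"read"})),
    Rule("HR.PAYROLL.*", "payroll_admin", frozenset({"read", "write"})),
    Rule("FIN.*", "accountant", frozenset({"read", "write"})),
    Rule("SEC.LOGS.*", "security_admin", frozenset({"read"})),
]


def effective_permissions(role: str, resource: str,
                          rules: Iterable[Rule] = RULES) -> FrozenSet[str]:
    """Union of permissions from every rule for `role` whose pattern covers
    `resource`. Deny by default: no matching rule means no access."""
    granted: FrozenSet[str] = frozenset()
    for rule in rules:
        if rule.role == role and rule.matches(resource):
            granted |= rule.permissions
    return granted


def unprotected_resources(resources: Iterable[str] = RESOURCES,
                          rules: Iterable[Rule] = RULES) -> List[str]:
    """Audit check: resources that no rule covers at all. A name that does
    not follow the convention (e.g. an ad-hoc backup) shows up here."""
    rule_list = list(rules)
    return [r for r in resources
            if not any(rule.matches(r) for rule in rule_list)]


if __name__ == "__main__":
    print(len(RULES), "rules cover", len(RESOURCES), "resources")
    print(sorted(effective_permissions("payroll_admin", "HR.PAYROLL.TAX_TABLE")))
    print(sorted(effective_permissions("security_admin", "SEC.LOGS.AUTH_LOG")))
    # A resource named outside the convention is flagged for the administrator.
    print(unprotected_resources(RESOURCES + ["payroll_backup_2019"]))
```

The point of the audit function is that a convention only reduces rule count if every resource actually follows it; anything created outside the convention silently falls out of the generic rules and must be either renamed or given an explicit rule.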
Feedback
Explanation:
In any given scenario, the steps for implementing logical access controls are as follows:
Thus, the first step in implementing access controls is an inventory of IS resources, which is the basis
for classification. Grouping of resources cannot be done without first determining the resources'
classifications.
(37) To improve the IS alignment with business, which of the following is the
best practice:
1/1
A. Outsourcing risks are managed.
B. Use of latest technology to operate business.
C. Structured way of sharing of business information.
D. Involvement of top management to mediate between business and information system.
Feedback
The correct answer is: D. Involvement of top management to mediate between business and
information system.
Explanation:
(1) Strategic alignment can best be assured by the involvement of top management. Top management,
being well aware of business objectives, can derive maximum benefit from the information system
by way of structured alignment.
(2) Management of outsourcing risk is a good practice; however, it does not necessarily ensure IS
alignment with the business.
(3) Use of the latest technology and a structured way of information sharing may not be effective in the
absence of a mandate from top management.
Feedback
Explanation:
Though other factors are important to ensure all the requirements have been considered, the best way is
to ensure that users are frequently engaged from an early stage of software development. End users
anchor the value stream. Most software requirements techniques start by asking users what they
want or need the system to do.
Feedback
Explanation:
Low disaster tolerance indicates that systems are critical and have to be resumed at the earliest. The RTO
is low for such systems. Hot sites are used for critical systems where disaster tolerance is low. If
disaster tolerance is high (i.e., RTO/RPO are high), a hot site may not be required and
arrangements can be made through a cold or warm site.
B. Data encryption
C. HTTPs protocol
D. Network monitoring device
Feedback
Explanation:
The use of application-level access control programs is a management control that restricts
access by limiting users to only those functions needed to perform their duties.