Exam (elaborations)

CISA Domain 2 - Governance and Management of IT

Pages: 17
Grade: A+
Uploaded on: 03-09-2024
Written in: 2023/2024


CISA Domain 2 - Governance and Management of IT Question And Answers

A comprehensive and effective email policy should address the issues of
email structure, policy enforcement, monitoring and:

a. recovery
b. retention
c. rebuilding
d. reuse

Answer: B. Besides being a good practice, laws and regulations may require
an organization to keep information that has an impact on the financial
statements. The prevalence of lawsuits in which email communication is
held in the same regard as the official form of classic paper makes the
retention policy of corporate email a necessity.

- A Critical Business function...

a. a function that relies on one or more other functions
b. a function that has the lowest ALE
c. a function that costs the most money
d. a function that many other functions rely on which the BCP ensures
timely resumption of

Answer: D.

- A policy references a supporting document that identifies the steps
required to approve access to data. This supporting document is...

a. report
b. procedure
c. guideline
d. brochure

Answer: b. Procedures are for how something will be approved

- A service level agreement defines the relationship between what two
parties?

a. consultant and vendor
b. employee and consultant
c. employer and employee
d. organization and vendor

Answer: d. An SLA defines the relationship between the organization and
vendor

- A systems administrator suggests to their manager that they use a
subscription hot site in case of a disaster. Their manager informed them
that they cannot afford the expense of a subscription hot site. What should
they choose?

a. cold site
b. boiling site
c. off site
d. backup site

Answer: a. cold site

- A team conducting a risk analysis is having difficulty projecting the
financial losses that could result from a risk. To evaluate the potential
impact, the team should:

Select an answer:
A. compute the amortization of the related assets.
B. calculate a return on investment (ROI).
C. apply a qualitative approach.
D. spend the time needed to define the loss amount exactly.

Answer: C. The common practice when it is difficult to calculate the
financial losses is to take a qualitative approach, in which the manager
affected by the risk defines the impact in terms of a weighted factor
(e.g. 1 is a very low impact to the business and 5 is a very high impact)

- After a control is put in place to mitigate a risk the resulting risk is
called ____

a. control gap
b. exposure factor
c. residual risk
d. mitigated risk

Answer: c. residual risk - what's residual

- ALE (annual loss expectancy) 15k, ARO (annualized rate of occurrence)
5, what's the single loss expectancy (SLE)?

a. 3k
b. 75k
c. 5k
d. 20k

Answer: a. 3k

- An auditor has established the risk and cost of an organizational loss.
After reviewing the report, management decides to respond by purchasing
insurance. This is an example of?

a. avoidance
b. mitigation
c. transference
d. acceptance

Answer: C.

- An auditor wants to see how an organization's risk management
program changes over time. What is the best approach to achieve this?

a. establish baselines
b. define and collect carefully chosen metrics
c. use risk management tools such as ArcSight
d. Follow an established risk management framework

Answer: B. Metrics can be tracked on a dashboard

- An internal auditor is assisting the IT team in prioritizing their projects
for the next year. The auditor interviews users, administrators, and
managers in the IT department and records their recommendations based
upon their perceptions of risk. This is an example of what kind of approach
to risk analysis?

a. qualitative
b. value based
c. accumulative
d. quantitative

Answer: a. Qualitative is more touchy-feely: "on a scale of 1-10, which is
more risky". Key word: perception of risk!

- An IT steering committee should:

a. include a mix of members from different departments and staff levels
b. ensure that IS security policies and procedures have been executed
properly
c. maintain minutes of its meetings and keep the board of directors
informed
d. be briefed about new trends and products at each meeting by a vendor

Answer: C. It is important to keep detailed IT steering committee minutes
to document the decisions and activities of the IT steering committee. The
board of directors should be informed about those decisions on a timely
basis

- An organization decides to discontinue the use of a software product
that has known security vulnerabilities. This is an example of...

a. risk mitigation
b. risk avoidance
c. risk assessment
d. threat reduction

Answer: b. This is risk avoidance

- An organization determines that they are running a vulnerable web
server. Instead of patching the server they decide to put the service
behind an application firewall.

Seller: gladyswaithira
